Re: [PATCH] blk_init_allocated_queue() set q->fq as NULL in the fail case

From: Bart Van Assche
Date: Mon Jul 30 2018 - 01:12:08 EST

Next message: Stephen Rothwell: "linux-next: build failure after merge of the xen-tip tree"
Previous message: Amir Goldstein: "Re: [PATCH 03/16] vfs: don't evict uninitialized inode"
In reply to: Ming Lei: "Re: [PATCH] blk_init_allocated_queue() set q->fq as NULL in the fail case"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Mon, 2018-07-30 at 10:03 +-0800, xiao jin wrote:
+AD4- We find the memory use-after-free issue in +AF8AXw-blk+AF8-drain+AF8-queue()
+AD4- on the kernel 4.14. After read the latest kernel 4.18-rc6 we
+AD4- think it has the same problem.
+AD4-
+AD4- Memory is allocated for q-+AD4-fq in the blk+AF8-init+AF8-allocated+AF8-queue().
+AD4- If the elevator init function called with error return, it will
+AD4- run into the fail case to free the q-+AD4-fq.
+AD4-
+AD4- Then the +AF8AXw-blk+AF8-drain+AF8-queue() uses the same memory after the free
+AD4- of the q-+AD4-fq, it will lead to the unpredictable event.
+AD4-
+AD4- The patch is to set q-+AD4-fq as NULL in the fail case of
+AD4- blk+AF8-init+AF8-allocated+AF8-queue().

Please add +ACI-Fixes:+ACI- and +ACI-Cc: stable+ACI- tags to this patch.

Thanks,

Bart.

Next message: Stephen Rothwell: "linux-next: build failure after merge of the xen-tip tree"
Previous message: Amir Goldstein: "Re: [PATCH 03/16] vfs: don't evict uninitialized inode"
In reply to: Ming Lei: "Re: [PATCH] blk_init_allocated_queue() set q->fq as NULL in the fail case"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]