From: xiao jin
To: axboe@kernel.dk, linux-block@vger.kernel.org, linux-kernel@vger.kernel.org
Cc: yanmin.zhang@intel.com, jin.xiao@intel.com
Subject: [PATCH] blk_init_allocated_queue() set q->fq as NULL in the fail case
Date: Mon, 30 Jul 2018 10:03:17 +0800
Message-Id: <1532916197-14950-1-git-send-email-jin.xiao@intel.com>
X-Mailer: git-send-email 1.7.9.5
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

We found the memory use-after-free issue in __blk_drain_queue() on kernel 4.14. After reading the latest kernel 4.18-rc6, we think it has the same problem.

Memory is allocated for q->fq in blk_init_allocated_queue(). If the elevator init function is called and returns an error, it will run into the fail case to free q->fq. Then __blk_drain_queue() uses the same memory after the free of q->fq, which will lead to unpredictable events.

The patch is to set q->fq as NULL in the fail case of blk_init_allocated_queue().

Signed-off-by: xiao jin
---
 block/blk-core.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/block/blk-core.c b/block/blk-core.c
index b888175..52635e2 100644
--- a/block/blk-core.c
+++ b/block/blk-core.c
@@ -1072,6 +1072,7 @@ int blk_init_allocated_queue(struct request_queue *q)
 	q->exit_rq_fn(q, q->fq->flush_rq);
 out_free_flush_queue:
 	blk_free_flush_queue(q->fq);
+	q->fq = NULL;
 	return -ENOMEM;
 }
 EXPORT_SYMBOL(blk_init_allocated_queue);
--
1.7.9.5
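Review bot: The hunk clears the dangling pointer after `blk_free_flush_queue(q->fq);`, but it shows nothing about the consumer side, so the commit message should state how __blk_drain_queue() behaves when q->fq is NULL (whether it checks the pointer before dereferencing it); if it does not, this change turns a use-after-free into a NULL-pointer dereference on the same path rather than fixing it. For the same reason, please confirm in the message that any later teardown that frees the flush queue again tolerates a NULL q->fq, since the function now returns -ENOMEM with the field cleared. The message also says 4.18-rc6 is believed affected from reading the code only; saying whether the use-after-free was reproduced there, and adding a Fixes: tag naming the commit that introduced the early free (placeholder, not given in this mail) plus a Cc: stable line for 4.14, would let the backport be tracked.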