From: Alessio Balsini
Date: Thu, 8 Aug 2019 08:21:04 -0700
Subject: Re: [PATCH 3.18.y 4.4.y 4.9.y] block: blk_init_allocated_queue() set q->fq as NULL in the fail case
To: Greg KH
Cc: stable@vger.kernel.org, linux-kernel@vger.kernel.org, kernel-team@android.com, xiao jin, Ming Lei, Bart Van Assche, Jens Axboe
References: <20190808022819.108337-1-balsini@android.com> <20190808090049.GC1265@kroah.com>
In-Reply-To: <20190808090049.GC1265@kroah.com>
X-Mailing-List: linux-kernel@vger.kernel.org

Oops, thanks!

On Thu, Aug 8, 2019 at 2:00 AM Greg KH wrote:
>
> On Thu, Aug 08, 2019 at 03:28:19AM +0100, Alessio Balsini wrote:
> > From: xiao jin
> >
> > commit 54648cf1ec2d7f4b6a71767799c45676a138ca24 upstream.
> >
> > We find the memory use-after-free issue in __blk_drain_queue()
> > on the kernel 4.14. After reading the latest kernel 4.18-rc6 we
> > think it has the same problem.
> >
> > Memory is allocated for q->fq in the blk_init_allocated_queue().
> > If the elevator init function is called with an error return, it will
> > run into the fail case to free the q->fq.
> >
> > Then the __blk_drain_queue() uses the same memory after the free
> > of the q->fq, and it will lead to an unpredictable event.
> >
> > The patch is to set q->fq as NULL in the fail case of
> > blk_init_allocated_queue().
> >
> > Fixes: commit 7c94e1c157a2 ("block: introduce blk_flush_queue to drive flush machinery")
> > Cc:
> > Reviewed-by: Ming Lei
> > Reviewed-by: Bart Van Assche
> > Signed-off-by: xiao jin
> > Signed-off-by: Jens Axboe
> > Signed-off-by: Alessio Balsini
> > ---
> >  block/blk-core.c | 1 +
> >  1 file changed, 1 insertion(+)
> >
> > diff --git a/block/blk-core.c b/block/blk-core.c
> > index 50d77c90070d..7662f97dded6 100644
> > --- a/block/blk-core.c
> > +++ b/block/blk-core.c
> > @@ -870,6 +870,7 @@ blk_init_allocated_queue(struct request_queue *q, request_fn_proc *rfn,
> >
> >  fail:
> >  	blk_free_flush_queue(q->fq);
> > +	q->fq = NULL;
> >  	return NULL;
> >  }
> >  EXPORT_SYMBOL(blk_init_allocated_queue);
> > --
> > 2.22.0.770.g0f2c4a37fd-goog
> >
>
> Guenter sent this backport a day before you did, so I took his version
> and added your s-o-b to it.
>
> thanks,
>
> greg k-h
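Review bot: the new `q->fq = NULL;` sits in the right place, immediately after `blk_free_flush_queue(q->fq);` in the `fail:` path, so no window is left in which the request queue carries a dangling flush-queue pointer; what the backport still needs checking for is that every later consumer of `q->fq` on the teardown path (the changelog names `__blk_drain_queue()`) tolerates a NULL pointer, because this change turns the use-after-free into a NULL dereference wherever such a consumer dereferences `q->fq` unconditionally. A one-line comment above the added line, saying that the pointer is cleared because the queue can still be drained after this failure, would spare the next reader a trip to the changelog.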