e6ea77dd5a
commit 54648cf1ec2d7f4b6a71767799c45676a138ca24 upstream.
We find the memory use-after-free issue in __blk_drain_queue()
on the kernel 4.14. After read the latest kernel 4.18-rc6 we
think it has the same problem.
Memory is allocated for q->fq in the blk_init_allocated_queue().
If the elevator init function called with error return, it will
run into the fail case to free the q->fq.
Then the __blk_drain_queue() uses the same memory after the free
of the q->fq, it will lead to the unpredictable event.
The patch is to set q->fq as NULL in the fail case of
blk_init_allocated_queue().
Fixes: commit
|
||
|---|---|---|
| .. | ||
| partitions | ||
| bio-integrity.c | ||
| bio.c | ||
| blk-cgroup.c | ||
| blk-core.c | ||
| blk-exec.c | ||
| blk-flush.c | ||
| blk-integrity.c | ||
| blk-ioc.c | ||
| blk-iopoll.c | ||
| blk-lib.c | ||
| blk-map.c | ||
| blk-merge.c | ||
| blk-mq-cpu.c | ||
| blk-mq-cpumap.c | ||
| blk-mq-sysfs.c | ||
| blk-mq-tag.c | ||
| blk-mq-tag.h | ||
| blk-mq.c | ||
| blk-mq.h | ||
| blk-settings.c | ||
| blk-softirq.c | ||
| blk-sysfs.c | ||
| blk-tag.c | ||
| blk-throttle.c | ||
| blk-timeout.c | ||
| blk.h | ||
| bounce.c | ||
| bsg-lib.c | ||
| bsg.c | ||
| cfq-iosched.c | ||
| cmdline-parser.c | ||
| compat_ioctl.c | ||
| deadline-iosched.c | ||
| elevator.c | ||
| genhd.c | ||
| ioctl.c | ||
| ioprio.c | ||
| Kconfig | ||
| Kconfig.iosched | ||
| Makefile | ||
| noop-iosched.c | ||
| partition-generic.c | ||
| scsi_ioctl.c | ||
| t10-pi.c | ||