On Mon, 2018-07-30 at 14:11 +0800, xiao jin wrote:
> We found a memory use-after-free issue in __blk_drain_queue()
> on kernel 4.14. After reading the latest kernel 4.18-rc6 we
> think it has the same problem.
>
> Memory is allocated for q->fq in blk_init_allocated_queue().
> If the elevator init function is called and returns an error, it
> will run into the fail case that frees q->fq.
>
> Then __blk_drain_queue() uses the same memory after the free
> of q->fq, which will lead to unpredictable events.
>
> The patch is to set q->fq to NULL in the fail case of
> blk_init_allocated_queue().

Reviewed-by: Bart Van Assche <bart.vanassche@wdc.com>
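The pattern described in the quoted report, modelled as a small user-space C program: an init routine that allocates a flush-queue object, frees it on its error path, and a later "drain" routine that reuses the pointer. This is an added illustration and not the kernel's code; `struct queue`, `queue_init_allocated()`, `queue_drain()` and the `elevator_fails` / `apply_fix` knobs are hypothetical stand-ins for `struct request_queue`, `blk_init_allocated_queue()`, `__blk_drain_queue()` and the elevator init failure. It shows why clearing the pointer on the failure path lets the later consumer's NULL check do its job, whereas leaving it set leaves a dangling pointer behind.

```c
#include <stdlib.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of q->fq: a small object owned by the queue. */
struct flush_queue {
    int pending;
};

/* Hypothetical model of struct request_queue. */
struct queue {
    struct flush_queue *fq;   /* models q->fq */
    int elevator_ready;
};

static struct flush_queue *flush_queue_alloc(void)
{
    struct flush_queue *fq = calloc(1, sizeof(*fq));
    if (fq)
        fq->pending = 3;      /* constructed sample workload */
    return fq;
}

static void flush_queue_free(struct flush_queue *fq)
{
    free(fq);
}

/* Models the elevator init step; 'fail' is a constructed knob that
 * stands in for whatever made the real elevator init return an error. */
static int elevator_init(struct queue *q, int fail)
{
    if (fail)
        return -1;
    q->elevator_ready = 1;
    return 0;
}

/* Models blk_init_allocated_queue(): returns 0 on success, -1 on failure.
 * On the failure path q->fq is freed; with apply_fix set it is also
 * cleared to NULL, which is the change the report describes. */
static int queue_init_allocated(struct queue *q, int elevator_fails, int apply_fix)
{
    memset(q, 0, sizeof(*q));
    q->fq = flush_queue_alloc();
    if (!q->fq)
        return -1;
    if (elevator_init(q, elevator_fails) != 0) {
        flush_queue_free(q->fq);
        if (apply_fix)
            q->fq = NULL;     /* later users now see "no flush queue" */
        return -1;
    }
    return 0;
}

/* Models __blk_drain_queue(): returns the pending count, or 0 when there
 * is no flush queue. Without the fix, a failed init leaves q->fq pointing
 * at freed memory and this dereference would be a use-after-free. */
static int queue_drain(struct queue *q)
{
    if (!q->fq)
        return 0;
    return q->fq->pending;
}

static void queue_release(struct queue *q)
{
    flush_queue_free(q->fq);
    q->fq = NULL;
}

int main(void)
{
    struct queue q;

    queue_init_allocated(&q, 1, 1);
    printf("failed init with fix: fq=%p drain=%d\n", (void *)q.fq, queue_drain(&q));

    queue_init_allocated(&q, 0, 1);
    printf("successful init: drain=%d\n", queue_drain(&q));
    queue_release(&q);
    return 0;
}
```

The fix does not make the failure path "succeed"; the init still returns an error. What it changes is the state left behind: a NULL `fq` that every consumer already has to handle, instead of a pointer whose target has been returned to the allocator.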