On Mon, Aug 05, 2019 at 12:12:45PM -0700, Guenter Roeck wrote:
> From: xiao jin <jin.xiao@xxxxxxxxx>
>
> commit 54648cf1ec2d7f4b6a71767799c45676a138ca24 upstream
>
> We find the memory use-after-free issue in __blk_drain_queue()
> on the kernel 4.14. After read the latest kernel 4.18-rc6 we
> think it has the same problem.
>
> Memory is allocated for q->fq in the blk_init_allocated_queue().
> If the elevator init function called with error return, it will
> run into the fail case to free the q->fq.
>
> Then the __blk_drain_queue() uses the same memory after the free
> of the q->fq, it will lead to the unpredictable event.
>
> The patch is to set q->fq as NULL in the fail case of
> blk_init_allocated_queue().
>
> Fixes: commit 7c94e1c157a2 ("block: introduce blk_flush_queue to drive flush machinery")
> Cc: <stable@xxxxxxxxxxxxxxx>
> Reviewed-by: Ming Lei <ming.lei@xxxxxxxxxx>
> Reviewed-by: Bart Van Assche <bart.vanassche@xxxxxxx>
> Signed-off-by: xiao jin <jin.xiao@xxxxxxxxx>
> Signed-off-by: Jens Axboe <axboe@xxxxxxxxx>
> [groeck: backport to v4.4.y/v4.9.y (context change)]
> Signed-off-by: Guenter Roeck <linux@xxxxxxxxxxxx>
> ---
> This patch was not applied to v4.4.y and v4.9.y due to a context conflict.
> See https://lore.kernel.org/stable/1536310209129100@xxxxxxxxx/ and
> https://lore.kernel.org/stable/153631018011582@xxxxxxxxx/ for details.
> It was applied to v4.14.y and to v4.18.y.
>
> Please consider applying this backport. It is relevant because it fixes
> CVE-2018-20856.
Now queued up, thanks.
greg k-h
