From: Jens Axboe Date: Sat, 23 Oct 2010 18:40:26 +0000 (+0200) Subject: block: fix use-after-free bug in blk throttle code X-Git-Tag: firefly_0821_release~7613^2~3669^2 X-Git-Url: http://demsky.eecs.uci.edu/git/?a=commitdiff_plain;h=7ad58c028652753814054f4e3ac58f925e7343f4;p=firefly-linux-kernel-4.4.55.git block: fix use-after-free bug in blk throttle code blk_throtl_exit() frees the throttle data hanging off the queue in blk_cleanup_queue(), but blk_put_queue() will indirectly dereference this data when calling blk_sync_queue() which in turns calls throtl_shutdown_timer_wq(). Fix this by moving the freeing of the throttle data to when the queue is truly being released, and post the call to blk_sync_queue(). Reported-by: Ingo Molnar Tested-by: Ingo Molnar Signed-off-by: Jens Axboe --- diff --git a/block/blk-core.c b/block/blk-core.c index 45141469e89e..51efd835d4cf 100644 --- a/block/blk-core.c +++ b/block/blk-core.c @@ -462,8 +462,6 @@ void blk_cleanup_queue(struct request_queue *q) if (q->elevator) elevator_exit(q->elevator); - blk_throtl_exit(q); - blk_put_queue(q); } EXPORT_SYMBOL(blk_cleanup_queue); diff --git a/block/blk-sysfs.c b/block/blk-sysfs.c index da8a8a40cd4c..013457f47fdc 100644 --- a/block/blk-sysfs.c +++ b/block/blk-sysfs.c @@ -471,6 +471,8 @@ static void blk_release_queue(struct kobject *kobj) blk_sync_queue(q); + blk_throtl_exit(q); + if (rl->rq_pool) mempool_destroy(rl->rq_pool);