diff options
| author | Andreas Wellving <andreas.wellving@enea.com> | 2018-10-26 13:16:17 +0200 |
|---|---|---|
| committer | Andreas Wellving <andreas.wellving@enea.com> | 2018-10-26 13:16:17 +0200 |
| commit | 2880d3bbc5ac81c9ea0f5c5ac060841d44200624 (patch) | |
| tree | 7e3c76a20365bcb03477fe44c3d26974628ae525 | |
| parent | bbbaee9150a62c2965710ff2245b65da32f35eb5 (diff) | |
| download | enea-kernel-cache-2880d3bbc5ac81c9ea0f5c5ac060841d44200624.tar.gz | |
blkcg: CVE-2018-7480
blkcg: fix double free of new_blkg in blkcg_init_queue
Reference:
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.9.y&id=7bd2d0c746f1fac2fb7f2ee972767cbc8be60962
Change-Id: I20561bb531656d071b6aac2243f61bad9c948d5d
Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
| -rw-r--r-- | patches/cve/4.9.x.scc | 2 | ||||
| -rw-r--r-- | patches/cve/CVE-2018-7480-blkcg-fix-double-free-of-new_blkg-in-blkcg_init_queu.patch | 40 |
2 files changed, 42 insertions, 0 deletions
diff --git a/patches/cve/4.9.x.scc b/patches/cve/4.9.x.scc new file mode 100644 index 0000000..1702181 --- /dev/null +++ b/patches/cve/4.9.x.scc | |||
| @@ -0,0 +1,2 @@ | |||
| 1 | #CVEs fixed in 4.9.89: | ||
| 2 | patch CVE-2018-7480-blkcg-fix-double-free-of-new_blkg-in-blkcg_init_queu.patch | ||
diff --git a/patches/cve/CVE-2018-7480-blkcg-fix-double-free-of-new_blkg-in-blkcg_init_queu.patch b/patches/cve/CVE-2018-7480-blkcg-fix-double-free-of-new_blkg-in-blkcg_init_queu.patch new file mode 100644 index 0000000..c5e51b3 --- /dev/null +++ b/patches/cve/CVE-2018-7480-blkcg-fix-double-free-of-new_blkg-in-blkcg_init_queu.patch | |||
| @@ -0,0 +1,40 @@ | |||
| 1 | From 7bd2d0c746f1fac2fb7f2ee972767cbc8be60962 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Hou Tao <houtao1@huawei.com> | ||
| 3 | Date: Fri, 3 Feb 2017 17:19:07 +0800 | ||
| 4 | Subject: [PATCH] blkcg: fix double free of new_blkg in blkcg_init_queue | ||
| 5 | |||
| 6 | commit 9b54d816e00425c3a517514e0d677bb3cec49258 upstream. | ||
| 7 | |||
| 8 | If blkg_create fails, new_blkg passed as an argument will | ||
| 9 | be freed by blkg_create, so there is no need to free it again. | ||
| 10 | |||
| 11 | CVE: CVE-2018-7480 | ||
| 12 | Upstream-Status: Backport [https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.9.y&id=7bd2d0c746f1fac2fb7f2ee972767cbc8be60962] | ||
| 13 | |||
| 14 | Signed-off-by: Hou Tao <houtao1@huawei.com> | ||
| 15 | Signed-off-by: Jens Axboe <axboe@fb.com> | ||
| 16 | Cc: Guenter Roeck <linux@roeck-us.net> | ||
| 17 | Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> | ||
| 18 | Signed-off-by: Andreas Wellving <andreas.wellving@enea.com> | ||
| 19 | --- | ||
| 20 | block/blk-cgroup.c | 4 +--- | ||
| 21 | 1 file changed, 1 insertion(+), 3 deletions(-) | ||
| 22 | |||
| 23 | diff --git a/block/blk-cgroup.c b/block/blk-cgroup.c | ||
| 24 | index b08ccbb9393a..6cd839c1f507 100644 | ||
| 25 | --- a/block/blk-cgroup.c | ||
| 26 | +++ b/block/blk-cgroup.c | ||
| 27 | @@ -1078,10 +1078,8 @@ int blkcg_init_queue(struct request_queue *q) | ||
| 28 | if (preloaded) | ||
| 29 | radix_tree_preload_end(); | ||
| 30 | |||
| 31 | - if (IS_ERR(blkg)) { | ||
| 32 | - blkg_free(new_blkg); | ||
| 33 | + if (IS_ERR(blkg)) | ||
| 34 | return PTR_ERR(blkg); | ||
| 35 | - } | ||
| 36 | |||
| 37 | q->root_blkg = blkg; | ||
| 38 | q->root_rl.blkg = blkg; | ||
| 39 | |||
| 40 | |||