From 2880d3bbc5ac81c9ea0f5c5ac060841d44200624 Mon Sep 17 00:00:00 2001
From: Andreas Wellving <andreas.wellving@enea.com>
Date: Fri, 26 Oct 2018 13:16:17 +0200
Subject: blkcg: CVE-2018-7480

blkcg: fix double free of new_blkg in blkcg_init_queue

Reference:
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.9.y&id=7bd2d0c746f1fac2fb7f2ee972767cbc8be60962

Change-Id: I20561bb531656d071b6aac2243f61bad9c948d5d
Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
---
 patches/cve/4.9.x.scc                              |  2 ++
 ...ouble-free-of-new_blkg-in-blkcg_init_queu.patch | 40 ++++++++++++++++++++++
 2 files changed, 42 insertions(+)
 create mode 100644 patches/cve/4.9.x.scc
 create mode 100644 patches/cve/CVE-2018-7480-blkcg-fix-double-free-of-new_blkg-in-blkcg_init_queu.patch

diff --git a/patches/cve/4.9.x.scc b/patches/cve/4.9.x.scc
new file mode 100644
index 0000000..1702181
--- /dev/null
+++ b/patches/cve/4.9.x.scc
@@ -0,0 +1,2 @@
+#CVEs fixed in 4.9.89:
+patch CVE-2018-7480-blkcg-fix-double-free-of-new_blkg-in-blkcg_init_queu.patch
diff --git a/patches/cve/CVE-2018-7480-blkcg-fix-double-free-of-new_blkg-in-blkcg_init_queu.patch b/patches/cve/CVE-2018-7480-blkcg-fix-double-free-of-new_blkg-in-blkcg_init_queu.patch
new file mode 100644
index 0000000..c5e51b3
--- /dev/null
+++ b/patches/cve/CVE-2018-7480-blkcg-fix-double-free-of-new_blkg-in-blkcg_init_queu.patch
@@ -0,0 +1,40 @@
+From 7bd2d0c746f1fac2fb7f2ee972767cbc8be60962 Mon Sep 17 00:00:00 2001
+From: Hou Tao <houtao1@huawei.com>
+Date: Fri, 3 Feb 2017 17:19:07 +0800
+Subject: [PATCH] blkcg: fix double free of new_blkg in blkcg_init_queue
+
+commit 9b54d816e00425c3a517514e0d677bb3cec49258 upstream.
+
+If blkg_create fails, new_blkg passed as an argument will
+be freed by blkg_create, so there is no need to free it again.
+
+CVE: CVE-2018-7480
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.9.y&id=7bd2d0c746f1fac2fb7f2ee972767cbc8be60962]
+
+Signed-off-by: Hou Tao <houtao1@huawei.com>
+Signed-off-by: Jens Axboe <axboe@fb.com>
+Cc: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
+---
+ block/blk-cgroup.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/block/blk-cgroup.c b/block/blk-cgroup.c
+index b08ccbb9393a..6cd839c1f507 100644
+--- a/block/blk-cgroup.c
++++ b/block/blk-cgroup.c
+@@ -1078,10 +1078,8 @@ int blkcg_init_queue(struct request_queue *q)
+ 	if (preloaded)
+ 		radix_tree_preload_end();
+ 
+-	if (IS_ERR(blkg)) {
+-		blkg_free(new_blkg);
++	if (IS_ERR(blkg))
+ 		return PTR_ERR(blkg);
+-	}
+ 
+ 	q->root_blkg = blkg;
+ 	q->root_rl.blkg = blkg;
+
+
-- 
cgit v1.2.3-54-g00ecf