4.11-stable patches

added patches:
	xen-blkback-don-t-free-be-structure-too-early.patch

diff --git a/queue-4.11/series b/queue-4.11/series
index 329afca6ebf0b1bb0a9b610850a4fc6a2cfe70cf..4577d94273dffec01bc626af5faeb2e925182739 100644 (file)
--- a/queue-4.11/series
+++ b/queue-4.11/series
@@ -51,3 +51,4 @@ dm-thin-do-not-queue-freed-thin-mapping-for-next-stage-processing.patch
 x86-mm-fix-boot-crash-caused-by-incorrect-loop-count-calculation-in-sync_global_pgds.patch
 pinctrl-amd-use-regular-interrupt-instead-of-chained.patch
 mm-vmalloc.c-huge-vmap-fail-gracefully-on-unexpected-huge-vmap-mappings.patch
+xen-blkback-don-t-free-be-structure-too-early.patch

diff --git a/queue-4.11/xen-blkback-don-t-free-be-structure-too-early.patch b/queue-4.11/xen-blkback-don-t-free-be-structure-too-early.patch
new file mode 100644 (file)
index 0000000..b845c1c
--- /dev/null
+++ b/queue-4.11/xen-blkback-don-t-free-be-structure-too-early.patch
@@ -0,0 +1,51 @@
+From 71df1d7ccad1c36f7321d6b3b48f2ea42681c363 Mon Sep 17 00:00:00 2001
+From: Juergen Gross <jgross@suse.com>
+Date: Thu, 18 May 2017 17:28:48 +0200
+Subject: xen/blkback: don't free be structure too early
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Juergen Gross <jgross@suse.com>
+
+commit 71df1d7ccad1c36f7321d6b3b48f2ea42681c363 upstream.
+
+The be structure must not be freed when freeing the blkif structure
+isn't done. Otherwise a use-after-free of be when unmapping the ring
+used for communicating with the frontend will occur in case of a
+late call of xenblk_disconnect() (e.g. due to an I/O still active
+when trying to disconnect).
+
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Tested-by: Steven Haigh <netwiz@crc.id.au>
+Acked-by: Roger Pau Monné <roger.pau@citrix.com>
+Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/block/xen-blkback/xenbus.c |    6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/block/xen-blkback/xenbus.c
++++ b/drivers/block/xen-blkback/xenbus.c
+@@ -315,8 +315,10 @@ static int xen_blkif_disconnect(struct x
+ static void xen_blkif_free(struct xen_blkif *blkif)
+ {
+ 
+-      xen_blkif_disconnect(blkif);
++      WARN_ON(xen_blkif_disconnect(blkif));
+       xen_vbd_free(&blkif->vbd);
++      kfree(blkif->be->mode);
++      kfree(blkif->be);
+ 
+       /* Make sure everything is drained before shutting down */
+       kmem_cache_free(xen_blkif_cachep, blkif);
+@@ -511,8 +513,6 @@ static int xen_blkbk_remove(struct xenbu
+ 
+       /* Put the reference we set in xen_blkif_alloc(). */
+       xen_blkif_put(be->blkif);
+-      kfree(be->mode);
+-      kfree(be);
+       return 0;
+ }
+