From: Greg Kroah-Hartman
Date: Mon, 3 Jul 2017 09:13:27 +0000 (+0200)
Subject: 4.11-stable patches
X-Git-Tag: v3.18.60~32
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=8744dbb9bdf7697b312c480e6a51599dcce70fb6;p=thirdparty%2Fkernel%2Fstable-queue.git
4.11-stable patches
added patches:
xen-blkback-don-t-free-be-structure-too-early.patch
---
diff --git a/queue-4.11/series b/queue-4.11/series
index 329afca6ebf..4577d94273d 100644
--- a/queue-4.11/series
+++ b/queue-4.11/series
@@ -51,3 +51,4 @@ dm-thin-do-not-queue-freed-thin-mapping-for-next-stage-processing.patch
 x86-mm-fix-boot-crash-caused-by-incorrect-loop-count-calculation-in-sync_global_pgds.patch
 pinctrl-amd-use-regular-interrupt-instead-of-chained.patch
 mm-vmalloc.c-huge-vmap-fail-gracefully-on-unexpected-huge-vmap-mappings.patch
+xen-blkback-don-t-free-be-structure-too-early.patch
diff --git a/queue-4.11/xen-blkback-don-t-free-be-structure-too-early.patch b/queue-4.11/xen-blkback-don-t-free-be-structure-too-early.patch
new file mode 100644
index 00000000000..b845c1cf3b9
--- /dev/null
+++ b/queue-4.11/xen-blkback-don-t-free-be-structure-too-early.patch
@@ -0,0 +1,51 @@
+From 71df1d7ccad1c36f7321d6b3b48f2ea42681c363 Mon Sep 17 00:00:00 2001
+From: Juergen Gross
+Date: Thu, 18 May 2017 17:28:48 +0200
+Subject: xen/blkback: don't free be structure too early
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Juergen Gross
+
+commit 71df1d7ccad1c36f7321d6b3b48f2ea42681c363 upstream.
+
+The be structure must not be freed when freeing the blkif structure
+isn't done. Otherwise a use-after-free of be when unmapping the ring
+used for communicating with the frontend will occur in case of a
+late call of xenblk_disconnect() (e.g. due to an I/O still active
+when trying to disconnect).
+
+Signed-off-by: Juergen Gross
+Tested-by: Steven Haigh
+Acked-by: Roger Pau Monné
+Signed-off-by: Konrad Rzeszutek Wilk
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/block/xen-blkback/xenbus.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/block/xen-blkback/xenbus.c
++++ b/drivers/block/xen-blkback/xenbus.c
+@@ -315,8 +315,10 @@ static int xen_blkif_disconnect(struct x
+ static void xen_blkif_free(struct xen_blkif *blkif)
+ {
+
+- xen_blkif_disconnect(blkif);
++ WARN_ON(xen_blkif_disconnect(blkif));
+ xen_vbd_free(&blkif->vbd);
++ kfree(blkif->be->mode);
++ kfree(blkif->be);
+
+ /* Make sure everything is drained before shutting down */
+ kmem_cache_free(xen_blkif_cachep, blkif);
+@@ -511,8 +513,6 @@ static int xen_blkbk_remove(struct xenbu
+
+ /* Put the reference we set in xen_blkif_alloc(). */
+ xen_blkif_put(be->blkif);
+- kfree(be->mode);
+- kfree(be);
+ return 0;
+ }
+
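Review bot: In the xen_blkif_free() hunk of the queued patch, `WARN_ON(xen_blkif_disconnect(blkif));` only reports a failed disconnect; the `kfree(blkif->be->mode)`, `kfree(blkif->be)` and `kmem_cache_free()` that follow run regardless, so if the call can still return non-zero here (the commit message names I/O still active as the cause of a late disconnect) the ring teardown would be left pending against freed memory. Whether that is reachable once the last reference is dropped is not visible in the hunk, so the invariant deserves a comment above the call, e.g. `/* Last reference gone: no I/O can be in flight, so disconnect must succeed. */`. It would also help to record the ownership change next to the new frees, `/* be is owned by blkif and freed here, not in xen_blkbk_remove(). */`, since `blkif->be` is dereferenced without a NULL check and xen_blkbk_remove() no longer frees `be` on its own. Both function bodies start or end outside the hunks shown.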