diff options
author | Josh Boyer <jwboyer@fedoraproject.org> | 2016-05-17 09:03:07 -0400 |
---|---|---|
committer | Josh Boyer <jwboyer@fedoraproject.org> | 2016-05-17 11:14:02 -0400 |
commit | 6116861edf2be2615467c0f189153f95badf7e58 (patch) | |
tree | 4cde55ba426e107151683f8b4356c2a1d9d97b84 /block-blkg_destroy_all-should-clear-q-root_blkg-and-.patch | |
parent | 59915d41e79894c3ddd27a6a83e74b3991b23451 (diff) | |
download | kernel-6116861edf2be2615467c0f189153f95badf7e58.tar.gz kernel-6116861edf2be2615467c0f189153f95badf7e58.tar.xz kernel-6116861edf2be2615467c0f189153f95badf7e58.zip |
Linux v4.6
- Disable CONFIG_DEBUG_VM_PGFLAGS on non debug kernels (rhbz 1335173)
- CVE-2016-3713 kvm: out-of-bounds access in set_var_mtrr_msr (rhbz 1332139 1336410)
Diffstat (limited to 'block-blkg_destroy_all-should-clear-q-root_blkg-and-.patch')
-rw-r--r-- | block-blkg_destroy_all-should-clear-q-root_blkg-and-.patch | 64 |
1 files changed, 0 insertions, 64 deletions
diff --git a/block-blkg_destroy_all-should-clear-q-root_blkg-and-.patch b/block-blkg_destroy_all-should-clear-q-root_blkg-and-.patch deleted file mode 100644 index be5eddebc..000000000 --- a/block-blkg_destroy_all-should-clear-q-root_blkg-and-.patch +++ /dev/null @@ -1,64 +0,0 @@ -From a08748fb2221ef03d54071e5ddfcc1b0cee6961c Mon Sep 17 00:00:00 2001 -From: Tejun Heo <tj@kernel.org> -Date: Sat, 5 Sep 2015 15:47:36 -0400 -Subject: [PATCH] block: blkg_destroy_all() should clear q->root_blkg and - ->root_rl.blkg - -While making the root blkg unconditional, ec13b1d6f0a0 ("blkcg: always -create the blkcg_gq for the root blkcg") removed the part which clears -q->root_blkg and ->root_rl.blkg during q exit. This leaves the two -pointers dangling after blkg_destroy_all(). blk-throttle exit path -performs blkg traversals and dereferences ->root_blkg and can lead to -the following oops. - - BUG: unable to handle kernel NULL pointer dereference at 0000000000000558 - IP: [<ffffffff81389746>] __blkg_lookup+0x26/0x70 - ... - task: ffff88001b4e2580 ti: ffff88001ac0c000 task.ti: ffff88001ac0c000 - RIP: 0010:[<ffffffff81389746>] [<ffffffff81389746>] __blkg_lookup+0x26/0x70 - ... - Call Trace: - [<ffffffff8138d14a>] blk_throtl_drain+0x5a/0x110 - [<ffffffff8138a108>] blkcg_drain_queue+0x18/0x20 - [<ffffffff81369a70>] __blk_drain_queue+0xc0/0x170 - [<ffffffff8136a101>] blk_queue_bypass_start+0x61/0x80 - [<ffffffff81388c59>] blkcg_deactivate_policy+0x39/0x100 - [<ffffffff8138d328>] blk_throtl_exit+0x38/0x50 - [<ffffffff8138a14e>] blkcg_exit_queue+0x3e/0x50 - [<ffffffff8137016e>] blk_release_queue+0x1e/0xc0 - ... - -While the bug is a straigh-forward use-after-free bug, it is tricky to -reproduce because blkg release is RCU protected and the rest of exit -path usually finishes before RCU grace period. - -This patch fixes the bug by updating blkg_destro_all() to clear -q->root_blkg and ->root_rl.blkg. - -Signed-off-by: Tejun Heo <tj@kernel.org> -Reported-by: "Richard W.M. Jones" <rjones@redhat.com> -Reported-by: Josh Boyer <jwboyer@fedoraproject.org> -Link: http://lkml.kernel.org/g/CA+5PVA5rzQ0s4723n5rHBcxQa9t0cW8BPPBekr_9aMRoWt2aYg@mail.gmail.com -Fixes: ec13b1d6f0a0 ("blkcg: always create the blkcg_gq for the root blkcg") -Cc: stable@vger.kernel.org # v4.2+ ---- - block/blk-cgroup.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/block/blk-cgroup.c b/block/blk-cgroup.c -index d6283b3f5db5..9cc48d1d7abb 100644 ---- a/block/blk-cgroup.c -+++ b/block/blk-cgroup.c -@@ -387,6 +387,9 @@ static void blkg_destroy_all(struct request_queue *q) - blkg_destroy(blkg); - spin_unlock(&blkcg->lock); - } -+ -+ q->root_blkg = NULL; -+ q->root_rl.blkg = NULL; - } - - /* --- -2.4.3 - |