From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1753261AbbJOOsE (ORCPT <rfc822;w@1wt.eu>);
	Thu, 15 Oct 2015 10:48:04 -0400
Received: from mx0b-00082601.pphosted.com ([67.231.153.30]:45938 "EHLO
	mx0b-00082601.pphosted.com" rhost-flags-OK-OK-OK-OK)
	by vger.kernel.org with ESMTP id S1751860AbbJOOsB (ORCPT
	<rfc822;linux-kernel@vger.kernel.org>);
	Thu, 15 Oct 2015 10:48:01 -0400
Subject: Re: [PATCH] blk-mq: fix use-after-free in blk_mq_free_tag_set()
To: Junichi Nomura <j-nomura@ce.jp.nec.com>, Jens Axboe <axboe@kernel.dk>,
        "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
References: <20151014050213.GA10302@xzibit.linux.bs1.fc.nec.co.jp>
CC: Keith Busch <keith.busch@intel.com>
From: Jens Axboe <axboe@fb.com>
Message-ID: <561FBC6A.4040909@fb.com>
Date: Thu, 15 Oct 2015 08:47:06 -0600
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101
 Thunderbird/38.3.0
MIME-Version: 1.0
In-Reply-To: <20151014050213.GA10302@xzibit.linux.bs1.fc.nec.co.jp>
Content-Type: text/plain; charset="iso-2022-jp"
Content-Transfer-Encoding: 7bit
X-Originating-IP: [192.168.54.13]
X-Proofpoint-Spam-Reason: safe
X-FB-Internal: Safe
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:,, definitions=2015-10-15_09:,,
 signatures=0
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On 10/13/2015 11:02 PM, Junichi Nomura wrote:
> tags is freed in blk_mq_free_rq_map() and should not be used after that.
> The problem doesn't manifest if CONFIG_CPUMASK_OFFSTACK is false because
> free_cpumask_var() is nop.
> 
> tags->cpumask is allocated in blk_mq_init_tags() so it's natural to
> free cpumask in its counter part, blk_mq_free_tags().

Thanks, applied. tags->cpumask should some day die a horrible death.

-- 
Jens Axboe