On 02/19, Guenter Roeck wrote:
>
> On Tue, Feb 19, 2019 at 01:37:57PM +0100, Oleg Nesterov wrote:
> >
> > looks unrelated...
> >
> Indeed...
>
> The underlying problem is in the error handling code of ace_setup(),
> which calls put_disk() followed by blk_cleanup_queue(). put_disk()
> calls disk_release(), which calls blk_put_queue(), which in turn
> results in a call to blk_mq_hw_sysfs_release().
>
> Added debug code, with your patch reverted, shows:
>
> ######### blk_mq_hw_sysfs_release hctx=cee4a800
> ...
> ######### blk_mq_run_hw_queue hctx=cee4a800
>
> blk_mq_hw_sysfs_release() calls kfree(hctx), so accessing it later is most
> definitely not a good idea.
Thanks!

> No idea why this only causes problems with your patch applied.

Well... blk_put_queue() may trigger kobject_uevent() which does
call_usermodehelper. So if one of the used-after-free data structures was
already re-allocated as linux_binprm, then with my patch it can look "more
corrupted"...

But honestly, I too have no idea.

Thanks Guenter.

Oleg.