2 files changed, 40 insertions, 0 deletions

diff --git a/patches/cve/4.9.x.scc b/patches/cve/4.9.x.scc
index 51591c7..d1e56d9 100644
--- a/patches/cve/4.9.x.scc
+++ b/patches/cve/4.9.x.scc
@@ -5,3 +5,6 @@ patch CVE-2017-8824-dccp-CVE-2017-8824-use-after-free-in-DCCP-code.patch
 #CVEs fixed in 4.9.88:
 patch CVE-2018-1065-netfilter-add-back-stackpointer-size-checks.patch
 patch CVE-2018-1068-netfilter-ebtables-CONFIG_COMPAT-don-t-trust-userlan.patch
+
+#CVEs fixed in 4.9.89:
+patch CVE-2018-7480-blkcg-fix-double-free-of-new_blkg-in-blkcg_init_queu.patch
diff --git a/patches/cve/CVE-2018-7480-blkcg-fix-double-free-of-new_blkg-in-blkcg_init_queu.patch b/patches/cve/CVE-2018-7480-blkcg-fix-double-free-of-new_blkg-in-blkcg_init_queu.patch
new file mode 100644
index 0000000..6da5d3a
--- /dev/null
+++ b/patches/cve/CVE-2018-7480-blkcg-fix-double-free-of-new_blkg-in-blkcg_init_queu.patch
@@ -0,0 +1,37 @@
+From 9b54d816e00425c3a517514e0d677bb3cec49258 Mon Sep 17 00:00:00 2001
+From: Hou Tao <houtao1@huawei.com>
+Date: Fri, 3 Feb 2017 17:19:07 +0800
+Subject: [PATCH] blkcg: fix double free of new_blkg in blkcg_init_queue
+
+If blkg_create fails, new_blkg passed as an argument will
+be freed by blkg_create, so there is no need to free it again.
+
+CVE: CVE-2018-7480   
+Upstream-Status: Backport  
+
+Signed-off-by: Hou Tao <houtao1@huawei.com>
+Signed-off-by: Jens Axboe <axboe@fb.com>
+Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
+---
+ block/blk-cgroup.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/block/blk-cgroup.c b/block/blk-cgroup.c
+index 37fe595..295e98c2 100644
+--- a/block/blk-cgroup.c
++++ b/block/blk-cgroup.c
+@@ -1079,10 +1079,8 @@ int blkcg_init_queue(struct request_queue *q)
+        if (preloaded)
+                radix_tree_preload_end();
+ 
+-       if (IS_ERR(blkg)) {
+-               blkg_free(new_blkg);
++       if (IS_ERR(blkg))
+                return PTR_ERR(blkg);
+-       }
+ 
+        q->root_blkg = blkg;
+        q->root_rl.blkg = blkg;
+-- 
+2.7.4
+