author: Jens Axboe <axboe@fb.com> 2017-02-24 21:19:32 +0100
committer: Jens Axboe <axboe@fb.com> 2017-02-24 21:19:32 +0100
commit: 61febef40bfe8ab68259d8545257686e8a0d91d1
tree: 94d52c7e6d62b1f7381fc615c8964e0751e7ca08
parent: blk-mq-sched: separate mark hctx and queue restart operations
dm-rq: don't dereference request payload after ending request

Bart reported a case where dm would crash with use-after-free poison. This is due to dm_softirq_done() accessing memory associated with a request after calling end_request on it. This is most visible on !blk-mq, since we free the memory immediately for that case.

Reported-by: Bart Van Assche <bart.vanassche@sandisk.com>
Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
Fixes: eb8db831be80 ("dm: always defer request allocation to the owner of the request_queue")
Signed-off-by: Jens Axboe <axboe@fb.com>

-rw-r--r-- drivers/md/dm-rq.c 6
1 files changed, 4 insertions, 2 deletions
diff --git a/drivers/md/dm-rq.c b/drivers/md/dm-rq.c
index 67d76f21fecd..28955b94d2b2 100644
--- a/drivers/md/dm-rq.c
+++ b/drivers/md/dm-rq.c
@@ -328,13 +328,15 @@ static void dm_softirq_done(struct request *rq)
int rw;
if (!clone) {
- rq_end_stats(tio->md, rq);
+ struct mapped_device *md = tio->md;
+
+ rq_end_stats(md, rq);
rw = rq_data_dir(rq);
if (!rq->q->mq_ops)
blk_end_request_all(rq, tio->error);
else
blk_mq_end_request(rq, tio->error);
- rq_completed(tio->md, rw, false);
+ rq_completed(md, rw, false);
return;
}
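Review bot: The new local `md` in the `!clone` branch carries no comment explaining why it is cached, so a later cleanup could fold it back into `tio->md` after the end-request call and reintroduce the use-after-free the commit message describes. A one-line comment above `struct mapped_device *md = tio->md;` saying that the request payload must not be touched once blk_end_request_all() or blk_mq_end_request() has been called would record the lifetime rule where the next editor will see it. The remaining `tio->error` reads are evaluated as call arguments before the request is ended, and `rw` is taken from `rq` before that point as well, so nothing in the visible lines dereferences `tio` or `rq` after completion. Only the `!clone` path is shown here, so whether the clone path below has the same ordering cannot be judged from this hunk.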