diff options
author | Mike Krinkin <krinkin.m.u@gmail.com> | 2015-07-19 08:53:17 +0200 |
---|---|---|
committer | Jens Axboe <axboe@fb.com> | 2015-07-22 21:30:20 +0200 |
commit | 21974061cfb3c4b0b1a83447fb5e7cdcd06e56dc (patch) | |
tree | 558b1e88e86088c9500ffecb7d873c9dc0898c7d /drivers/block | |
parent | Revert "fsnotify: fix oops in fsnotify_clear_marks_by_group_flags()" (diff) | |
download | linux-21974061cfb3c4b0b1a83447fb5e7cdcd06e56dc.tar.xz linux-21974061cfb3c4b0b1a83447fb5e7cdcd06e56dc.zip |
null_blk: fix use-after-free problem
end_cmd finishes request associated with nullb_cmd struct, so we
should save pointer to request_queue in a local variable before
calling end_cmd.
The problem was causes general protection fault with slab poisoning
enabled.
Fixes: 8b70f45e2eb2 ("null_blk: restart request processing on completion handler")
Tested-by: Akinobu Mita <akinobu.mita@gmail.com>
Signed-off-by: Mike Krinkin <krinkin.m.u@gmail.com>
Signed-off-by: Jens Axboe <axboe@fb.com>
Diffstat (limited to 'drivers/block')
-rw-r--r-- | drivers/block/null_blk.c | 18 |
1 files changed, 9 insertions, 9 deletions
diff --git a/drivers/block/null_blk.c b/drivers/block/null_blk.c index 69de41a87b74..3177b245d2bd 100644 --- a/drivers/block/null_blk.c +++ b/drivers/block/null_blk.c @@ -240,19 +240,19 @@ static enum hrtimer_restart null_cmd_timer_expired(struct hrtimer *timer) while ((entry = llist_del_all(&cq->list)) != NULL) { entry = llist_reverse_order(entry); do { + struct request_queue *q = NULL; + cmd = container_of(entry, struct nullb_cmd, ll_list); entry = entry->next; + if (cmd->rq) + q = cmd->rq->q; end_cmd(cmd); - if (cmd->rq) { - struct request_queue *q = cmd->rq->q; - - if (!q->mq_ops && blk_queue_stopped(q)) { - spin_lock(q->queue_lock); - if (blk_queue_stopped(q)) - blk_start_queue(q); - spin_unlock(q->queue_lock); - } + if (q && !q->mq_ops && blk_queue_stopped(q)) { + spin_lock(q->queue_lock); + if (blk_queue_stopped(q)) + blk_start_queue(q); + spin_unlock(q->queue_lock); } } while (entry); } |