author | Adrian Hunter <adrian.hunter@intel.com> | 2016-08-25 22:11:43 +0200 |
---|---|---|
committer | Jens Axboe <axboe@fb.com> | 2016-08-25 22:11:43 +0200 |
commit | 869c554808ccf7ddd25be5317073b88ceddb8507 (patch) | |
tree | ed7f5a2112a7d00dbfa02415585bc7d1991fe824 /drivers/mmc/card/queue.c | |
parent | Revert "floppy: refactor open() flags handling" (diff) | |
mmc: fix use-after-free of struct request
We call mmc_req_is_special() after having processed a request, but
it could be freed after that. Check that ahead of time, and use
the cached value.
Reported-by: Hans de Goede <hdegoede@redhat.com>
Tested-by: Hans de Goede <hdegoede@redhat.com>
Fixes: c2df40dfb8c0 ("drivers: use req op accessor")
Signed-off-by: Jens Axboe <axboe@fb.com>
Diffstat (limited to '')
-rw-r--r-- | drivers/mmc/card/queue.c | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/drivers/mmc/card/queue.c b/drivers/mmc/card/queue.c index 29578e98603d..708057261b38 100644 --- a/drivers/mmc/card/queue.c +++ b/drivers/mmc/card/queue.c @@ -65,6 +65,8 @@ static int mmc_queue_thread(void *d) spin_unlock_irq(q->queue_lock); if (req || mq->mqrq_prev->req) { + bool req_is_special = mmc_req_is_special(req); + set_current_state(TASK_RUNNING); mq->issue_fn(mq, req); cond_resched(); @@ -80,7 +82,7 @@ static int mmc_queue_thread(void *d) * has been finished. Do not assign it to previous * request. */ - if (mmc_req_is_special(req)) + if (req_is_special) mq->mqrq_cur->req = NULL; mq->mqrq_prev->brq.mrq.data = NULL; |
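Review bot: In the first hunk, `bool req_is_special = mmc_req_is_special(req);` sits inside `if (req || mq->mqrq_prev->req)`, so it runs with `req == NULL` whenever only the previous request is pending. Nothing in the visible lines shows that mmc_req_is_special() accepts a NULL pointer; please confirm that it does, or write the initialiser as `req && mmc_req_is_special(req)`.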
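Review bot: In the second hunk, the block comment above `if (req_is_special)` still explains only why `mq->mqrq_cur->req` is cleared, not why a cached flag is tested instead of the request itself. `req` stays in scope after `mq->issue_fn(mq, req)` and, per the commit message, may already be freed by then, so a short remark there such as "req may have been freed by issue_fn, do not dereference it" would keep a later cleanup from restoring the `mmc_req_is_special(req)` call.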