tree 946b78d06c3ce55e5628f1e5ad3c5e1fc726f5d4
parent 2aec79c56d01805ebd56171aafa419958d26b1fd
author Jens Axboe <[EMAIL PROTECTED]> Tue Apr 12 08:26:08 2005
committer Linus Torvalds <[EMAIL PROTECTED]> Tue Apr 12 08:26:08 2005

[PATCH] possible use-after-free of bio

There is a possibility that a bio will be accessed after it has been freed
on SCSI.  It happens if you submit a bio with BIO_SYNC marked and the
auto-unplugging kicks the request_fn, SCSI re-enables interrupts in-between
so if the request completes between the add_request() in __make_request()
and the bio_sync() call, we could be looking at a dead bio.  It's a slim
race, but it has been triggered in the Real World.

So assign bio_sync() to a local variable instead.

Signed-off-by: Jens Axboe <[EMAIL PROTECTED]>
Signed-off-by: Andrew Morton <[EMAIL PROTECTED]>
Signed-off-by: Linus Torvalds <[EMAIL PROTECTED]>

 ll_rw_blk.c |    5 +++--
 1 files changed, 3 insertions(+), 2 deletions(-)

Index: drivers/block/ll_rw_blk.c
===================================================================
--- d2986d713f4f08c1d74770d24551e174ccfdb4ae/drivers/block/ll_rw_blk.c  
(mode:100644 sha1:46f0fa72ae591c9f6560df34a6353b3cbabf3545)
+++ 946b78d06c3ce55e5628f1e5ad3c5e1fc726f5d4/drivers/block/ll_rw_blk.c  
(mode:100644 sha1:5c7eb8b7eb62b2e252438b24d9cfe168d5962ca5)
@@ -2559,7 +2559,7 @@
 static int __make_request(request_queue_t *q, struct bio *bio)
 {
        struct request *req, *freereq = NULL;
-       int el_ret, rw, nr_sectors, cur_nr_sectors, barrier, err;
+       int el_ret, rw, nr_sectors, cur_nr_sectors, barrier, err, sync;
        sector_t sector;
 
        sector = bio->bi_sector;
@@ -2567,6 +2567,7 @@
        cur_nr_sectors = bio_cur_sectors(bio);
 
        rw = bio_data_dir(bio);
+       sync = bio_sync(bio);
 
        /*
         * low level driver can indicate that it wants pages above a
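Review bot: The reason `sync` is captured here rather than read at `out:` is not recorded in the code, so a later cleanup could fold `if (sync)` back into `if (bio_sync(bio))` and reintroduce the use-after-free the commit message describes. A one-line comment above the assignment would pin the invariant: `/* once the request is queued the bio may complete and be freed; read the sync flag now */`. The same caveat applies to the `if (sync)` test in the third hunk, and any other bio dereference after add_request() would need the same treatment, though none is visible in these hunks. __make_request's body continues outside the hunk.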
@@ -2698,7 +2699,7 @@
 out:
        if (freereq)
                __blk_put_request(q, freereq);
-       if (bio_sync(bio))
+       if (sync)
                __generic_unplug_device(q);
 
        spin_unlock_irq(q->queue_lock);