The commit is pushed to "branch-rh8-4.18.0-240.1.1.vz8.5.x-ovz" and will appear 
at https://src.openvz.org/scm/ovz/vzkernel.git
after rh8-4.18.0-240.1.1.vz8.5.61
------>
commit e8c0b1739dc75ec8c5ce0d052ee7680e3554244a
Author: Kirill Tkhai <[email protected]>
Date:   Tue Jul 27 15:24:29 2021 +0300

    ploop: Fix use-after-free in submit_rw_mapped()
    
    After ploop_call_rw_iter() is called, the request may
    complete and be freed asynchronously.
    
    https://jira.sw.ru/browse/PSBM-132313
    
    Signed-off-by: Kirill Tkhai <[email protected]>
---
 drivers/md/dm-ploop-map.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/drivers/md/dm-ploop-map.c b/drivers/md/dm-ploop-map.c
index dc68161d928e..81360e5e66ba 100644
--- a/drivers/md/dm-ploop-map.c
+++ b/drivers/md/dm-ploop-map.c
@@ -1174,6 +1174,7 @@ static void data_rw_complete(struct pio *pio)
  */
 static void submit_rw_mapped(struct ploop *ploop, struct pio *pio)
 {
+       struct cgroup_subsys_state *css = pio->css;
        unsigned int rw, nr_segs;
        struct bio_vec *bvec;
        struct iov_iter iter;
@@ -1195,10 +1196,11 @@ static void submit_rw_mapped(struct ploop *ploop, 
struct pio *pio)
 
        file = ploop->deltas[pio->level].file;
 
-       if (pio->css)
+       if (css)
                kthread_associate_blkcg(pio->css);
+       /* Don't touch @pio after that */
        ploop_call_rw_iter(file, pos, rw, &iter, pio);
-       if (pio->css)
+       if (css)
                kthread_associate_blkcg(NULL);
 
 }
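Review bot: The first kthread_associate_blkcg() call still reads `pio->css` even though the hunk caches that pointer into `css` precisely so the function can stop touching `pio`; this use is before ploop_call_rw_iter() so it is not a use-after-free, but it leaves a second reader of the field that will be wrong if anyone later moves the call, so it should be `kthread_associate_blkcg(css);` for consistency with both guards. The new comment states the rule but not the reason; `/* ploop_call_rw_iter() may complete and free @pio asynchronously, so @pio must not be touched after this call */` would tell a reader why the css pointer is cached above. The stray blank line before the closing brace can be dropped. submit_rw_mapped() begins outside this hunk.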