dm-rq: don't dereference request payload after ending request
Bart reported a case where dm would crash with use-after-free
poison. This is due to dm_softirq_done() accessing memory
associated with a request after calling end_request on it.
This is most visible on !blk-mq, since we free the memory
immediately for that case.
Reported-by: Bart Van Assche <bart.vanassche@sandisk.com>
Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
Fixes: eb8db831be ("dm: always defer request allocation to the owner of the request_queue")
Signed-off-by: Jens Axboe <axboe@fb.com>
parent
d38d351555
commit
61febef40b
|
@ -328,13 +328,15 @@ static void dm_softirq_done(struct request *rq)
|
||||||
int rw;
|
int rw;
|
||||||
|
|
||||||
if (!clone) {
|
if (!clone) {
|
||||||
rq_end_stats(tio->md, rq);
|
struct mapped_device *md = tio->md;
|
||||||
|
|
||||||
|
rq_end_stats(md, rq);
|
||||||
rw = rq_data_dir(rq);
|
rw = rq_data_dir(rq);
|
||||||
if (!rq->q->mq_ops)
|
if (!rq->q->mq_ops)
|
||||||
blk_end_request_all(rq, tio->error);
|
blk_end_request_all(rq, tio->error);
|
||||||
else
|
else
|
||||||
blk_mq_end_request(rq, tio->error);
|
blk_mq_end_request(rq, tio->error);
|
||||||
rq_completed(tio->md, rw, false);
|
rq_completed(md, rw, false);
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
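Review bot: The new local `md` in the `!clone` branch carries no comment explaining why it exists, so a later cleanup could fold it back into `rq_completed(tio->md, rw, false)` and reintroduce the use-after-free described in the commit message. I would add a comment above the declaration, for example `/* tio is part of the request payload, which may be freed once the request is ended; fetch md before that */`. The same comment could note that `rw` is read early for the same reason, and that `tio->error` is safe only because it is evaluated as a call argument before the request is ended. The body of dm_softirq_done starts before and continues after this hunk, so any use of `tio` after completion on the clone path is not visible here and is worth checking in the same way.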