diff options
author | Mike Krinkin <krinkin.m.u@gmail.com> | 2015-12-15 12:56:40 +0300 |
---|---|---|
committer | Jens Axboe <axboe@fb.com> | 2015-12-22 10:42:48 -0700 |
commit | e8271201462710dbbaa0448b768428606724ca90 (patch) | |
tree | 260d20e53c36bf3ec9eec08b65af06012bd237c0 /drivers/block/null_blk.c | |
parent | 23688bf4f830a89866fd0ed3501e342a7360fe4f (diff) |
null_blk: fix use-after-free error
blk_end_request_all may free request, so we need to save
request_queue pointer before blk_end_request_all call.
The problem was introduced in commit cf8ecc5a8455266f8d51
("null_blk: guarantee device restart in all irq modes")
and causes general protection fault with slab poisoning
enabled.
Fixes: cf8ecc5a8455266f8d51 ("null_blk: guarantee device
restart in all irq modes")
Signed-off-by: Mike Krinkin <krinkin.m.u@gmail.com>
Reviewed-by: Ming Lei <tom.leiming@gmail.com>
Signed-off-by: Jens Axboe <axboe@fb.com>
Diffstat (limited to 'drivers/block/null_blk.c')
-rw-r--r-- | drivers/block/null_blk.c | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/drivers/block/null_blk.c b/drivers/block/null_blk.c index 8162475d96b5..a428e4ef71fd 100644 --- a/drivers/block/null_blk.c +++ b/drivers/block/null_blk.c @@ -219,6 +219,9 @@ static void end_cmd(struct nullb_cmd *cmd) { struct request_queue *q = NULL; + if (cmd->rq) + q = cmd->rq->q; + switch (queue_mode) { case NULL_Q_MQ: blk_mq_end_request(cmd->rq, 0); @@ -232,9 +235,6 @@ static void end_cmd(struct nullb_cmd *cmd) goto free_cmd; } - if (cmd->rq) - q = cmd->rq->q; - /* Restart queue if needed, as we are freeing a tag */ if (q && !q->mq_ops && blk_queue_stopped(q)) { unsigned long flags; |