Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1752766AbbGSGxz (ORCPT <rfc822;w@1wt.eu>);
	Sun, 19 Jul 2015 02:53:55 -0400
Received: from mail-lb0-f175.google.com ([209.85.217.175]:33047 "EHLO
	mail-lb0-f175.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1752218AbbGSGxy (ORCPT
	<rfc822;linux-kernel@vger.kernel.org>);
	Sun, 19 Jul 2015 02:53:54 -0400
From: Mike Krinkin <krinkin.m.u@gmail.com>
To: axboe@fb.com, akinobu.mita@gmail.com
Cc: linux-kernel@vger.kernel.org, krinkin.m.u@gmail.com
Subject: [PATCH] null_blk: fix use-after-free problem
Date: Sun, 19 Jul 2015 09:53:17 +0300
Message-Id: <1437288797-9131-1-git-send-email-krinkin.m.u@gmail.com>
X-Mailer: git-send-email 1.9.1
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 1756
Lines: 57

end_cmd finishes request associated with nullb_cmd struct, so we
should save pointer to request_queue in a local variable before
calling end_cmd.

The problem was causes general protection fault with slab poisoning
enabled.

Fixes: 8b70f45e2eb2 ("null_blk: restart request processing on
       completion handler")
Tested-by: Akinobu Mita <akinobu.mita@gmail.com>

Signed-off-by: Mike Krinkin <krinkin.m.u@gmail.com>
---
 drivers/block/null_blk.c | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/drivers/block/null_blk.c b/drivers/block/null_blk.c
index 69de41a..3177b24 100644
--- a/drivers/block/null_blk.c
+++ b/drivers/block/null_blk.c
@@ -240,19 +240,19 @@ static enum hrtimer_restart null_cmd_timer_expired(struct hrtimer *timer)
 	while ((entry = llist_del_all(&cq->list)) != NULL) {
 		entry = llist_reverse_order(entry);
 		do {
+			struct request_queue *q = NULL;
+
 			cmd = container_of(entry, struct nullb_cmd, ll_list);
 			entry = entry->next;
+			if (cmd->rq)
+				q = cmd->rq->q;
 			end_cmd(cmd);
 
-			if (cmd->rq) {
-				struct request_queue *q = cmd->rq->q;
-
-				if (!q->mq_ops && blk_queue_stopped(q)) {
-					spin_lock(q->queue_lock);
-					if (blk_queue_stopped(q))
-						blk_start_queue(q);
-					spin_unlock(q->queue_lock);
-				}
+			if (q && !q->mq_ops && blk_queue_stopped(q)) {
+				spin_lock(q->queue_lock);
+				if (blk_queue_stopped(q))
+					blk_start_queue(q);
+				spin_unlock(q->queue_lock);
 			}
 		} while (entry);
 	}
-- 
1.9.1

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/