Linux kernel mirror (for testing)
git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
tjh.dev
kernel
os
linux
block: fix use after free in __blkdev_direct_IO
We can't dereference the dio structure after submitting the last bio for
this request, as I/O completion might have happened before the code is
run. Introduce a local is_sync variable instead.
Fixes: 542ff7bf ("block: new direct I/O implementation")
Signed-off-by: Christoph Hellwig <hch@lst.de>
Reported-by: Matias Bjørling <m@bjorling.me>
Tested-by: Matias Bjørling <m@bjorling.me>
Signed-off-by: Jens Axboe <axboe@fb.com>
authored by Christoph Hellwig and committed by Jens Axboe 690e5325 a4685d2f
+3
-3
fs/block_dev.c
+3
-3
fs/block_dev.c
···
331
331
struct blk_plug plug;
332
332
struct blkdev_dio *dio;
333
333
struct bio *bio;
334
-
bool is_read = (iov_iter_rw(iter) == READ);
334
+
bool is_read = (iov_iter_rw(iter) == READ), is_sync;
335
335
loff_t pos = iocb->ki_pos;
336
336
blk_qc_t qc = BLK_QC_T_NONE;
337
337
int ret;
···
344
344
bio_get(bio); /* extra ref for the completion handler */
345
345
346
346
dio = container_of(bio, struct blkdev_dio, bio);
347
-
dio->is_sync = is_sync_kiocb(iocb);
347
+
dio->is_sync = is_sync = is_sync_kiocb(iocb);
348
348
if (dio->is_sync)
349
349
dio->waiter = current;
350
350
else
···
398
398
}
399
399
blk_finish_plug(&plug);
400
400
401
-
if (!dio->is_sync)
401
+
if (!is_sync)
402
402
return -EIOCBQUEUED;
403
403
404
404
for (;;) {