diff options
| author | Bart Van Assche <[email protected]> | 2023-03-14 11:21:54 -0700 |
|---|---|---|
| committer | Jens Axboe <[email protected]> | 2023-03-14 19:20:48 -0600 |
| commit | 9b0cb770f5d7b1ff40bea7ca385438ee94570eec (patch) | |
| tree | 3c6a907cc5d5dde18a91df6dc36e4b7106a4f33c /lib/test_fortify/write_overflow-strncpy-src.c | |
| parent | 34e0a279a993debaff03158fc2fbf6a00c093643 (diff) | |
loop: Fix use-after-free issues
do_req_filebacked() calls blk_mq_complete_request() synchronously or
asynchronously when using asynchronous I/O unless memory allocation fails.
Hence, modify loop_handle_cmd() such that it does not dereference 'cmd' nor
'rq' after do_req_filebacked() finished unless we are sure that the request
has not yet been completed. This patch fixes the following kernel crash:
Unable to handle kernel NULL pointer dereference at virtual address 0000000000000054
Call trace:
css_put.42938+0x1c/0x1ac
loop_process_work+0xc8c/0xfd4
loop_rootcg_workfn+0x24/0x34
process_one_work+0x244/0x558
worker_thread+0x400/0x8fc
kthread+0x16c/0x1e0
ret_from_fork+0x10/0x20
Cc: Christoph Hellwig <[email protected]>
Cc: Ming Lei <[email protected]>
Cc: Jan Kara <[email protected]>
Cc: Johannes Weiner <[email protected]>
Cc: Dan Schatzberg <[email protected]>
Fixes: c74d40e8b5e2 ("loop: charge i/o to mem and blk cg")
Fixes: bc07c10a3603 ("block: loop: support DIO & AIO")
Signed-off-by: Bart Van Assche <[email protected]>
Reviewed-by: Ming Lei <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Jens Axboe <[email protected]>
Diffstat (limited to 'lib/test_fortify/write_overflow-strncpy-src.c')
0 files changed, 0 insertions, 0 deletions