[Devel] [PATCH RH8] ploop: Fix use-after-free in submit_rw_mapped()
Kirill Tkhai
ktkhai at virtuozzo.com
Tue Jul 27 14:00:49 MSK 2021
After ploop_call_rw_iter() is called, the request may
complete and be freed asynchronously.
https://jira.sw.ru/browse/PSBM-132313
---
drivers/md/dm-ploop-map.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/md/dm-ploop-map.c b/drivers/md/dm-ploop-map.c
index dc68161d928e..81360e5e66ba 100644
--- a/drivers/md/dm-ploop-map.c
+++ b/drivers/md/dm-ploop-map.c
@@ -1174,6 +1174,7 @@ static void data_rw_complete(struct pio *pio)
*/
static void submit_rw_mapped(struct ploop *ploop, struct pio *pio)
{
+ struct cgroup_subsys_state *css = pio->css;
unsigned int rw, nr_segs;
struct bio_vec *bvec;
struct iov_iter iter;
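Review bot: the new local `struct cgroup_subsys_state *css = pio->css;` deserves a short comment at its declaration explaining why the value is snapshotted: `pio` may be completed and freed by the time the function needs to know whether a blkcg was associated, so reading `pio->css` again later would be a use-after-free. It is also worth stating in that comment that the cached pointer is only compared against NULL after the submission and is never dereferenced, so no reference on the css is needed to keep it valid; without that note a later reader could reasonably assume the snapshot alone keeps the object alive.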
@@ -1195,10 +1196,11 @@ static void submit_rw_mapped(struct ploop *ploop, struct pio *pio)
file = ploop->deltas[pio->level].file;
- if (pio->css)
+ if (css)
kthread_associate_blkcg(pio->css);
+ /* Don't touch @pio after that */
ploop_call_rw_iter(file, pos, rw, &iter, pio);
- if (pio->css)
+ if (css)
kthread_associate_blkcg(NULL);
}
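Review bot: the unchanged line `kthread_associate_blkcg(pio->css);` still reads `pio->css` directly. It executes before `ploop_call_rw_iter()` while `pio` is still owned by this function, so it is not a bug, but passing the local `css` there too would leave no `pio->css` access in the function other than the initial snapshot and make the intent obvious to the next person touching this code. The new `/* Don't touch @pio after that */` comment would also be clearer if it said what "that" is and why, e.g. "ploop_call_rw_iter() may complete and free @pio asynchronously, so @pio must not be touched after it returns"; as written, the comment sits above the call it refers to and "after that" is easy to misread.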