[Devel] [PATCH RHEL8 COMMIT] ploop: Fix use-after-free in submit_rw_mapped()
Konstantin Khorenko
khorenko at virtuozzo.com
Tue Jul 27 15:28:03 MSK 2021
The commit is pushed to "branch-rh8-4.18.0-305.3.1.vz8.7.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh8-4.18.0-305.3.1.el8
------>
commit 965517e9319f9196b1b12f8a9a4ef1a29c1620a1
Author: Kirill Tkhai <ktkhai at virtuozzo.com>
Date: Tue Jul 27 15:24:29 2021 +0300
ploop: Fix use-after-free in submit_rw_mapped()
After ploop_call_rw_iter() is called, the request may
complete and be freed asynchronously.
https://jira.sw.ru/browse/PSBM-132313
Signed-off-by: Kirill Tkhai <ktkhai at virtuozzo.com>
---
drivers/md/dm-ploop-map.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/md/dm-ploop-map.c b/drivers/md/dm-ploop-map.c
index dc68161d928e..81360e5e66ba 100644
--- a/drivers/md/dm-ploop-map.c
+++ b/drivers/md/dm-ploop-map.c
@@ -1174,6 +1174,7 @@ static void data_rw_complete(struct pio *pio)
*/
static void submit_rw_mapped(struct ploop *ploop, struct pio *pio)
{
+ struct cgroup_subsys_state *css = pio->css;
unsigned int rw, nr_segs;
struct bio_vec *bvec;
struct iov_iter iter;
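Review bot: the new local `css` declared at the top of submit_rw_mapped() is a plain copy of pio->css, and nothing in the visible lines takes a reference on it, so after ploop_call_rw_iter() it is only safe as a NULL test. A short comment on the declaration saying it must not be dereferenced once the pio may have been freed, or storing the value as a bool instead of a pointer, would keep a later change from handing the stale pointer to code that dereferences it.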
@@ -1195,10 +1196,11 @@ static void submit_rw_mapped(struct ploop *ploop, struct pio *pio)
file = ploop->deltas[pio->level].file;
- if (pio->css)
+ if (css)
kthread_associate_blkcg(pio->css);
+ /* Don't touch @pio after that */
ploop_call_rw_iter(file, pos, rw, &iter, pio);
- if (pio->css)
+ if (css)
kthread_associate_blkcg(NULL);
}
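Review bot: the unchanged line `kthread_associate_blkcg(pio->css);` still reads the pio while both tests around it were switched to the local. It runs before ploop_call_rw_iter(), so it is not itself a use-after-free, but passing `css` there as well would leave a single read of the field in the function. The added comment "Don't touch @pio after that" sits above the call, which makes "that" ambiguous; naming the call, for example "Don't touch @pio after ploop_call_rw_iter(): it may already be completed and freed", would state the rule and the reason.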