[Devel] [PATCH RHEL8 COMMIT] ploop: Fix use-after-free in submit_rw_mapped()

Konstantin Khorenko khorenko at virtuozzo.com
Tue Jul 27 15:28:03 MSK 2021


The commit is pushed to "branch-rh8-4.18.0-305.3.1.vz8.7.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh8-4.18.0-305.3.1.el8
------>
commit 965517e9319f9196b1b12f8a9a4ef1a29c1620a1
Author: Kirill Tkhai <ktkhai at virtuozzo.com>
Date:   Tue Jul 27 15:24:29 2021 +0300

    ploop: Fix use-after-free in submit_rw_mapped()
    
    After ploop_call_rw_iter() is called, the request may
    complete and be freed asynchronously.
    
    https://jira.sw.ru/browse/PSBM-132313
    
    Signed-off-by: Kirill Tkhai <ktkhai at virtuozzo.com>
---
 drivers/md/dm-ploop-map.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/drivers/md/dm-ploop-map.c b/drivers/md/dm-ploop-map.c
index dc68161d928e..81360e5e66ba 100644
--- a/drivers/md/dm-ploop-map.c
+++ b/drivers/md/dm-ploop-map.c
@@ -1174,6 +1174,7 @@ static void data_rw_complete(struct pio *pio)
  */
 static void submit_rw_mapped(struct ploop *ploop, struct pio *pio)
 {
+	struct cgroup_subsys_state *css = pio->css;
 	unsigned int rw, nr_segs;
 	struct bio_vec *bvec;
 	struct iov_iter iter;
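Review bot: the new local `css` only snapshots the pointer value so that `pio` is not dereferenced after submission; it does not take a reference on the blkcg css, so it must never be dereferenced after ploop_call_rw_iter() returns, only compared against NULL. A brief comment on the declaration stating that intent would make this safe-use constraint visible to the next person editing the function.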
@@ -1195,10 +1196,11 @@ static void submit_rw_mapped(struct ploop *ploop, struct pio *pio)
 
 	file = ploop->deltas[pio->level].file;
 
-	if (pio->css)
+	if (css)
 		kthread_associate_blkcg(pio->css);
+	/* Don't touch @pio after that */
 	ploop_call_rw_iter(file, pos, rw, &iter, pio);
-	if (pio->css)
+	if (css)
 		kthread_associate_blkcg(NULL);
 
 }
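Review bot: `kthread_associate_blkcg(pio->css);` still reads `pio->css` while the surrounding checks were switched to the cached `css`; that read happens before ploop_call_rw_iter() and is therefore safe, but using `kthread_associate_blkcg(css);` there keeps a single source of truth and avoids a future reordering reintroducing the use-after-free. The comment `/* Don't touch @pio after that */` would read more precisely as "after this call", since the request may be completed and freed on another context as soon as ploop_call_rw_iter() submits it. The trailing `if (css) kthread_associate_blkcg(NULL);` correctly uses only the cached value and does not touch `pio`, which is the actual fix.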

