lk/linux-kernel-test
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

[PATCH] md: fix a use-after-free bug in raid1

Browse Source 
Who would submit code with a FIXME like that in it !!!!

Signed-off-by: Neil Brown <neilb@suse.de>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
This commit is contained in:
NeilBrown
2005-12-12 02:39:16 -08:00
committed by Linus Torvalds
parent 0de502aa44
commit 3795bb0fc5
1 changed files with 3 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
drivers/md/raid1.c
View File

@@ -320,7 +320,6 @@ static int raid1_end_write_request(struct bio *bio, unsigned int bytes_done, int
* this branch is our 'one mirror IO has finished' event handler: * this branch is our 'one mirror IO has finished' event handler:
*/ */
r1_bio->bios[mirror] = NULL; r1_bio->bios[mirror] = NULL;
bio_put(bio);
if (!uptodate) { if (!uptodate) {
md_error(r1_bio->mddev, conf->mirrors[mirror].rdev); md_error(r1_bio->mddev, conf->mirrors[mirror].rdev);
/* an I/O failed, we can't clear the bitmap */ /* an I/O failed, we can't clear the bitmap */
@@ -377,7 +376,6 @@ static int raid1_end_write_request(struct bio *bio, unsigned int bytes_done, int
} }
if (test_bit(R1BIO_BehindIO, &r1_bio->state)) { if (test_bit(R1BIO_BehindIO, &r1_bio->state)) {
/* free extra copy of the data pages */ /* free extra copy of the data pages */
/* FIXME bio has been freed!!! */
int i = bio->bi_vcnt; int i = bio->bi_vcnt;
while (i--) while (i--)
__free_page(bio->bi_io_vec[i].bv_page); __free_page(bio->bi_io_vec[i].bv_page);
@@ -391,6 +389,9 @@ static int raid1_end_write_request(struct bio *bio, unsigned int bytes_done, int
raid_end_bio_io(r1_bio); raid_end_bio_io(r1_bio);
} }
if (r1_bio->bios[mirror]==NULL)
bio_put(bio);
rdev_dec_pending(conf->mirrors[mirror].rdev, conf->mddev); rdev_dec_pending(conf->mirrors[mirror].rdev, conf->mddev);
return 0; return 0;
} }