git.baikalelectronics.ru Git - kernel.git/commit
loop: Fix use-after-free issues
author Bart Van Assche <bvanassche@acm.org>
Tue, 14 Mar 2023 18:21:54 +0000 (11:21 -0700)
committer Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 22 Mar 2023 12:33:46 +0000 (13:33 +0100)
commit 37aa1d2f43ad2fba53a73e133609d608d79d8763
tree 05a49f90c0ee07b95d133a60452062ecf56d0f77
parent b97591d78d5ec1413a74531542c937d3ea0c55c8

[ Upstream commit 8ce6a534e25266c9fbfcb0a9bbcf2a23a9c341ac ]

do_req_filebacked() calls blk_mq_complete_request() synchronously or
asynchronously when using asynchronous I/O unless memory allocation fails.
Hence, modify loop_handle_cmd() such that it does not dereference 'cmd' or
'rq' after do_req_filebacked() has finished unless we are sure that the request
has not yet been completed. This patch fixes the following kernel crash:

Unable to handle kernel NULL pointer dereference at virtual address 0000000000000054
Call trace:
 css_put.42938+0x1c/0x1ac
 loop_process_work+0xc8c/0xfd4
 loop_rootcg_workfn+0x24/0x34
 process_one_work+0x244/0x558
 worker_thread+0x400/0x8fc
 kthread+0x16c/0x1e0
 ret_from_fork+0x10/0x20

Cc: Christoph Hellwig <hch@lst.de>
Cc: Ming Lei <ming.lei@redhat.com>
Cc: Jan Kara <jack@suse.cz>
Cc: Johannes Weiner <hannes@cmpxchg.org>
Cc: Dan Schatzberg <schatzberg.dan@gmail.com>
Fixes: 0b002ff9dcd7 ("loop: charge i/o to mem and blk cg")
Fixes: 1a2fd1fc2a5b ("block: loop: support DIO & AIO")
Signed-off-by: Bart Van Assche <bvanassche@acm.org>
Reviewed-by: Ming Lei <ming.lei@redhat.com>
Link: https://lore.kernel.org/r/20230314182155.80625-1-bvanassche@acm.org
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
drivers/block/loop.c