Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 869c5548 authored Aug 25, 2016 by Adrian Hunter Committed by Jens Axboe Aug 25, 2016

mmc: fix use-after-free of struct request



We call mmc_req_is_special() after having processed a request, but
it could be freed after that. Check that ahead of time, and use
the cached value.

Reported-by: Hans de Goede <hdegoede@redhat.com>
Tested-by: Hans de Goede <hdegoede@redhat.com>
Fixes: c2df40df ("drivers: use req op accessor")

Signed-off-by: Jens Axboe <axboe@fb.com>

parent f2791e7e

drivers/mmc/card/block.c

+2 −2

Original line number	Diff line number	Diff line
		@@ -2151,6 +2151,7 @@ static int mmc_blk_issue_rq(struct mmc_queue mq, struct request req)
		struct mmc_card *card = md->queue.card;
		struct mmc_host *host = card->host;
		unsigned long flags;
		bool req_is_special = mmc_req_is_special(req);

		if (req && !mq->mqrq_prev->req)
		/* claim host only for the first request */
		@@ -2191,8 +2192,7 @@ static int mmc_blk_issue_rq(struct mmc_queue mq, struct request req)
		}

		out:
		if ((!req && !(mq->flags & MMC_QUEUE_NEW_REQUEST)) \|\|
		mmc_req_is_special(req))
		if ((!req && !(mq->flags & MMC_QUEUE_NEW_REQUEST)) \|\| req_is_special)
		/*
		* Release host when there are no more requests
		* and after special request(discard, flush) is done.

drivers/mmc/card/queue.c

+3 −1

Original line number	Diff line number	Diff line
		@@ -65,6 +65,8 @@ static int mmc_queue_thread(void *d)
		spin_unlock_irq(q->queue_lock);

		if (req \|\| mq->mqrq_prev->req) {
		bool req_is_special = mmc_req_is_special(req);

		set_current_state(TASK_RUNNING);
		mq->issue_fn(mq, req);
		cond_resched();
		@@ -80,7 +82,7 @@ static int mmc_queue_thread(void *d)
		* has been finished. Do not assign it to previous
		* request.
		*/
		if (mmc_req_is_special(req))
		if (req_is_special)
		mq->mqrq_cur->req = NULL;

		mq->mqrq_prev->brq.mrq.data = NULL;