Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 10ee57c2 authored Nov 24, 2020 by Pradeep P V K

block: Fix use-after-free while iterating over requests



During request completion and if there are no more references,
update the free request with NULL. This could avoid accessing
the already free request from other contexts while iterating
over the requests.

Change-Id: If3593d8397f510821e1d2ca89f5e0af9d19d57e1
Signed-off-by: Pradeep P V K <ppvk@codeaurora.org>

parent 58329ca1

block/blk-mq.c

+1 −0

Original line number	Diff line number	Diff line
		@@ -497,6 +497,7 @@ static void __blk_mq_free_request(struct request *rq)
		const int sched_tag = rq->internal_tag;

		blk_pm_mark_last_busy(rq);
		hctx->tags->rqs[rq->tag] = NULL;
		rq->mq_hctx = NULL;
		if (rq->tag != -1)
		blk_mq_put_tag(hctx, hctx->tags, ctx, rq->tag);

block/blk-mq.h

+1 −1

Original line number	Diff line number	Diff line
		@@ -209,6 +209,7 @@ static inline bool blk_mq_get_dispatch_budget(struct blk_mq_hw_ctx *hctx)
		static inline void __blk_mq_put_driver_tag(struct blk_mq_hw_ctx *hctx,
		struct request *rq)
		{
		hctx->tags->rqs[rq->tag] = NULL;
		blk_mq_put_tag(hctx, hctx->tags, rq->mq_ctx, rq->tag);
		rq->tag = -1;

		@@ -222,7 +223,6 @@ static inline void blk_mq_put_driver_tag(struct request *rq)
		{
		if (rq->tag == -1 \|\| rq->internal_tag == -1)
		return;

		__blk_mq_put_driver_tag(rq->mq_hctx, rq);
		}