Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit fc8c3892 authored by Yan, Zheng's avatar Yan, Zheng Committed by Ilya Dryomov
Browse files

ceph: fix use-after-free bug in ceph_direct_read_write() 



ceph_aio_complete() can free the ceph_aio_request struct before
the code exits the while loop.

Signed-off-by: default avatarYan, Zheng <zyan@redhat.com>
parent 774a6a11

fs/ceph/file.c

+5 −2
Original line number Diff line number Diff line
@@ -985,6 +985,8 @@ ceph_direct_read_write(struct kiocb *iocb, struct iov_iter *iter, 
	}



	if (aio_req) {

		LIST_HEAD(osd_reqs);



		if (aio_req->num_reqs == 0) {

			kfree(aio_req);

			return ret;
@@ -993,8 +995,9 @@ ceph_direct_read_write(struct kiocb *iocb, struct iov_iter *iter, 
		ceph_get_cap_refs(ci, write ? CEPH_CAP_FILE_WR :

					      CEPH_CAP_FILE_RD);



		while (!list_empty(&aio_req->osd_reqs)) {

			req = list_first_entry(&aio_req->osd_reqs,

		list_splice(&aio_req->osd_reqs, &osd_reqs);

		while (!list_empty(&osd_reqs)) {

			req = list_first_entry(&osd_reqs,

					       struct ceph_osd_request,

					       r_unsafe_item);

			list_del_init(&req->r_unsafe_item);