Commit a6c4727f authored by Aran Dalton, committed by Treehugger Robot

UPSTREAM: loop: Fix use-after-free issues



    do_req_filebacked() calls blk_mq_complete_request() synchronously or
    asynchronously when using asynchronous I/O unless memory allocation fails.
    Hence, modify loop_handle_cmd() such that it does not dereference 'cmd' nor
    'rq' after do_req_filebacked() finished unless we are sure that the request
    has not yet been completed. This patch fixes the following kernel crash:

    Unable to handle kernel NULL pointer dereference at virtual address 0000000000000054
    Call trace:
     css_put.42938+0x1c/0x1ac
     loop_process_work+0xc8c/0xfd4
     loop_rootcg_workfn+0x24/0x34
     process_one_work+0x244/0x558
     worker_thread+0x400/0x8fc
     kthread+0x16c/0x1e0
     ret_from_fork+0x10/0x20

    Cc: Christoph Hellwig <hch@lst.de>
    Cc: Ming Lei <ming.lei@redhat.com>
    Cc: Jan Kara <jack@suse.cz>
    Cc: Johannes Weiner <hannes@cmpxchg.org>
    Cc: Dan Schatzberg <schatzberg.dan@gmail.com>
    Fixes: c74d40e8 ("loop: charge i/o to mem and blk cg")
    Fixes: bc07c10a ("block: loop: support DIO & AIO")
    Signed-off-by: Bart Van Assche <bvanassche@acm.org>
    Reviewed-by: Ming Lei <ming.lei@redhat.com>
    Link: https://lore.kernel.org/r/20230314182155.80625-1-bvanassche@acm.org


    Signed-off-by: Jens Axboe <axboe@kernel.dk>

Bug: 274539241
(cherry picked from commit 9b0cb770)
Signed-off-by: liuyu <liuyu@allwinnertech.com>
Signed-off-by: Aran Dalton <arda@allwinnertech.com>
Change-Id: I33b1e1fdc722a6fa87bc830531f3cf565fc83248
parent 24c1fcb7
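The ordering hazard the commit message describes, as an added, constructed model that is not the kernel's loop driver code: an I/O helper that may complete (and thereby release) the request before returning, a handler that reads the request afterwards, and the fixed handler that captures `use_aio` first and only touches the request when the helper cannot have completed it. The request struct, the `alive` flag and the `stale_reads` counter are instrumentation invented here so the stale dereference can be counted instead of crashing.

```c
#include <stdbool.h>

struct loop_req {
    bool use_aio;  /* aio: the I/O helper completes the request itself */
    bool alive;    /* false once completed; touching rq after that is the bug */
};
static int stale_reads;  /* dereferences of an already-completed request */
static bool read_use_aio(struct loop_req *rq)
{
    if (!rq->alive)
        stale_reads++;   /* this is the use-after-free in the real driver */
    return rq->use_aio;
}
/* Stand-in for blk_mq_complete_request() */
static void complete_request(struct loop_req *rq) { rq->alive = false; }

/* Stand-in for do_req_filebacked(): the aio path completes the request
 * itself unless the (constructed) allocation failure happens first */
static int do_req_filebacked_sim(struct loop_req *rq, bool fail_alloc)
{
    if (!read_use_aio(rq))
        return 0;        /* synchronous path: the caller completes rq */
    if (fail_alloc)
        return -1;       /* nothing submitted: the caller still owns rq */
    complete_request(rq);
    return 0;
}

/* Buggy ordering: decides by reading rq after the helper may have completed it */
static void handle_cmd_buggy(struct loop_req *rq, bool fail_alloc)
{
    int ret = do_req_filebacked_sim(rq, fail_alloc);
    if (!read_use_aio(rq) || ret)
        complete_request(rq);
}

/* Fixed ordering: copy what is needed first, then touch rq only when the
 * helper cannot have completed it (non-aio, or aio that failed to submit) */
static void handle_cmd_safe(struct loop_req *rq, bool fail_alloc)
{
    bool use_aio = read_use_aio(rq);
    int ret = do_req_filebacked_sim(rq, fail_alloc);
    if (!use_aio || ret)
        complete_request(rq);
}

/* Runs one handler on a fresh request and returns the stale-dereference count */
static int stale_reads_for(bool fixed, bool use_aio, bool fail_alloc)
{
    struct loop_req rq = { .use_aio = use_aio, .alive = true };
    stale_reads = 0;
    fixed ? handle_cmd_safe(&rq, fail_alloc) : handle_cmd_buggy(&rq, fail_alloc);
    return stale_reads;
}
```

Only the aio-success path exposes the difference: the buggy handler reads the request once after it has been completed, while the fixed handler never touches it again.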