Commit cd38b7d5 authored by Jens Axboe's avatar Jens Axboe Committed by Ben Hutchings

nbd: fix use-after-free of rq/bio in the xmit path

commit 429a787b upstream.

For writes, we can get a completion in while we're still iterating
the request and bio chain. If that happens, we're reading freed
memory and we can crash.

Break out after the last segment and avoid having the iterator
read freed memory.
Reviewed-by: default avatarJosef Bacik <jbacik@fb.com>
Signed-off-by: default avatarJens Axboe <axboe@fb.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
parent 91bb15ef
...@@ -242,6 +242,7 @@ static int nbd_send_req(struct nbd_device *nbd, struct request *req) ...@@ -242,6 +242,7 @@ static int nbd_send_req(struct nbd_device *nbd, struct request *req)
int result, flags; int result, flags;
struct nbd_request request; struct nbd_request request;
unsigned long size = blk_rq_bytes(req); unsigned long size = blk_rq_bytes(req);
struct bio *bio;
memset(&request, 0, sizeof(request)); memset(&request, 0, sizeof(request));
request.magic = htonl(NBD_REQUEST_MAGIC); request.magic = htonl(NBD_REQUEST_MAGIC);
...@@ -266,16 +267,20 @@ static int nbd_send_req(struct nbd_device *nbd, struct request *req) ...@@ -266,16 +267,20 @@ static int nbd_send_req(struct nbd_device *nbd, struct request *req)
goto error_out; goto error_out;
} }
if (nbd_cmd(req) == NBD_CMD_WRITE) { if (nbd_cmd(req) != NBD_CMD_WRITE)
struct req_iterator iter; return 0;
flags = 0;
bio = req->bio;
while (bio) {
struct bio *next = bio->bi_next;
struct bvec_iter iter;
struct bio_vec bvec; struct bio_vec bvec;
/*
* we are really probing at internals to determine bio_for_each_segment(bvec, bio, iter) {
* whether to set MSG_MORE or not... bool is_last = !next && bio_iter_last(bvec, iter);
*/
rq_for_each_segment(bvec, req, iter) { if (is_last)
flags = 0;
if (!rq_iter_last(bvec, iter))
flags = MSG_MORE; flags = MSG_MORE;
dprintk(DBG_TX, "%s: request %p: sending %d bytes data\n", dprintk(DBG_TX, "%s: request %p: sending %d bytes data\n",
nbd->disk->disk_name, req, bvec.bv_len); nbd->disk->disk_name, req, bvec.bv_len);
...@@ -286,7 +291,16 @@ static int nbd_send_req(struct nbd_device *nbd, struct request *req) ...@@ -286,7 +291,16 @@ static int nbd_send_req(struct nbd_device *nbd, struct request *req)
result); result);
goto error_out; goto error_out;
} }
/*
* The completion might already have come in,
* so break for the last one instead of letting
* the iterator do it. This prevents use-after-free
* of the bio.
*/
if (is_last)
break;
} }
bio = next;
} }
return 0; return 0;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment