Commit 3795bb0f authored by NeilBrown's avatar NeilBrown Committed by Linus Torvalds

[PATCH] md: fix a use-after-free bug in raid1

Who would submit code with a FIXME like that in it !!!!
Signed-off-by: default avatarNeil Brown <neilb@suse.de>
Signed-off-by: default avatarAndrew Morton <akpm@osdl.org>
Signed-off-by: default avatarLinus Torvalds <torvalds@osdl.org>
parent 0de502aa
...@@ -320,7 +320,6 @@ static int raid1_end_write_request(struct bio *bio, unsigned int bytes_done, int ...@@ -320,7 +320,6 @@ static int raid1_end_write_request(struct bio *bio, unsigned int bytes_done, int
* this branch is our 'one mirror IO has finished' event handler: * this branch is our 'one mirror IO has finished' event handler:
*/ */
r1_bio->bios[mirror] = NULL; r1_bio->bios[mirror] = NULL;
bio_put(bio);
if (!uptodate) { if (!uptodate) {
md_error(r1_bio->mddev, conf->mirrors[mirror].rdev); md_error(r1_bio->mddev, conf->mirrors[mirror].rdev);
/* an I/O failed, we can't clear the bitmap */ /* an I/O failed, we can't clear the bitmap */
...@@ -377,7 +376,6 @@ static int raid1_end_write_request(struct bio *bio, unsigned int bytes_done, int ...@@ -377,7 +376,6 @@ static int raid1_end_write_request(struct bio *bio, unsigned int bytes_done, int
} }
if (test_bit(R1BIO_BehindIO, &r1_bio->state)) { if (test_bit(R1BIO_BehindIO, &r1_bio->state)) {
/* free extra copy of the data pages */ /* free extra copy of the data pages */
/* FIXME bio has been freed!!! */
int i = bio->bi_vcnt; int i = bio->bi_vcnt;
while (i--) while (i--)
__free_page(bio->bi_io_vec[i].bv_page); __free_page(bio->bi_io_vec[i].bv_page);
...@@ -391,6 +389,9 @@ static int raid1_end_write_request(struct bio *bio, unsigned int bytes_done, int ...@@ -391,6 +389,9 @@ static int raid1_end_write_request(struct bio *bio, unsigned int bytes_done, int
raid_end_bio_io(r1_bio); raid_end_bio_io(r1_bio);
} }
if (r1_bio->bios[mirror]==NULL)
bio_put(bio);
rdev_dec_pending(conf->mirrors[mirror].rdev, conf->mddev); rdev_dec_pending(conf->mirrors[mirror].rdev, conf->mddev);
return 0; return 0;
} }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment