Re: [PATCH] block/loop: fix use after feee

From: Shaohua Li <shli@kernel.org>
Date: 2017-08-30 22:13:13

On Wed, Aug 30, 2017 at 02:51:05PM -0700, Shaohua Li wrote:

lo_rw_aio->call_read_iter->
1	aops->direct_IO
2	iov_iter_revert
lo_rw_aio_complete could happen between 1 and 2, the bio and bvec could
be freed before 2, which accesses bvec.

please ignore this one, I accidentally sent it out. The correct fix is in
another patch.

quoted hunk ↗ jump to hunk

This conflicts with my direcio performance improvement patches, which
I'll resend.

Signed-off-by: Shaohua Li <redacted>
---
 drivers/block/loop.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/block/loop.c b/drivers/block/loop.c
index ef83349..153ab3c 100644
--- a/drivers/block/loop.c
+++ b/drivers/block/loop.c

@@ -490,6 +490,7 @@ static int lo_rw_aio(struct loop_device *lo, struct loop_cmd *cmd,
 	bvec = __bvec_iter_bvec(bio->bi_io_vec, bio->bi_iter);
 	iov_iter_bvec(&iter, ITER_BVEC | rw, bvec,
 		      bio_segments(bio), blk_rq_bytes(cmd->rq));
+	bio_inc_remaining(bio);
 	/*
 	 * This bio may be started from the middle of the 'bvec'
 	 * because of bio splitting, so offset from the bvec must

@@ -507,6 +508,7 @@ static int lo_rw_aio(struct loop_device *lo, struct loop_cmd *cmd,
 	else
 		ret = call_read_iter(file, &cmd->iocb, &iter);
 
+	bio_endio(bio);
 	if (ret != -EIOCBQUEUED)
 		cmd->iocb.ki_complete(&cmd->iocb, ret, 0);
 	return 0;

-- 
2.9.5

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help