提交 14e71344 编写于 作者: M Maik Hampel 提交者: Linus Torvalds

md: raid10: fix use-after-free of bio

In case of read errors raid10d tries to print a nice error message,
unfortunately using data from an already put bio.
Signed-off-by: NMaik Hampel <m.hampel@gmx.de>
Acked-By: NNeilBrown <neilb@suse.de>
Cc: <stable@kernel.org>
Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
上级 bfe0d686
...@@ -1557,7 +1557,6 @@ static void raid10d(mddev_t *mddev) ...@@ -1557,7 +1557,6 @@ static void raid10d(mddev_t *mddev)
bio = r10_bio->devs[r10_bio->read_slot].bio; bio = r10_bio->devs[r10_bio->read_slot].bio;
r10_bio->devs[r10_bio->read_slot].bio = r10_bio->devs[r10_bio->read_slot].bio =
mddev->ro ? IO_BLOCKED : NULL; mddev->ro ? IO_BLOCKED : NULL;
bio_put(bio);
mirror = read_balance(conf, r10_bio); mirror = read_balance(conf, r10_bio);
if (mirror == -1) { if (mirror == -1) {
printk(KERN_ALERT "raid10: %s: unrecoverable I/O" printk(KERN_ALERT "raid10: %s: unrecoverable I/O"
...@@ -1565,8 +1564,10 @@ static void raid10d(mddev_t *mddev) ...@@ -1565,8 +1564,10 @@ static void raid10d(mddev_t *mddev)
bdevname(bio->bi_bdev,b), bdevname(bio->bi_bdev,b),
(unsigned long long)r10_bio->sector); (unsigned long long)r10_bio->sector);
raid_end_bio_io(r10_bio); raid_end_bio_io(r10_bio);
bio_put(bio);
} else { } else {
const int do_sync = bio_sync(r10_bio->master_bio); const int do_sync = bio_sync(r10_bio->master_bio);
bio_put(bio);
rdev = conf->mirrors[mirror].rdev; rdev = conf->mirrors[mirror].rdev;
if (printk_ratelimit()) if (printk_ratelimit())
printk(KERN_ERR "raid10: %s: redirecting sector %llu to" printk(KERN_ERR "raid10: %s: redirecting sector %llu to"
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册