block: fix use after free in __blkdev_direct_IO

We can't dereference the dio structure after submitting the last bio for this request, as I/O completion might have happened before the code is run. Introduce a local is_sync variable instead. Fixes: 542ff7bf ("block: new direct I/O implementation") Signed-off-by: Christoph Hellwig <hch@lst.de> Reported-by: Matias Bjørling <m@bjorling.me> Tested-by: Matias Bjørling <m@bjorling.me> Signed-off-by: Jens Axboe <axboe@fb.com>
author: Christoph Hellwig <hch@lst.de> 2017-01-24 08:50:19 -0500
committer: Jens Axboe <axboe@fb.com> 2017-01-24 09:55:53 -0500
commit: 690e5325b8c7d5db05fc569c0f7b888bb4248272 (patch)
tree: b9c39916a4397b1eb628e07e4fc6aff91219e393
parent: a4685d2f58e2230d4e27fb2ee581d7ea35e5d046 (diff)
1 files changed, 3 insertions, 3 deletions
diff --git a/fs/block_dev.c b/fs/block_dev.c
index 5db5d1340d69..3c47614a4b32 100644
--- a/fs/block_dev.c
+++ b/fs/block_dev.c
@@ -331,7 +331,7 @@ __blkdev_direct_IO(struct kiocb *iocb, struct iov_iter *iter, int nr_pages)
        struct blk_plug plug;
        struct blkdev_dio *dio;
        struct bio *bio;
-        bool is_read = (iov_iter_rw(iter) == READ);
+        bool is_read = (iov_iter_rw(iter) == READ), is_sync;
        loff_t pos = iocb->ki_pos;
        blk_qc_t qc = BLK_QC_T_NONE;
        int ret;
@@ -344,7 +344,7 @@ __blkdev_direct_IO(struct kiocb *iocb, struct iov_iter *iter, int nr_pages)
        bio_get(bio); /* extra ref for the completion handler */
        dio = container_of(bio, struct blkdev_dio, bio);
-        dio->is_sync = is_sync_kiocb(iocb);
+        dio->is_sync = is_sync = is_sync_kiocb(iocb);
        if (dio->is_sync)
                dio->waiter = current;
        else
@@ -398,7 +398,7 @@ __blkdev_direct_IO(struct kiocb *iocb, struct iov_iter *iter, int nr_pages)
        }
        blk_finish_plug(&plug);
-        if (!dio->is_sync)
+        if (!is_sync)
                return -EIOCBQUEUED;
        for (;;) {
author	Christoph Hellwig <hch@lst.de>	2017-01-24 08:50:19 -0500
committer	Jens Axboe <axboe@fb.com>	2017-01-24 09:55:53 -0500
commit	690e5325b8c7d5db05fc569c0f7b888bb4248272 (patch)
tree	b9c39916a4397b1eb628e07e4fc6aff91219e393
parent	a4685d2f58e2230d4e27fb2ee581d7ea35e5d046 (diff)

diff --git a/fs/block_dev.c b/fs/block_dev.c index 5db5d1340d69..3c47614a4b32 100644 --- a/fs/block_dev.c +++ b/fs/block_dev.c
@@ -331,7 +331,7 @@ __blkdev_direct_IO(struct kiocb iocb, struct iov_iter iter, int nr_pages)
331	struct blk_plug plug;	331	struct blk_plug plug;
332	struct blkdev_dio *dio;	332	struct blkdev_dio *dio;
333	struct bio *bio;	333	struct bio *bio;
334	bool is_read = (iov_iter_rw(iter) == READ);	334	bool is_read = (iov_iter_rw(iter) == READ), is_sync;
335	loff_t pos = iocb->ki_pos;	335	loff_t pos = iocb->ki_pos;
336	blk_qc_t qc = BLK_QC_T_NONE;	336	blk_qc_t qc = BLK_QC_T_NONE;
337	int ret;	337	int ret;
@@ -344,7 +344,7 @@ __blkdev_direct_IO(struct kiocb iocb, struct iov_iter iter, int nr_pages)
344	bio_get(bio); /* extra ref for the completion handler */	344	bio_get(bio); /* extra ref for the completion handler */
345		345
346	dio = container_of(bio, struct blkdev_dio, bio);	346	dio = container_of(bio, struct blkdev_dio, bio);
347	dio->is_sync = is_sync_kiocb(iocb);	347	dio->is_sync = is_sync = is_sync_kiocb(iocb);
348	if (dio->is_sync)	348	if (dio->is_sync)
349	dio->waiter = current;	349	dio->waiter = current;
350	else	350	else
@@ -398,7 +398,7 @@ __blkdev_direct_IO(struct kiocb iocb, struct iov_iter iter, int nr_pages)
398	}	398	}
399	blk_finish_plug(&plug);	399	blk_finish_plug(&plug);
400		400
401	if (!dio->is_sync)	401	if (!is_sync)
402	return -EIOCBQUEUED;	402	return -EIOCBQUEUED;
403		403
404	for (;;) {	404	for (;;) {