diff options
author | Jens Axboe <jaxboe@fusionio.com> | 2010-10-23 14:40:26 -0400 |
---|---|---|
committer | Jens Axboe <jaxboe@fusionio.com> | 2010-10-23 14:40:26 -0400 |
commit | 7ad58c028652753814054f4e3ac58f925e7343f4 (patch) | |
tree | 2e3bc1c5e3c98078b970483cd49a49d7c1ae0dcf | |
parent | 7f3883962870dd28b5f2322ac44a9d03640ef448 (diff) |
block: fix use-after-free bug in blk throttle code
blk_throtl_exit() frees the throttle data hanging off the queue
in blk_cleanup_queue(), but blk_put_queue() will indirectly
dereference this data when calling blk_sync_queue() which in
turns calls throtl_shutdown_timer_wq().
Fix this by moving the freeing of the throttle data to when
the queue is truly being released, and post the call to
blk_sync_queue().
Reported-by: Ingo Molnar <mingo@elte.hu>
Tested-by: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Jens Axboe <jaxboe@fusionio.com>
-rw-r--r-- | block/blk-core.c | 2 | ||||
-rw-r--r-- | block/blk-sysfs.c | 2 |
2 files changed, 2 insertions, 2 deletions
diff --git a/block/blk-core.c b/block/blk-core.c index 45141469e89e..51efd835d4cf 100644 --- a/block/blk-core.c +++ b/block/blk-core.c | |||
@@ -462,8 +462,6 @@ void blk_cleanup_queue(struct request_queue *q) | |||
462 | if (q->elevator) | 462 | if (q->elevator) |
463 | elevator_exit(q->elevator); | 463 | elevator_exit(q->elevator); |
464 | 464 | ||
465 | blk_throtl_exit(q); | ||
466 | |||
467 | blk_put_queue(q); | 465 | blk_put_queue(q); |
468 | } | 466 | } |
469 | EXPORT_SYMBOL(blk_cleanup_queue); | 467 | EXPORT_SYMBOL(blk_cleanup_queue); |
diff --git a/block/blk-sysfs.c b/block/blk-sysfs.c index da8a8a40cd4c..013457f47fdc 100644 --- a/block/blk-sysfs.c +++ b/block/blk-sysfs.c | |||
@@ -471,6 +471,8 @@ static void blk_release_queue(struct kobject *kobj) | |||
471 | 471 | ||
472 | blk_sync_queue(q); | 472 | blk_sync_queue(q); |
473 | 473 | ||
474 | blk_throtl_exit(q); | ||
475 | |||
474 | if (rl->rq_pool) | 476 | if (rl->rq_pool) |
475 | mempool_destroy(rl->rq_pool); | 477 | mempool_destroy(rl->rq_pool); |
476 | 478 | ||