diff options
| author | Ming Lei <tom.leiming@gmail.com> | 2014-05-01 03:12:36 -0400 |
|---|---|---|
| committer | Jens Axboe <axboe@fb.com> | 2014-05-01 11:17:41 -0400 |
| commit | fc27691f3537a0df087214322467b642d1f6dedb (patch) | |
| tree | 9b2060931a6776ec3e2bffce0adcba04643d0ec3 /drivers/block/null_blk.c | |
| parent | ec4a340789be16831ae96be5f7552238a7a6e903 (diff) | |
block: null_blk: fix use after free
entry(cmd->ll_list) may belong to new request once end_cmd()
returns, so fix the bug with the patch.
Without the change, it is easy to observe oops when
doing null_blk(timer) test.
Signed-off-by: Ming Lei <tom.leiming@gmail.com>
Signed-off-by: Jens Axboe <axboe@fb.com>
Diffstat (limited to 'drivers/block/null_blk.c')
| -rw-r--r-- | drivers/block/null_blk.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/drivers/block/null_blk.c b/drivers/block/null_blk.c index 8e7e3a0b0d24..e932398588aa 100644 --- a/drivers/block/null_blk.c +++ b/drivers/block/null_blk.c | |||
| @@ -203,8 +203,8 @@ static enum hrtimer_restart null_cmd_timer_expired(struct hrtimer *timer) | |||
| 203 | entry = llist_reverse_order(entry); | 203 | entry = llist_reverse_order(entry); |
| 204 | do { | 204 | do { |
| 205 | cmd = container_of(entry, struct nullb_cmd, ll_list); | 205 | cmd = container_of(entry, struct nullb_cmd, ll_list); |
| 206 | end_cmd(cmd); | ||
| 207 | entry = entry->next; | 206 | entry = entry->next; |
| 207 | end_cmd(cmd); | ||
| 208 | } while (entry); | 208 | } while (entry); |
| 209 | } | 209 | } |
| 210 | 210 | ||