diff options
author | Ming Lei <tom.leiming@gmail.com> | 2014-05-01 11:12:36 +0400 |
---|---|---|
committer | Jens Axboe <axboe@fb.com> | 2014-05-01 19:17:41 +0400 |
commit | fc27691f3537a0df087214322467b642d1f6dedb (patch) | |
tree | 9b2060931a6776ec3e2bffce0adcba04643d0ec3 /drivers/block/null_blk.c | |
parent | ec4a340789be16831ae96be5f7552238a7a6e903 (diff) | |
download | linux-fc27691f3537a0df087214322467b642d1f6dedb.tar.xz |
block: null_blk: fix use after free
entry(cmd->ll_list) may belong to new request once end_cmd()
returns, so fix the bug with the patch.
Without the change, it is easy to observe oops when
doing null_blk(timer) test.
Signed-off-by: Ming Lei <tom.leiming@gmail.com>
Signed-off-by: Jens Axboe <axboe@fb.com>
Diffstat (limited to 'drivers/block/null_blk.c')
-rw-r--r-- | drivers/block/null_blk.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/drivers/block/null_blk.c b/drivers/block/null_blk.c index 8e7e3a0b0d24..e932398588aa 100644 --- a/drivers/block/null_blk.c +++ b/drivers/block/null_blk.c @@ -203,8 +203,8 @@ static enum hrtimer_restart null_cmd_timer_expired(struct hrtimer *timer) entry = llist_reverse_order(entry); do { cmd = container_of(entry, struct nullb_cmd, ll_list); - end_cmd(cmd); entry = entry->next; + end_cmd(cmd); } while (entry); } |