diff options
| author | Adrian Hunter <adrian.hunter@intel.com> | 2016-08-25 23:11:43 +0300 |
|---|---|---|
| committer | Jens Axboe <axboe@fb.com> | 2016-08-25 23:11:43 +0300 |
| commit | 869c554808ccf7ddd25be5317073b88ceddb8507 (patch) | |
| tree | ed7f5a2112a7d00dbfa02415585bc7d1991fe824 /drivers/mmc/card/block.c | |
| parent | f2791e7eadf437633f30faa51b30878cf15650be (diff) | |
| download | linux-869c554808ccf7ddd25be5317073b88ceddb8507.tar.xz | |
mmc: fix use-after-free of struct request
We call mmc_req_is_special() after having processed a request, but
it could be freed after that. Check that ahead of time, and use
the cached value.
Reported-by: Hans de Goede <hdegoede@redhat.com>
Tested-by: Hans de Goede <hdegoede@redhat.com>
Fixes: c2df40dfb8c0 ("drivers: use req op accessor")
Signed-off-by: Jens Axboe <axboe@fb.com>
Diffstat (limited to 'drivers/mmc/card/block.c')
| -rw-r--r-- | drivers/mmc/card/block.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/drivers/mmc/card/block.c b/drivers/mmc/card/block.c index 82503e6f04b3..2206d4477dbb 100644 --- a/drivers/mmc/card/block.c +++ b/drivers/mmc/card/block.c @@ -2151,6 +2151,7 @@ static int mmc_blk_issue_rq(struct mmc_queue *mq, struct request *req) struct mmc_card *card = md->queue.card; struct mmc_host *host = card->host; unsigned long flags; + bool req_is_special = mmc_req_is_special(req); if (req && !mq->mqrq_prev->req) /* claim host only for the first request */ @@ -2191,8 +2192,7 @@ static int mmc_blk_issue_rq(struct mmc_queue *mq, struct request *req) } out: - if ((!req && !(mq->flags & MMC_QUEUE_NEW_REQUEST)) || - mmc_req_is_special(req)) + if ((!req && !(mq->flags & MMC_QUEUE_NEW_REQUEST)) || req_is_special) /* * Release host when there are no more requests * and after special request(discard, flush) is done. |