projects / linux-2.6-block.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw (from parent 1: b561ea5)
Merge tag 'md-6.9-20240408' of https://git.kernel.org/pub/scm/linux/kernel/git/song...
authorJens Axboe <axboe@kernel.dk>
Tue, 9 Apr 2024 03:49:27 +0000 (21:49 -0600)
committerJens Axboe <axboe@kernel.dk>
Tue, 9 Apr 2024 03:49:27 +0000 (21:49 -0600)
Pull MD fix from Song:

"This change, by Yu Kuai, fixes a UAF in a corner case."

* tag 'md-6.9-20240408' of https://git.kernel.org/pub/scm/linux/kernel/git/song/md:
  raid1: fix use-after-free for original bio in raid1_write_request()

drivers/md/raid1.c patch | blob | blame | history

diff --git a/drivers/md/raid1.c b/drivers/md/raid1.c
index be8ac24f50b6ad651fd107f9af9a448bb1f7780a..7b8a71ca66dde0f4f6f3c2728107cb48cfcaa706 100644 (file)
--- a/drivers/md/raid1.c
+++ b/drivers/md/raid1.c
@@ -1558,7 +1558,7 @@ static void raid1_write_request(struct mddev *mddev, struct bio *bio,
                for (j = 0; j < i; j++)
                        if (r1_bio->bios[j])
                                rdev_dec_pending(conf->mirrors[j].rdev, mddev);
-               free_r1bio(r1_bio);
+               mempool_free(r1_bio, &conf->r1bio_pool);
                allow_barrier(conf, bio->bi_iter.bi_sector);
 
                if (bio->bi_opf & REQ_NOWAIT) {
Linux 6.x block layer and io_uring tree(s)