diff options
| author | Jens Axboe | 2010-10-23 13:40:26 -0500 |
|---|---|---|
| committer | Jens Axboe | 2010-10-23 13:40:26 -0500 |
| commit | 7ad58c028652753814054f4e3ac58f925e7343f4 (patch) | |
| tree | 2e3bc1c5e3c98078b970483cd49a49d7c1ae0dcf /block/blk-sysfs.c | |
| parent | 7f3883962870dd28b5f2322ac44a9d03640ef448 (diff) | |
| download | kernel-common-7ad58c028652753814054f4e3ac58f925e7343f4.tar.gz kernel-common-7ad58c028652753814054f4e3ac58f925e7343f4.tar.xz kernel-common-7ad58c028652753814054f4e3ac58f925e7343f4.zip | |
block: fix use-after-free bug in blk throttle code
blk_throtl_exit() frees the throttle data hanging off the queue
in blk_cleanup_queue(), but blk_put_queue() will indirectly
dereference this data when calling blk_sync_queue() which in
turns calls throtl_shutdown_timer_wq().
Fix this by moving the freeing of the throttle data to when
the queue is truly being released, and post the call to
blk_sync_queue().
Reported-by: Ingo Molnar <mingo@elte.hu>
Tested-by: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Jens Axboe <jaxboe@fusionio.com>
Diffstat (limited to 'block/blk-sysfs.c')
| -rw-r--r-- | block/blk-sysfs.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/block/blk-sysfs.c b/block/blk-sysfs.c index da8a8a40cd4..013457f47fd 100644 --- a/block/blk-sysfs.c +++ b/block/blk-sysfs.c | |||
| @@ -471,6 +471,8 @@ static void blk_release_queue(struct kobject *kobj) | |||
| 471 | 471 | ||
| 472 | blk_sync_queue(q); | 472 | blk_sync_queue(q); |
| 473 | 473 | ||
| 474 | blk_throtl_exit(q); | ||
| 475 | |||
| 474 | if (rl->rq_pool) | 476 | if (rl->rq_pool) |
| 475 | mempool_destroy(rl->rq_pool); | 477 | mempool_destroy(rl->rq_pool); |
| 476 | 478 | ||