* [PATCH] use after free bug in __blkdev_get
From: Neil Brown @ 2009-10-26 5:03 UTC
To: Tejun Heo; +Cc: Jens Axboe, linux-kernel

commit 0762b8bde9729f10f8e6249809660ff2ec3ad735
(from 14 months ago) introduced a use-after-free bug which has just
recently started manifesting in my md testing.
I tried git bisect to find out what caused the bug to start
manifesting, and it could have been the recent change to
blk_unregister_queue (48c0d4d4c04) but the results were inconclusive.

This patch certainly fixes my symptoms and looks correct as the two
calls are now in the same order as elsewhere in that function.

Signed-off-by: NeilBrown <neilb@suse.de>

diff --git a/fs/block_dev.c b/fs/block_dev.c
index 9cf4b92..8bed055 100644
--- a/fs/block_dev.c
+++ b/fs/block_dev.c
@@ -1248,8 +1248,8 @@ static int __blkdev_get(struct block_device *bdev, fmode_t mode, int for_part)
bd_set_size(bdev, (loff_t)bdev->bd_part->nr_sects << 9);
}
} else {
- put_disk(disk);
module_put(disk->fops->owner);
+ put_disk(disk);
disk = NULL;
if (bdev->bd_contains == bdev) {
if (bdev->bd_disk->fops->open) {
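
Review bot: The reordered pair in the else branch has no comment, and the changelog does not say which pointer was used after free. module_put(disk->fops->owner) dereferences disk, so it has to run before put_disk(disk), which may release the disk. Please add a one-line comment above the two calls, or a sentence in the commit message, so a later cleanup does not swap them back. Reading disk->fops->owner into a local before the put would also make the dependency explicit.
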
* Re: [PATCH] use after free bug in __blkdev_get
From: Jens Axboe @ 2009-10-26 7:26 UTC
To: Neil Brown; +Cc: Tejun Heo, linux-kernel
On Mon, Oct 26 2009, Neil Brown wrote:
>
>
> commit 0762b8bde9729f10f8e6249809660ff2ec3ad735
> (from 14 months ago) introduced a use-after-free bug which has just
> recently started manifesting in my md testing.
> I tried git bisect to find out what caused the bug to start
> manifesting, and it could have been the recent change to
> blk_unregister_queue (48c0d4d4c04) but the results were inconclusive.
>
> This patch certainly fixes my symptoms and looks correct as the two
> calls are now in the same order as elsewhere in that function.
>
> Signed-off-by: NeilBrown <neilb@suse.de>
>
> diff --git a/fs/block_dev.c b/fs/block_dev.c
> index 9cf4b92..8bed055 100644
> --- a/fs/block_dev.c
> +++ b/fs/block_dev.c
> @@ -1248,8 +1248,8 @@ static int __blkdev_get(struct block_device *bdev, fmode_t mode, int for_part)
> bd_set_size(bdev, (loff_t)bdev->bd_part->nr_sects << 9);
> }
> } else {
> - put_disk(disk);
> module_put(disk->fops->owner);
> + put_disk(disk);
> disk = NULL;
> if (bdev->bd_contains == bdev) {
> if (bdev->bd_disk->fops->open) {
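
Review bot: A stable tag is missing for the put_disk(disk) / module_put(disk->fops->owner) swap in the else branch. The changelog says the offending commit (0762b8bde9729f10f8e6249809660ff2ec3ad735) is 14 months old, so kernels released since then presumably carry the old order. Consider adding a Cc to stable, and naming the introducing commit in a form the stable maintainers can match, so the fix is backported.
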
Thanks Neil, good catch! Applied.
--
Jens Axboe
* Re: [PATCH] use after free bug in __blkdev_get
From: Tejun Heo @ 2009-10-26 12:55 UTC
To: Jens Axboe; +Cc: Neil Brown, linux-kernel
Jens Axboe wrote:
> On Mon, Oct 26 2009, Neil Brown wrote:
>>
>> commit 0762b8bde9729f10f8e6249809660ff2ec3ad735
>> (from 14 months ago) introduced a use-after-free bug which has just
>> recently started manifesting in my md testing.
>> I tried git bisect to find out what caused the bug to start
>> manifesting, and it could have been the recent change to
>> blk_unregister_queue (48c0d4d4c04) but the results were inconclusive.
>>
>> This patch certainly fixes my symptoms and looks correct as the two
>> calls are now in the same order as elsewhere in that function.
>>
>> Signed-off-by: NeilBrown <neilb@suse.de>
Oops, thanks for catching it.
Acked-by: Tejun Heo <tj@kernel.org>
--
tejun