From 3795bb0fc52fe2af2749f3ad2185cb9c90871ef8 Mon Sep 17 00:00:00 2001
From: NeilBrown
Date: Mon, 12 Dec 2005 02:39:16 -0800
Subject: [PATCH] [PATCH] md: fix a use-after-free bug in raid1

Who would submit code with a FIXME like that in it !!!!

Signed-off-by: Neil Brown
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
---
 drivers/md/raid1.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/drivers/md/raid1.c b/drivers/md/raid1.c
index 3066c587b5..229d7b2042 100644
--- a/drivers/md/raid1.c
+++ b/drivers/md/raid1.c
@@ -320,7 +320,6 @@ static int raid1_end_write_request(struct bio *bio, unsigned int bytes_done, int
 * this branch is our 'one mirror IO has finished' event handler:
 */
 r1_bio->bios[mirror] = NULL;
- bio_put(bio);
 if (!uptodate) {
 md_error(r1_bio->mddev, conf->mirrors[mirror].rdev);
 /* an I/O failed, we can't clear the bitmap */
@@ -377,7 +376,6 @@ static int raid1_end_write_request(struct bio *bio, unsigned int bytes_done, int
 }
 if (test_bit(R1BIO_BehindIO, &r1_bio->state)) {
 /* free extra copy of the data pages */
-/* FIXME bio has been freed!!! */
 int i = bio->bi_vcnt;
 while (i--)
 __free_page(bio->bi_io_vec[i].bv_page);
@@ -391,6 +389,9 @@ static int raid1_end_write_request(struct bio *bio, unsigned int bytes_done, int
 raid_end_bio_io(r1_bio);
 }
+ if (r1_bio->bios[mirror]==NULL)
+ bio_put(bio);
+ rdev_dec_pending(conf->mirrors[mirror].rdev, conf->mddev);
 return 0;
 }
--
2.39.5
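Review bot: The added `if (r1_bio->bios[mirror]==NULL)` dereferences r1_bio after the `raid_end_bio_io(r1_bio);` call that sits just above it in this hunk's context. raid_end_bio_io's body is not shown here, but if it releases r1_bio once the last mirror write has completed, this check trades the use-after-free on bio for one on r1_bio. Remembering the decision in a local avoids the late read: declare `struct bio *to_put = NULL;`, set `to_put = bio;` where the first hunk keeps `r1_bio->bios[mirror] = NULL;`, and end with `if (to_put) bio_put(to_put);`. The function starts before this hunk, so the declaration would go in lines that are not visible here.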