Re: [PATCH] drivers:md:fix a potential use-after-free bug

From: Guoqing Jiang
Date: Tue Aug 17 2021 - 03:48:01 EST
On 8/14/21 12:16 AM, Song Liu wrote:
> On Thu, Aug 12, 2021 at 8:46 PM lwt105 <3061522931@xxxxxx> wrote:
>> In line 2867, "raid5_release_stripe(sh);" drops the reference to sh and
>> may cause sh to be released. However, sh is subsequently used in line
>> 2869 "if (sh->batch_head && sh != sh->batch_head)". This may result in a
>> use-after-free bug.
>>
>> It can be fixed by moving "raid5_release_stripe(sh);" to the bottom of
>> the function.
>>
>> Signed-off-by: lwt105 <3061522931@xxxxxx>
> The fix looks reasonable.

I am not sure this is needed unless there is a real calltrace to prove it. Because raid5_release_stripe
doesn't mean it will release the sh's memory, pls see the comment before clear_batch_ready in
handle_stripe, and the path handle_stripe -> handle_stripe_clean_event -> break_stripe_batch_list.

Thanks,
Guoqing
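As an added illustration (not code from the patch, from the thread's participants, or from the md/raid5 driver), the following constructed C model shows the ordering question the thread turns on. The names (struct stripe, stripe_put, handle_release_first, handle_release_last, run_scenario) are hypothetical, and the model's "destroy" step only marks the object instead of freeing it so that a late access is observable rather than undefined behaviour. Whether dropping the reference before the batch_head read is a use-after-free depends on whether that reference was the last one, which is the point the reply raises: if something else (such as a batch list) still holds the stripe, the early release does not destroy it.

```c
#include <stdio.h>
#include <stddef.h>

/* Constructed model of a refcounted stripe-like object. Hypothetical names;
 * this is not the md/raid5 code. stripe_put() only marks the object as
 * destroyed instead of freeing it, so reading it afterwards is observable
 * rather than undefined behaviour. */
struct stripe {
    int refcount;
    struct stripe *batch_head;   /* NULL, self (batch head) or the head */
    int destroyed;               /* set when the last reference is dropped */
};

/* Drop one reference; returns 1 when this was the last one. */
static int stripe_put(struct stripe *sh)
{
    if (--sh->refcount == 0) {
        sh->destroyed = 1;
        return 1;
    }
    return 0;
}

/* Read sh->batch_head the way the quoted line does, recording whether the
 * object had already been destroyed at that moment. */
static int is_batch_member(struct stripe *sh, int *read_after_destroy)
{
    if (sh->destroyed)
        *read_after_destroy = 1;
    return sh->batch_head != NULL && sh != sh->batch_head;
}

/* Ordering the patch objects to: drop the reference, then read the object. */
static int handle_release_first(struct stripe *sh, int *read_after_destroy)
{
    stripe_put(sh);
    return is_batch_member(sh, read_after_destroy);
}

/* Ordering the patch proposes: read first, drop the reference last. */
static int handle_release_last(struct stripe *sh, int *read_after_destroy)
{
    int member = is_batch_member(sh, read_after_destroy);
    stripe_put(sh);
    return member;
}

/* Run one handler against a stripe holding `refs` references that is a
 * member of a batch headed by `head`. Returns 1 if the handler read the
 * object after its last reference was dropped, 0 otherwise. */
static int run_scenario(int refs, int release_first)
{
    struct stripe head = { 1, NULL, 0 };
    struct stripe sh = { refs, NULL, 0 };
    int read_after_destroy = 0;

    head.batch_head = &head;   /* a batch head points at itself */
    sh.batch_head = &head;     /* sh is a member of that batch */

    if (release_first)
        handle_release_first(&sh, &read_after_destroy);
    else
        handle_release_last(&sh, &read_after_destroy);
    return read_after_destroy;
}

int main(void)
{
    /* Only when the dropped reference is the last one does the early
     * release turn the later read into an access after destruction. */
    printf("last ref,  release first: %d\n", run_scenario(1, 1)); /* 1 */
    printf("last ref,  release last : %d\n", run_scenario(1, 0)); /* 0 */
    printf("extra ref, release first: %d\n", run_scenario(2, 1)); /* 0 */
    printf("extra ref, release last : %d\n", run_scenario(2, 0)); /* 0 */
    return 0;
}
```

The two scenarios map onto the two positions in the thread: run_scenario(1, 1) is the situation the patch describes, while run_scenario(2, 1) is the situation the reply describes, where another holder keeps the object alive and the reordering changes nothing. Moving the release to the end is harmless in both cases, which is why such a change is usually accepted only with evidence (a calltrace) that the last-reference case can actually occur.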