md: raid10: fix use-after-free of bio
authorMaik Hampel <m.hampel@gmx.de>
Tue, 31 Jul 2007 07:37:57 +0000 (00:37 -0700)
committerLinus Torvalds <torvalds@woody.linux-foundation.org>
Tue, 31 Jul 2007 22:39:38 +0000 (15:39 -0700)
In case of read errors raid10d tries to print a nice error message,
unfortunately using data from an already put bio.

Signed-off-by: Maik Hampel <m.hampel@gmx.de>
Acked-By: NeilBrown <neilb@suse.de>
Cc: <stable@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
drivers/md/raid10.c

index f730a144baf12339fceba31c04e0f54819a7000d..0c97bf4f686e85158df81c1cfbe54945789226a0 100644 (file)
@@ -1557,7 +1557,6 @@ static void raid10d(mddev_t *mddev)
                        bio = r10_bio->devs[r10_bio->read_slot].bio;
                        r10_bio->devs[r10_bio->read_slot].bio =
                                mddev->ro ? IO_BLOCKED : NULL;
-                       bio_put(bio);
                        mirror = read_balance(conf, r10_bio);
                        if (mirror == -1) {
                                printk(KERN_ALERT "raid10: %s: unrecoverable I/O"
@@ -1565,8 +1564,10 @@ static void raid10d(mddev_t *mddev)
                                       bdevname(bio->bi_bdev,b),
                                       (unsigned long long)r10_bio->sector);
                                raid_end_bio_io(r10_bio);
+                               bio_put(bio);
                        } else {
                                const int do_sync = bio_sync(r10_bio->master_bio);
+                               bio_put(bio);
                                rdev = conf->mirrors[mirror].rdev;
                                if (printk_ratelimit())
                                        printk(KERN_ERR "raid10: %s: redirecting sector %llu to"
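Review bot: The two added `bio_put(bio)` calls depend on an ordering that nothing in the code records: in the `mirror == -1` branch the reference has to outlive `bdevname(bio->bi_bdev,b)` in the printk, which is the use-after-free this commit fixes. A short comment on that put, e.g. `/* bio->bi_bdev is read by the printk above; drop the reference only afterwards */`, would keep a later cleanup from hoisting the call back above `read_balance()`. In the else branch the put comes before the ratelimited printk whose argument list lies past the end of the hunk, so it is worth confirming that those arguments do not touch `bio`. raid10d's body starts and ends outside the hunk.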