[PATCH] md: fix a use-after-free bug in raid1

Who would submit code with a FIXME like that in it !!!!

Signed-off-by: Neil Brown <neilb@suse.de>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>

diff --git a/drivers/md/raid1.c b/drivers/md/raid1.c
index 3066c58..229d7b2 100644 (file)
--- a/drivers/md/raid1.c
+++ b/drivers/md/raid1.c
@@ -320,7 +320,6 @@ static int raid1_end_write_request(struct bio *bio, unsigned int bytes_done, int
                 * this branch is our 'one mirror IO has finished' event handler:
                 */
                r1_bio->bios[mirror] = NULL;
-               bio_put(bio);
                if (!uptodate) {
                        md_error(r1_bio->mddev, conf->mirrors[mirror].rdev);
                        /* an I/O failed, we can't clear the bitmap */
@@ -377,7 +376,6 @@ static int raid1_end_write_request(struct bio *bio, unsigned int bytes_done, int
                }
                if (test_bit(R1BIO_BehindIO, &r1_bio->state)) {
                        /* free extra copy of the data pages */
-/* FIXME bio has been freed!!! */
                        int i = bio->bi_vcnt;
                        while (i--)
                                __free_page(bio->bi_io_vec[i].bv_page);
@@ -391,6 +389,9 @@ static int raid1_end_write_request(struct bio *bio, unsigned int bytes_done, int
                raid_end_bio_io(r1_bio);
        }
 
+       if (r1_bio->bios[mirror]==NULL)
+               bio_put(bio);
+
        rdev_dec_pending(conf->mirrors[mirror].rdev, conf->mddev);
        return 0;
 }