From: Yan, Zheng <zyan@redhat.com>
Date: Tue, 14 Jun 2016 03:13:59 +0000 (+0800)
Subject: ceph: fix use-after-free bug in ceph_direct_read_write()
X-Git-Tag: v4.14-rc1~2730^2~23
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=fc8c3892f30c39f28fdb835f7c8598ac4cf5ed1e;p=platform%2Fkernel%2Flinux-rpi.git

ceph: fix use-after-free bug in ceph_direct_read_write()

ceph_aio_complete() can free the ceph_aio_request struct before
the code exits the while loop.

Signed-off-by: Yan, Zheng <zyan@redhat.com>
---

diff --git a/fs/ceph/file.c b/fs/ceph/file.c
index ac75fa9..033e887 100644
--- a/fs/ceph/file.c
+++ b/fs/ceph/file.c
@@ -985,6 +985,8 @@ ceph_direct_read_write(struct kiocb *iocb, struct iov_iter *iter,
 	}
 
 	if (aio_req) {
+		LIST_HEAD(osd_reqs);
+
 		if (aio_req->num_reqs == 0) {
 			kfree(aio_req);
 			return ret;
@@ -993,8 +995,9 @@ ceph_direct_read_write(struct kiocb *iocb, struct iov_iter *iter,
 		ceph_get_cap_refs(ci, write ? CEPH_CAP_FILE_WR :
 					      CEPH_CAP_FILE_RD);
 
-		while (!list_empty(&aio_req->osd_reqs)) {
-			req = list_first_entry(&aio_req->osd_reqs,
+		list_splice(&aio_req->osd_reqs, &osd_reqs);
+		while (!list_empty(&osd_reqs)) {
+			req = list_first_entry(&osd_reqs,
 					       struct ceph_osd_request,
 					       r_unsafe_item);
 			list_del_init(&req->r_unsafe_item);