mmc: fix use-after-free of struct request We call mmc_req_is_special() after having processed a request, but it could be freed after that. Check that ahead of time, and use the cached value. Reported-by: Hans de Goede <hdegoede@redhat.com> Tested-by: Hans de Goede <hdegoede@redhat.com> Fixes: c2df40dfb8c0 ("drivers: use req op accessor") Signed-off-by: Jens Axboe <axboe@fb.com>

commit: 869c554808ccf7ddd25be5317073b88ceddb8507 [log] [tgz]
author: Adrian Hunter <adrian.hunter@intel.com> Thu Aug 25 14:11:43 2016 -0600
committer: Jens Axboe <axboe@fb.com> Thu Aug 25 14:11:43 2016 -0600
tree: ed7f5a2112a7d00dbfa02415585bc7d1991fe824
parent: f2791e7eadf437633f30faa51b30878cf15650be [diff] [blame]
diff --git a/drivers/mmc/card/queue.c b/drivers/mmc/card/queue.c
index 29578e9..7080572 100644
--- a/drivers/mmc/card/queue.c
+++ b/drivers/mmc/card/queue.c

@@ -65,6 +65,8 @@
 		spin_unlock_irq(q->queue_lock);
 
 		if (req || mq->mqrq_prev->req) {
+			bool req_is_special = mmc_req_is_special(req);
+
 			set_current_state(TASK_RUNNING);
 			mq->issue_fn(mq, req);
 			cond_resched();
@@ -80,7 +82,7 @@
 			 * has been finished. Do not assign it to previous
 			 * request.
 			 */
-			if (mmc_req_is_special(req))
+			if (req_is_special)
 				mq->mqrq_cur->req = NULL;
 
 			mq->mqrq_prev->brq.mrq.data = NULL;
commit	869c554808ccf7ddd25be5317073b88ceddb8507	[log] [tgz]
author	Adrian Hunter <adrian.hunter@intel.com>	Thu Aug 25 14:11:43 2016 -0600
committer	Jens Axboe <axboe@fb.com>	Thu Aug 25 14:11:43 2016 -0600
tree	ed7f5a2112a7d00dbfa02415585bc7d1991fe824
parent	f2791e7eadf437633f30faa51b30878cf15650be [diff] [blame]