mmc: fix use-after-free of struct request We call mmc_req_is_special() after having processed a request, but it could be freed after that. Check that ahead of time, and use the cached value. Reported-by: Hans de Goede <hdegoede@redhat.com> Tested-by: Hans de Goede <hdegoede@redhat.com> Fixes: c2df40dfb8c0 ("drivers: use req op accessor") Signed-off-by: Jens Axboe <axboe@fb.com>

commit: 869c554808ccf7ddd25be5317073b88ceddb8507 [log] [tgz]
author: Adrian Hunter <adrian.hunter@intel.com> Thu Aug 25 14:11:43 2016 -0600
committer: Jens Axboe <axboe@fb.com> Thu Aug 25 14:11:43 2016 -0600
tree: ed7f5a2112a7d00dbfa02415585bc7d1991fe824
parent: f2791e7eadf437633f30faa51b30878cf15650be [diff] [blame]
diff --git a/drivers/mmc/card/block.c b/drivers/mmc/card/block.c
index 82503e6..2206d44 100644
--- a/drivers/mmc/card/block.c
+++ b/drivers/mmc/card/block.c

@@ -2151,6 +2151,7 @@
 	struct mmc_card *card = md->queue.card;
 	struct mmc_host *host = card->host;
 	unsigned long flags;
+	bool req_is_special = mmc_req_is_special(req);
 
 	if (req && !mq->mqrq_prev->req)
 		/* claim host only for the first request */
@@ -2191,8 +2192,7 @@
 	}
 
 out:
-	if ((!req && !(mq->flags & MMC_QUEUE_NEW_REQUEST)) ||
-	    mmc_req_is_special(req))
+	if ((!req && !(mq->flags & MMC_QUEUE_NEW_REQUEST)) || req_is_special)
 		/*
 		 * Release host when there are no more requests
 		 * and after special request(discard, flush) is done.
commit	869c554808ccf7ddd25be5317073b88ceddb8507	[log] [tgz]
author	Adrian Hunter <adrian.hunter@intel.com>	Thu Aug 25 14:11:43 2016 -0600
committer	Jens Axboe <axboe@fb.com>	Thu Aug 25 14:11:43 2016 -0600
tree	ed7f5a2112a7d00dbfa02415585bc7d1991fe824
parent	f2791e7eadf437633f30faa51b30878cf15650be [diff] [blame]