commit | fc750ea71a597c6426ff563a9caf47db9cf090a4 | |
---|---|---|
author | y00230200 <yanghongliang.yang@huawei.com> | Thu Jan 18 16:05:18 2018 +0800 |
committer | Hongliang Yang <yanghongliang.yang@huawei.com> | Sat Jan 27 09:08:48 2018 +0000 |
tree | d931a9e442e0789be20a91589dd53b8f03efbb1b | |
parent | 6079cf8bb5dd3468ff6565683e69fdc151d16d23 | |
blk-mq: fix race between timeout and freeing request

CVE-2015-9016

Inside timeout handler, blk_mq_tag_to_rq() is called to retrieve the request from one tag. This way is obviously wrong because the request can be freed any time and some fields of the request can't be trusted, then kernel oops might be triggered[1].