Re: [PATCH] drivers:md:fix a potential use-after-free bug

On 8/14/21 12:16 AM, Song Liu wrote:
> On Thu, Aug 12, 2021 at 8:46 PM lwt105 <3061522931@xxxxxx> wrote:
>> In line 2867, "raid5_release_stripe(sh);" drops the reference to sh and
>> may cause sh to be released. However, sh is subsequently used in line
>> 2869 "if (sh->batch_head && sh != sh->batch_head)". This may result in a
>> use-after-free bug.
>>
>> It can be fixed by moving "raid5_release_stripe(sh);" to the bottom of
>> the function.
>>
>> Signed-off-by: lwt105 <3061522931@xxxxxx>
> The fix looks reasonable.

I am not sure this is needed unless there is a real call trace to prove it, because raid5_release_stripe doesn't mean it will release the sh's memory; please see the comment before clear_batch_ready in handle_stripe, and the path handle_stripe -> handle_stripe_clean_event -> break_stripe_batch_list.

Thanks,
Guoqing
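
As an added illustration, not code from this thread or from drivers/md/raid5.c: a toy user-space model of the ordering under discussion. The struct, release_stripe() and the scenario() helper are invented here; the release marks the object retired instead of freeing it so that a use after the last reference drop can be detected deterministically, and a second reference holder models Guoqing's point that dropping a reference does not by itself retire the stripe.

```c
/* Toy model of a refcounted "stripe" whose last reference drop retires it.
 * Names mirror the thread (stripe_head, batch_head) but this is NOT the
 * kernel's raid5 code; every type and function here is constructed. */
#include <stdbool.h>
#include <string.h>

struct stripe_head {
    int count;                      /* outstanding references */
    bool retired;                   /* set when the last reference is dropped */
    struct stripe_head *batch_head; /* batch leader, NULL when not batched */
};

/* Drop one reference. Like the real helper, this retires nothing unless the
 * count reaches zero; we mark the object instead of freeing it so the demo
 * can observe a use after the last drop without real undefined behaviour. */
static void release_stripe(struct stripe_head *sh)
{
    if (--sh->count == 0)
        sh->retired = true;
}

/* The access from line 2869 of the report. Returns true if it ran against a
 * retired stripe, i.e. what would be a use-after-free in the kernel. */
static bool check_batch_head(struct stripe_head *sh)
{
    if (sh->retired)
        return true;
    return sh->batch_head && sh != sh->batch_head ? false : false;
}

/* Run one scenario with `refs` outstanding references on a fresh stripe.
 * release_first == true  : ordering as reported (release, then use sh).
 * release_first == false : proposed fix (use sh, release at the bottom).
 * Returns true when the access touched a retired stripe. */
bool scenario(int refs, bool release_first)
{
    struct stripe_head sh;
    bool bad;

    memset(&sh, 0, sizeof(sh));
    sh.count = refs;

    if (release_first) {
        release_stripe(&sh);
        bad = check_batch_head(&sh);
    } else {
        bad = check_batch_head(&sh);
        release_stripe(&sh);
    }
    return bad;
}
```

With a single outstanding reference the reported ordering touches a retired stripe and the reordered version does not; with a second holder (as when the stripe is still referenced elsewhere) the original ordering is harmless, which is the case Guoqing's reply points at.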
