From: Jens Axboe <axboe@fb.com>
Date: Thu, 17 Nov 2016 19:30:37 +0000 (-0700)
Subject: nbd: fix use-after-free of rq/bio in the xmit path
X-Git-Tag: v3.2.87~85
X-Git-Url: http://git.openpandora.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=75c38bcf64e6960ab1a5a07d6b5c6946d8a751ca;p=pandora-kernel.git

nbd: fix use-after-free of rq/bio in the xmit path

commit 429a787be6793554ee02aacc7e1f11ebcecc4453 upstream.

For writes, we can get a completion in while we're still iterating
the request and bio chain. If that happens, we're reading freed
memory and we can crash.

Break out after the last segment and avoid having the iterator
read freed memory.

Reviewed-by: Josef Bacik <jbacik@fb.com>
Signed-off-by: Jens Axboe <axboe@fb.com>
[bwh: Backported to 3.2:
 - bio_for_each_segment() uses iterator of type int
 - Open-code bio_iter_last()
 - Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---

Reading git-diff-tree failed