nbd: fix use-after-free of rq/bio in the xmit path
commit
429a787be6793554ee02aacc7e1f11ebcecc4453 upstream.
For writes, we can get a completion in while we're still iterating
the request and bio chain. If that happens, we're reading freed
memory and we can crash.
Break out after the last segment and avoid having the iterator
read freed memory.
Reviewed-by: Josef Bacik <jbacik@fb.com>
Signed-off-by: Jens Axboe <axboe@fb.com>
[bwh: Backported to 3.2:
- bio_for_each_segment() uses iterator of type int
- Open-code bio_iter_last()
- Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
git.openpandora.org / pandora-kernel.git / commit