From patchwork Wed Sep 20 21:24:34 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Omar Sandoval <osandov@osandov.com>
X-Patchwork-Id: 9962623
Return-Path: <linux-block-owner@kernel.org>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
	[172.30.200.125])
	by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id
	8119060234 for <patchwork-linux-block@patchwork.kernel.org>;
	Wed, 20 Sep 2017 21:24:50 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 73CA929261
	for <patchwork-linux-block@patchwork.kernel.org>;
	Wed, 20 Sep 2017 21:24:50 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id 6872F29266; Wed, 20 Sep 2017 21:24:50 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-6.9 required=2.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID,RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id E317929261
	for <patchwork-linux-block@patchwork.kernel.org>;
	Wed, 20 Sep 2017 21:24:49 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1751839AbdITVYq (ORCPT
	<rfc822;patchwork-linux-block@patchwork.kernel.org>);
	Wed, 20 Sep 2017 17:24:46 -0400
Received: from mail-pg0-f51.google.com ([74.125.83.51]:57085 "EHLO
	mail-pg0-f51.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1751378AbdITVYp (ORCPT
	<rfc822;linux-block@vger.kernel.org>);
	Wed, 20 Sep 2017 17:24:45 -0400
Received: by mail-pg0-f51.google.com with SMTP id 7so2375724pgd.13
	for <linux-block@vger.kernel.org>;
	Wed, 20 Sep 2017 14:24:45 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=osandov-com.20150623.gappssmtp.com; s=20150623;
	h=from:to:cc:subject:date:message-id;
	bh=bAfIONnVKPbh4aATmLZwdDavDVfdnMqeCnd/jWVlH3g=;
	b=bFpph+Vmopm8abbOgwpBQRqCFuHKOfc+327uqKEFyVHuIRrUXsHb2bUj3v7+cFntxr
	CTm1Ei/vH2O/WQuoyZ0hDW+Fm9I+TooClSFiRc/2OGcGXd794K8jBMsSk461nBsMzU8M
	jqD9RlEHrN2mftDGfVGQPo80nxcpp7K0Zg9haSAd2YtwzoJPCpwuNI8ARCWddKudS2Jb
	fDlGTm2YXWI6Gc6/IoQOtMbfgJPCRcewPEV192XJKwC3/Y6ypa7nVYe7bJjjQXUVTmEY
	DQ5e658rhQ86imdoNWrHArvRvp0KB82Q8AavaqRmEm6rntpHv+9UN52H2t7LxO7Gz+wO
	FgKg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20161025;
	h=x-gm-message-state:from:to:cc:subject:date:message-id;
	bh=bAfIONnVKPbh4aATmLZwdDavDVfdnMqeCnd/jWVlH3g=;
	b=jM/w1Sp44i2CBHYXL1ITEF+C8kg6d+zRycljgOv3F1kXe8oI53LnZTSmcMAL33anVC
	BmCDw4HH5Vr6Z+0ybEX0l5jL2vGXgHFxIGTpv5TgHwhDj+70butc9tCx40YLT0KpkEcd
	l9dchlTHXV+ziqatN+zl2PV/IUbtqK0KqYUUciOLEMGwsXwLuGvjHOnJMhSppErmicz6
	nLFPJ+0oSribttSqDV3nN5BLDKvUHEI9jLmhm8CFsmdQiewi0YJej9RbsmLQbx0MmvHX
	QpVPHP5fJp7Ii+LLwn53uc4Y/RRMhDvrGj8vilE9PV57a/OVEASpBRkv3zj2UDg10d7v
	SQjA==
X-Gm-Message-State: AHPjjUhSgfJKnjSTwNnZ5aBfkxWVAxRVae6/5YE4drU/vMF7isc7xvjH
	C1lmDukByo97N1UyUrC9DgQ6wtNT948=
X-Google-Smtp-Source: 
 AOwi7QCREspWTOV6PMsQO4FgUepE+7DI3RzHzIQC3ik9CWle6OaYyOHstOQcZ5nRAibCX0P2PlcMrA==
X-Received: by 10.98.223.137 with SMTP id d9mr3512710pfl.171.1505942684827;
	Wed, 20 Sep 2017 14:24:44 -0700 (PDT)
Received: from vader.thefacebook.com ([2620:10d:c090:180::1:1f5c])
	by smtp.gmail.com with ESMTPSA id
	4sm10237674pfs.1.2017.09.20.14.24.43
	(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
	Wed, 20 Sep 2017 14:24:44 -0700 (PDT)
From: Omar Sandoval <osandov@osandov.com>
To: linux-block@vger.kernel.org
Cc: kernel-team@fb.com, Shaohua Li <shli@fb.com>
Subject: [PATCH] loop: remove union of use_aio and ref in struct loop_cmd
Date: Wed, 20 Sep 2017 14:24:34 -0700
Message-Id: 
 <f1805518db399aa091aaada51de4d9153963d77f.1505942666.git.osandov@fb.com>
X-Mailer: git-send-email 2.14.1
Sender: linux-block-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-block.vger.kernel.org>
X-Mailing-List: linux-block@vger.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

From: Omar Sandoval <osandov@fb.com>

When the request is completed, lo_complete_rq() checks cmd->use_aio.
However, if this is in fact an aio request, cmd->use_aio will have
already been reused as cmd->ref by lo_rw_aio*. Fix it by not using a
union. On x86_64, there's a hole after the union anyways, so this
doesn't make struct loop_cmd any bigger.

Fixes: 92d773324b7e ("block/loop: fix use after free")
Signed-off-by: Omar Sandoval <osandov@fb.com>
---
 drivers/block/loop.h | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/drivers/block/loop.h b/drivers/block/loop.h
index f68c1d50802f..1f3956702993 100644
--- a/drivers/block/loop.h
+++ b/drivers/block/loop.h
@@ -67,10 +67,8 @@ struct loop_device {
 struct loop_cmd {
 	struct kthread_work work;
 	struct request *rq;
-	union {
-		bool use_aio; /* use AIO interface to handle I/O */
-		atomic_t ref; /* only for aio */
-	};
+	bool use_aio; /* use AIO interface to handle I/O */
+	atomic_t ref; /* only for aio */
 	long ret;
 	struct kiocb iocb;
 	struct bio_vec *bvec;