oracleasm: Fix use after free for request processing timer

Orabug: 28506080

Update r->r_elapsed under the spinlock to avoid racing with the
completion code freeing the asm_request.

Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Brian Maly <brian.maly@oracle.com>

diff --git a/drivers/block/oracleasm/driver.c b/drivers/block/oracleasm/driver.c
index 0850e9f6b3900d382ae42ac9fe24c80558427370..a0e5ebead37ee2c66e67af2e2568c88d21e227c7 100644 (file)
--- a/drivers/block/oracleasm/driver.c
+++ b/drivers/block/oracleasm/driver.c
@@ -1011,6 +1011,7 @@ static void asm_finish_io(struct asm_request *r)
        if (r->r_error)
                r->r_status |= ASM_ERROR;
        r->r_status |= ASM_COMPLETED;
+       r->r_elapsed = ((jiffies - r->r_elapsed) * 1000000) / HZ;
 
        spin_unlock_irqrestore(&afi->f_lock, flags);
 
@@ -1023,8 +1024,6 @@ static void asm_finish_io(struct asm_request *r)
                }
        }
 
-       r->r_elapsed = ((jiffies - r->r_elapsed) * 1000000) / HZ;
-
        wake_up(&afi->f_wait);
 }  /* asm_finish_io() */