From f1e25c923b446afb5638afbca78aa2c8964bf316 Mon Sep 17 00:00:00 2001 From: Michal Mielewczyk Date: Wed, 26 Mar 2025 15:40:33 +0100 Subject: [PATCH] D2C: Prevent use after free Request could be completed and freed before the statistics were updated Signed-off-by: Michal Mielewczyk --- src/engine/engine_d2c.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/src/engine/engine_d2c.c b/src/engine/engine_d2c.c index e55320f..2a6b86a 100644 --- a/src/engine/engine_d2c.c +++ b/src/engine/engine_d2c.c @@ -1,6 +1,6 @@ /* * Copyright(c) 2012-2022 Intel Corporation - * Copyright(c) 2024 Huawei Technologies + * Copyright(c) 2024-2025 Huawei Technologies * SPDX-License-Identifier: BSD-3-Clause */ #include "ocf/ocf.h" @@ -33,7 +33,10 @@ int ocf_d2c_io_fast(struct ocf_request *req) { OCF_DEBUG_TRACE(req->cache); - /* Get OCF request - increase reference counter */ + /* Increase reference counter - once for submission and second time to + * avoid freeing the request before updating stats + */ + ocf_req_get(req); ocf_req_get(req); ocf_engine_forward_core_io_req(req, _ocf_d2c_completion); @@ -46,6 +49,8 @@ int ocf_d2c_io_fast(struct ocf_request *req) ocf_core_stats_request_pt_update(req->core, req->part_id, req->rw, req->info.hit_no, req->core_line_count); + ocf_req_put(req); + return 0; }