md: take a reference to mddev during sysfs access.

When we are accessing an mddev via sysfs we know that the mddev cannot disappear because it has an embedded kobj which is refcounted by sysfs. And we also take the mddev_lock. However this is not enough. The final mddev_put could have been called and the mddev_delayed_delete is waiting for sysfs to let go so it can destroy the kobj and mddev. In this state there are a lot of changes that should not be attempted. To to guard against this we: - initialise mddev->all_mddevs in on last put so the state can be easily detected. - in md_attr_show and md_attr_store, check ->all_mddevs under all_mddevs_lock and mddev_get the mddev if it still appears to be active. This means that if we get to sysfs as the mddev is being deleted we will get -EBUSY. rdev_attr_store and rdev_attr_show are similar but already have sufficient protection. They check that rdev->mddev still points to mddev after taking mddev_lock. As this is cleared before delayed removal which can only be requested under the mddev_lock, this ensure the rdev and mddev are still alive. Signed-off-by: NeilBrown <neilb@suse.de>
author: NeilBrown <neilb@suse.de> 2011-12-07 23:49:46 -0500
committer: NeilBrown <neilb@suse.de> 2011-12-07 23:49:46 -0500
commit: af8a24347f966ab9fae6b0f127d1fbc9d6932d3a (patch)
tree: 903afdae95dc11444707410d784ad857dfb887c9 /drivers
parent: 1d23f178d56ae1349b4fc5108ac8f4f8cdc92afc (diff)
1 files changed, 18 insertions, 1 deletions
diff --git a/drivers/md/md.c b/drivers/md/md.c
index 93b0da13350..f97c3b2f2f8 100644
--- a/drivers/md/md.c
+++ b/drivers/md/md.c
@@ -570,7 +570,7 @@ static void mddev_put(struct mddev *mddev)
            mddev->ctime == 0 && !mddev->hold_active) {
                /* Array is not configured at all, and not held active,
                 * so destroy it */
-                list_del(&mddev->all_mddevs);
+                list_del_init(&mddev->all_mddevs);
                bs = mddev->bio_set;
                mddev->bio_set = NULL;
                if (mddev->gendisk) {
@@ -4489,11 +4489,20 @@ md_attr_show(struct kobject *kobj, struct attribute *attr, char *page)
        if (!entry->show)
                return -EIO;
+        spin_lock(&all_mddevs_lock);
+        if (list_empty(&mddev->all_mddevs)) {
+                spin_unlock(&all_mddevs_lock);
+                return -EBUSY;
+        }
+        mddev_get(mddev);
+        spin_unlock(&all_mddevs_lock);
        rv = mddev_lock(mddev);
        if (!rv) {
                rv = entry->show(mddev, page);
                mddev_unlock(mddev);
        }
+        mddev_put(mddev);
        return rv;
 }
@@ -4509,11 +4518,19 @@ md_attr_store(struct kobject *kobj, struct attribute *attr,
                return -EIO;
        if (!capable(CAP_SYS_ADMIN))
                return -EACCES;
+        spin_lock(&all_mddevs_lock);
+        if (list_empty(&mddev->all_mddevs)) {
+                spin_unlock(&all_mddevs_lock);
+                return -EBUSY;
+        }
+        mddev_get(mddev);
+        spin_unlock(&all_mddevs_lock);
        rv = mddev_lock(mddev);
        if (!rv) {
                rv = entry->store(mddev, page, length);
                mddev_unlock(mddev);
        }
+        mddev_put(mddev);
        return rv;
 }
author	NeilBrown <neilb@suse.de>	2011-12-07 23:49:46 -0500
committer	NeilBrown <neilb@suse.de>	2011-12-07 23:49:46 -0500
commit	af8a24347f966ab9fae6b0f127d1fbc9d6932d3a (patch)
tree	903afdae95dc11444707410d784ad857dfb887c9 /drivers
parent	1d23f178d56ae1349b4fc5108ac8f4f8cdc92afc (diff)