diff options
| author | Alasdair G Kergon <agk@redhat.com> | 2009-04-02 14:55:28 -0400 |
|---|---|---|
| committer | Alasdair G Kergon <agk@redhat.com> | 2009-04-02 14:55:28 -0400 |
| commit | 570b9d968bf9b16974252ef7cbce73fa6dac34f3 (patch) | |
| tree | 1a356ada71b373b363f9fc2204769f8eee920f30 | |
| parent | aea9058801c0acfa2831af1714da412dfb0018c2 (diff) | |
dm table: fix upgrade mode race
upgrade_mode() sets bdev to NULL temporarily, and does not have any
locking to exclude anything from seeing that NULL.
In dm_table_any_congested() bdev_get_queue() can dereference that NULL and
cause a reported oops.
Fix this by not changing that field during the mode upgrade.
Cc: stable@kernel.org
Cc: Neil Brown <neilb@suse.de>
Signed-off-by: Alasdair G Kergon <agk@redhat.com>
| -rw-r--r-- | drivers/md/dm-table.c | 26 |
1 files changed, 14 insertions, 12 deletions
diff --git a/drivers/md/dm-table.c b/drivers/md/dm-table.c index 2fd66c30f7f8..e8361b191b9b 100644 --- a/drivers/md/dm-table.c +++ b/drivers/md/dm-table.c | |||
| @@ -399,28 +399,30 @@ static int check_device_area(struct dm_dev_internal *dd, sector_t start, | |||
| 399 | } | 399 | } |
| 400 | 400 | ||
| 401 | /* | 401 | /* |
| 402 | * This upgrades the mode on an already open dm_dev. Being | 402 | * This upgrades the mode on an already open dm_dev, being |
| 403 | * careful to leave things as they were if we fail to reopen the | 403 | * careful to leave things as they were if we fail to reopen the |
| 404 | * device. | 404 | * device and not to touch the existing bdev field in case |
| 405 | * it is accessed concurrently inside dm_table_any_congested(). | ||
| 405 | */ | 406 | */ |
| 406 | static int upgrade_mode(struct dm_dev_internal *dd, fmode_t new_mode, | 407 | static int upgrade_mode(struct dm_dev_internal *dd, fmode_t new_mode, |
| 407 | struct mapped_device *md) | 408 | struct mapped_device *md) |
| 408 | { | 409 | { |
| 409 | int r; | 410 | int r; |
| 410 | struct dm_dev_internal dd_copy; | 411 | struct dm_dev_internal dd_new, dd_old; |
| 411 | dev_t dev = dd->dm_dev.bdev->bd_dev; | ||
| 412 | 412 | ||
| 413 | dd_copy = *dd; | 413 | dd_new = dd_old = *dd; |
| 414 | |||
| 415 | dd_new.dm_dev.mode |= new_mode; | ||
| 416 | dd_new.dm_dev.bdev = NULL; | ||
| 417 | |||
| 418 | r = open_dev(&dd_new, dd->dm_dev.bdev->bd_dev, md); | ||
| 419 | if (r) | ||
| 420 | return r; | ||
| 414 | 421 | ||
| 415 | dd->dm_dev.mode |= new_mode; | 422 | dd->dm_dev.mode |= new_mode; |
| 416 | dd->dm_dev.bdev = NULL; | 423 | close_dev(&dd_old, md); |
| 417 | r = open_dev(dd, dev, md); | ||
| 418 | if (!r) | ||
| 419 | close_dev(&dd_copy, md); | ||
| 420 | else | ||
| 421 | *dd = dd_copy; | ||
| 422 | 424 | ||
| 423 | return r; | 425 | return 0; |
| 424 | } | 426 | } |
| 425 | 427 | ||
| 426 | /* | 428 | /* |