diff options
author | Mikulas Patocka <mpatocka@redhat.com> | 2009-04-02 14:55:24 -0400 |
---|---|---|
committer | Alasdair G Kergon <agk@redhat.com> | 2009-04-02 14:55:24 -0400 |
commit | b64b6bf4fd8b678a9f8477c11773c38a0a246a6d (patch) | |
tree | 26e12749b51ce21f0f59b8d7ee45a3716d2a96d8 /drivers/md/dm-io.c | |
parent | 95f8fac8dc6139fedfb87746e0c8fda9b803cb46 (diff) |
dm io: make sync_io uninterruptible
If someone sends signal to a process performing synchronous dm-io call,
the kernel may crash.
The function sync_io attempts to exit with -EINTR if it has pending signal,
however the structure "io" is allocated on stack, so already submitted io
requests end up touching unallocated stack space and corrupting kernel memory.
sync_io sets its state to TASK_UNINTERRUPTIBLE, so the signal can't break out
of io_schedule() --- however, if the signal was pending before sync_io entered
while (1) loop, the corruption of kernel memory will happen.
There is no way to cancel in-progress IOs, so the best solution is to ignore
signals at this point.
Cc: stable@kernel.org
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Alasdair G Kergon <agk@redhat.com>
Diffstat (limited to 'drivers/md/dm-io.c')
-rw-r--r-- | drivers/md/dm-io.c | 5 |
1 files changed, 1 insertions, 4 deletions
diff --git a/drivers/md/dm-io.c b/drivers/md/dm-io.c index 36e2b5e46a6b..e73aabd61cd7 100644 --- a/drivers/md/dm-io.c +++ b/drivers/md/dm-io.c | |||
@@ -370,16 +370,13 @@ static int sync_io(struct dm_io_client *client, unsigned int num_regions, | |||
370 | while (1) { | 370 | while (1) { |
371 | set_current_state(TASK_UNINTERRUPTIBLE); | 371 | set_current_state(TASK_UNINTERRUPTIBLE); |
372 | 372 | ||
373 | if (!atomic_read(&io.count) || signal_pending(current)) | 373 | if (!atomic_read(&io.count)) |
374 | break; | 374 | break; |
375 | 375 | ||
376 | io_schedule(); | 376 | io_schedule(); |
377 | } | 377 | } |
378 | set_current_state(TASK_RUNNING); | 378 | set_current_state(TASK_RUNNING); |
379 | 379 | ||
380 | if (atomic_read(&io.count)) | ||
381 | return -EINTR; | ||
382 | |||
383 | if (error_bits) | 380 | if (error_bits) |
384 | *error_bits = io.error_bits; | 381 | *error_bits = io.error_bits; |
385 | 382 | ||