aboutsummaryrefslogtreecommitdiffstats
path: root/drivers/md/dm-io.c
diff options
context:
space:
mode:
authorMikulas Patocka <mpatocka@redhat.com>2009-04-02 14:55:24 -0400
committerAlasdair G Kergon <agk@redhat.com>2009-04-02 14:55:24 -0400
commitb64b6bf4fd8b678a9f8477c11773c38a0a246a6d (patch)
tree26e12749b51ce21f0f59b8d7ee45a3716d2a96d8 /drivers/md/dm-io.c
parent95f8fac8dc6139fedfb87746e0c8fda9b803cb46 (diff)
dm io: make sync_io uninterruptible
If someone sends signal to a process performing synchronous dm-io call, the kernel may crash. The function sync_io attempts to exit with -EINTR if it has pending signal, however the structure "io" is allocated on stack, so already submitted io requests end up touching unallocated stack space and corrupting kernel memory. sync_io sets its state to TASK_UNINTERRUPTIBLE, so the signal can't break out of io_schedule() --- however, if the signal was pending before sync_io entered while (1) loop, the corruption of kernel memory will happen. There is no way to cancel in-progress IOs, so the best solution is to ignore signals at this point. Cc: stable@kernel.org Signed-off-by: Mikulas Patocka <mpatocka@redhat.com> Signed-off-by: Alasdair G Kergon <agk@redhat.com>
Diffstat (limited to 'drivers/md/dm-io.c')
-rw-r--r--drivers/md/dm-io.c5
1 files changed, 1 insertions, 4 deletions
diff --git a/drivers/md/dm-io.c b/drivers/md/dm-io.c
index 36e2b5e46a6b..e73aabd61cd7 100644
--- a/drivers/md/dm-io.c
+++ b/drivers/md/dm-io.c
@@ -370,16 +370,13 @@ static int sync_io(struct dm_io_client *client, unsigned int num_regions,
370 while (1) { 370 while (1) {
371 set_current_state(TASK_UNINTERRUPTIBLE); 371 set_current_state(TASK_UNINTERRUPTIBLE);
372 372
373 if (!atomic_read(&io.count) || signal_pending(current)) 373 if (!atomic_read(&io.count))
374 break; 374 break;
375 375
376 io_schedule(); 376 io_schedule();
377 } 377 }
378 set_current_state(TASK_RUNNING); 378 set_current_state(TASK_RUNNING);
379 379
380 if (atomic_read(&io.count))
381 return -EINTR;
382
383 if (error_bits) 380 if (error_bits)
384 *error_bits = io.error_bits; 381 *error_bits = io.error_bits;
385 382