aboutsummaryrefslogtreecommitdiffstats
path: root/drivers/md
diff options
context:
space:
mode:
authorAlasdair G Kergon <agk@redhat.com>2009-04-02 14:55:28 -0400
committerAlasdair G Kergon <agk@redhat.com>2009-04-02 14:55:28 -0400
commit570b9d968bf9b16974252ef7cbce73fa6dac34f3 (patch)
tree1a356ada71b373b363f9fc2204769f8eee920f30 /drivers/md
parentaea9058801c0acfa2831af1714da412dfb0018c2 (diff)
dm table: fix upgrade mode race
upgrade_mode() sets bdev to NULL temporarily, and does not have any locking to exclude anything from seeing that NULL. In dm_table_any_congested() bdev_get_queue() can dereference that NULL and cause a reported oops. Fix this by not changing that field during the mode upgrade. Cc: stable@kernel.org Cc: Neil Brown <neilb@suse.de> Signed-off-by: Alasdair G Kergon <agk@redhat.com>
Diffstat (limited to 'drivers/md')
-rw-r--r--drivers/md/dm-table.c26
1 files changed, 14 insertions, 12 deletions
diff --git a/drivers/md/dm-table.c b/drivers/md/dm-table.c
index 2fd66c30f7f8..e8361b191b9b 100644
--- a/drivers/md/dm-table.c
+++ b/drivers/md/dm-table.c
@@ -399,28 +399,30 @@ static int check_device_area(struct dm_dev_internal *dd, sector_t start,
399} 399}
400 400
401/* 401/*
402 * This upgrades the mode on an already open dm_dev. Being 402 * This upgrades the mode on an already open dm_dev, being
403 * careful to leave things as they were if we fail to reopen the 403 * careful to leave things as they were if we fail to reopen the
404 * device. 404 * device and not to touch the existing bdev field in case
405 * it is accessed concurrently inside dm_table_any_congested().
405 */ 406 */
406static int upgrade_mode(struct dm_dev_internal *dd, fmode_t new_mode, 407static int upgrade_mode(struct dm_dev_internal *dd, fmode_t new_mode,
407 struct mapped_device *md) 408 struct mapped_device *md)
408{ 409{
409 int r; 410 int r;
410 struct dm_dev_internal dd_copy; 411 struct dm_dev_internal dd_new, dd_old;
411 dev_t dev = dd->dm_dev.bdev->bd_dev;
412 412
413 dd_copy = *dd; 413 dd_new = dd_old = *dd;
414
415 dd_new.dm_dev.mode |= new_mode;
416 dd_new.dm_dev.bdev = NULL;
417
418 r = open_dev(&dd_new, dd->dm_dev.bdev->bd_dev, md);
419 if (r)
420 return r;
414 421
415 dd->dm_dev.mode |= new_mode; 422 dd->dm_dev.mode |= new_mode;
416 dd->dm_dev.bdev = NULL; 423 close_dev(&dd_old, md);
417 r = open_dev(dd, dev, md);
418 if (!r)
419 close_dev(&dd_copy, md);
420 else
421 *dd = dd_copy;
422 424
423 return r; 425 return 0;
424} 426}
425 427
426/* 428/*