[dm-devel] dm_table_get/put balance -> reference counting problem in dm-ioctl-v4.c

[Christophe Saout]

Hi!

I've managed it to get an unloadable module implementing a dm target.

I did the following (more or less):

- Load the module
- create device and load a table
- load a table (dmsetup reload)
- load a table again
- resume the device
- remove the device

Bang. lsmod shows use count 1.

But I think I've found the source of the problem though I'm not 100%
sure if this is everything.

In dm-ioctl-v4.c in function table_load:

You do a hc->new_map = t without checking whether there is alreay a new
table in it. The table holds a reference to the targets and dm-target.c
holds a reference to the target modules.

So if I load two tables in a row without swapping them (resuming the
device) the first table gets overwritten without dropping the reference
counts.

A BUG_ON(hc->new_map) before setting it was hit when the table was
loaded a seconding time.

My patch (attached) seems to fix the problem.

The other possible locking source is dm.c and blk_dev_open/close. The
reference is dropped when the holders reach zero. But I don't see a
problem with dm_get/dm_put.

diff -Nur linux.orig/drivers/md/dm-ioctl-v4.c
linux/drivers/md/dm-ioctl-v4.c
--- linux.orig/drivers/md/dm-ioctl-v4.c	2003-08-01 01:39:11.000000000
+0200
+++ linux/drivers/md/dm-ioctl-v4.c	2003-08-01 03:49:45.266893136 +0200
@@ -816,6 +816,8 @@
 		return -ENXIO;
 	}
 
+	if (hc->new_map)
+		dm_table_put(hc->new_map);
 	hc->new_map = t;
 	param->flags |= DM_INACTIVE_PRESENT_FLAG;
 
--
Christophe Saout <christophe at saout.de>
Please avoid sending me Word or PowerPoint attachments.
See http://www.fsf.org/philosophy/no-word-attachments.html