[dm-devel] [PATCH] dm-snapshot: fix a possible invalid memory access on unload

Mikulas Patocka mpatocka at redhat.com
Tue Feb 17 19:34:00 UTC 2015


When the snapshot target is unloaded, the function snapshot_dtr waits
until pending_exceptions_count drops to zero. Then, it destroys the
snapshot. Therefore, the function that decrements pending_exceptions_count
should not touch the snapshot structure after the decrement.

The function pending_complete calls free_pending_exception (that
decrements pending_exceptions_count) and then it performs
up_write(&s->lock) and it calls retry_origin_bios that dereferences
s->origin. These two memory accesses to the fields of the snapshot may
touch the dm_snapshot structure after it is freed.

This patch moves free_pending_exception to the end of pending_complete, so
that the snapshot could not be destroyed while pending_complete is in
progress.

Signed-off-by: Mikulas Patocka <mpatocka at redhat.com>
Cc: stable at kernel.org

---
 drivers/md/dm-snap.c |   13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

Index: linux-2.6/drivers/md/dm-snap.c
===================================================================
--- linux-2.6.orig/drivers/md/dm-snap.c
+++ linux-2.6/drivers/md/dm-snap.c
@@ -1432,8 +1432,6 @@ out:
 		full_bio->bi_private = pe->full_bio_private;
 		atomic_inc(&full_bio->bi_remaining);
 	}
-	free_pending_exception(pe);
-
 	increment_pending_exceptions_done_count();
 
 	up_write(&s->lock);
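Review bot: With free_pending_exception(pe) removed from this locked region, increment_pending_exceptions_done_count() now runs before pending_exceptions_count is decremented rather than after it; confirm that no waiter compares the two counters and relies on the old ordering, and that nothing between this up_write(&s->lock) and the end of pending_complete requires pe to have already been released.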
@@ -1450,6 +1448,8 @@ out:
 	}
 
 	retry_origin_bios(s, origin_bios);
+
+	free_pending_exception(pe);
 }
 
 static void commit_callback(void *context, int success)
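Review bot: The new free_pending_exception(pe) after retry_origin_bios(s, origin_bios) is the whole point of the fix, and its position is load-bearing: snapshot_dtr waits for pending_exceptions_count to reach zero, so this must stay the last statement that runs after any access to s. Add a comment above the call, e.g. "/* Must be last: snapshot_dtr waits on pending_exceptions_count */", so a later reordering does not silently reintroduce the use-after-free, and confirm that every exit path of pending_complete (including the out: label shown in the hunk header) reaches this call so pe is not leaked.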
