[dm-devel] [PATCH] dm-snapshot: fix a possible invalid memory access on unload
Mikulas Patocka
mpatocka at redhat.com
Tue Feb 17 19:34:00 UTC 2015
When the snapshot target is unloaded, the function snapshot_dtr waits
until pending_exceptions_count drops to zero. Then, it destroys the
snapshot. Therefore, the function that decrements pending_exceptions_count
should not touch the snapshot structure after the decrement.
The function pending_complete calls free_pending_exception (that
decrements pending_exceptions_count) and then it performs
up_write(&s->lock) and it calls retry_origin_bios that dereferences
s->origin. These two memory accesses to the fields of the snapshot may
touch the dm_snapshot structure after it is freed.
This patch moves free_pending_exception to the end of pending_complete, so
that the snapshot could not be destroyed while pending_complete is in
progress.
Signed-off-by: Mikulas Patocka <mpatocka at redhat.com>
Cc: stable at kernel.org
---
drivers/md/dm-snap.c | 13 ++++++++-----
1 file changed, 8 insertions(+), 5 deletions(-)
Index: linux-2.6/drivers/md/dm-snap.c
===================================================================
--- linux-2.6.orig/drivers/md/dm-snap.c
+++ linux-2.6/drivers/md/dm-snap.c
@@ -1432,8 +1432,6 @@ out:
full_bio->bi_private = pe->full_bio_private;
atomic_inc(&full_bio->bi_remaining);
}
- free_pending_exception(pe);
-
increment_pending_exceptions_done_count();
up_write(&s->lock);
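Review bot: the commit message should state that free_pending_exception does not depend on s->lock being held, since after this hunk the decrement of pending_exceptions_count moves from before increment_pending_exceptions_done_count()/up_write(&s->lock) to after the lock is released; a one-line note on that in the description would save the next reader from re-deriving it.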
@@ -1450,6 +1448,8 @@ out:
}
retry_origin_bios(s, origin_bios);
+
+ free_pending_exception(pe);
}
static void commit_callback(void *context, int success)
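Review bot: the new `free_pending_exception(pe);` placed after `retry_origin_bios(s, origin_bios);` is now load-bearing for correctness, yet nothing in the code says so; a short comment above it (e.g. "must be last: once pending_exceptions_count drops to zero, snapshot_dtr may free s") would stop a later cleanup from reordering it back in front of the s->origin access.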
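To make the lifetime rule from the commit message concrete, here is an added, constructed model (not dm-snap.c code; every name is hypothetical) in which the destructor runs the moment the pending count hits zero and marks the snapshot as freed, so any later access to it is detectable. It contrasts the old ordering with the patched one.

```c
#include <stddef.h>

/* Model of the dm-snapshot object (hypothetical struct, not the kernel's). */
struct snapshot {
	int pending_exceptions_count;
	int freed;   /* poison flag set by the "dtr" in place of a real kfree() */
	int origin;  /* stands in for s->origin, read by retry_origin_bios() */
};

struct pending_exception {
	struct snapshot *snap;
};

/* snapshot_dtr in the kernel waits for the count to reach zero, then frees s.
 * In this model the unload is already in progress, so destruction happens
 * at the exact instant the count reaches zero. */
static void snapshot_dtr_if_idle(struct snapshot *s)
{
	if (s->pending_exceptions_count == 0)
		s->freed = 1;
}

static void free_pending_exception(struct pending_exception *pe)
{
	struct snapshot *s = pe->snap;

	s->pending_exceptions_count--;
	snapshot_dtr_if_idle(s);   /* the point at which s may disappear */
}

/* Returns 1 if the snapshot was touched after its destructor ran. */
static int pending_complete(struct pending_exception *pe, int fixed_order)
{
	struct snapshot *s = pe->snap;
	int bad = 0;

	if (!fixed_order)
		free_pending_exception(pe);   /* old order: decrement first */

	/* up_write(&s->lock); retry_origin_bios(s, ...): both dereference s */
	bad |= s->freed;
	bad |= (s->origin != 42);         /* constructed sentinel value */

	if (fixed_order)
		free_pending_exception(pe);   /* patched order: last statement */
	return bad;
}

/* Drives one completion against a snapshot with a single pending exception. */
int run_scenario(int fixed_order)
{
	struct snapshot s = { 1, 0, 42 };
	struct pending_exception pe = { &s };

	return pending_complete(&pe, fixed_order);
}
```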