diff options
author | Alasdair G Kergon <agk@redhat.com> | 2009-04-03 17:45:08 +0000 |
---|---|---|
committer | Chris Wright <chrisw@sous-sol.org> | 2009-04-27 10:36:57 -0700 |
commit | 43a00bbcf5aeaac50d9e8271dbfa0d0fc1d4eb43 (patch) | |
tree | db8ee3938b6a9c9e4d495d916e7b6f48a9931086 /drivers | |
parent | d92281c9087f7f7d8c18cf95f18a8148167907e0 (diff) |
dm table: fix upgrade mode race
upstream commit: 570b9d968bf9b16974252ef7cbce73fa6dac34f3
upgrade_mode() sets bdev to NULL temporarily, and does not have any
locking to exclude anything from seeing that NULL.
In dm_table_any_congested() bdev_get_queue() can dereference that NULL and
cause a reported oops.
Fix this by not changing that field during the mode upgrade.
Cc: stable@kernel.org
Cc: Neil Brown <neilb@suse.de>
Signed-off-by: Alasdair G Kergon <agk@redhat.com>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
Diffstat (limited to 'drivers')
-rw-r--r-- | drivers/md/dm-table.c | 26 |
1 files changed, 14 insertions, 12 deletions
diff --git a/drivers/md/dm-table.c b/drivers/md/dm-table.c index 2fd66c30f7f..e8361b191b9 100644 --- a/drivers/md/dm-table.c +++ b/drivers/md/dm-table.c @@ -399,28 +399,30 @@ static int check_device_area(struct dm_dev_internal *dd, sector_t start, } /* - * This upgrades the mode on an already open dm_dev. Being + * This upgrades the mode on an already open dm_dev, being * careful to leave things as they were if we fail to reopen the - * device. + * device and not to touch the existing bdev field in case + * it is accessed concurrently inside dm_table_any_congested(). */ static int upgrade_mode(struct dm_dev_internal *dd, fmode_t new_mode, struct mapped_device *md) { int r; - struct dm_dev_internal dd_copy; - dev_t dev = dd->dm_dev.bdev->bd_dev; + struct dm_dev_internal dd_new, dd_old; - dd_copy = *dd; + dd_new = dd_old = *dd; + + dd_new.dm_dev.mode |= new_mode; + dd_new.dm_dev.bdev = NULL; + + r = open_dev(&dd_new, dd->dm_dev.bdev->bd_dev, md); + if (r) + return r; dd->dm_dev.mode |= new_mode; - dd->dm_dev.bdev = NULL; - r = open_dev(dd, dev, md); - if (!r) - close_dev(&dd_copy, md); - else - *dd = dd_copy; + close_dev(&dd_old, md); - return r; + return 0; } /* |