From: Alasdair G Kergon <agk@xxxxxxxxxx> There is a race between dev_create() and find_device(). If the mdptr has not yet been stored against a device, find_device() needs to behave as though no device was found. It already returns NULL, but there is a dm_put() missing: it must drop the reference dm_get_md() took. The bug was introduced by dm-fix-mapped-device-ref-counting.patch. It manifests itself if another dm ioctl attempts to reference a newly-created device while the device creation ioctl is still running. The consequence is that the device cannot be removed until the machine is rebooted. Certain udev configurations can lead to this happening. Signed-off-by: Alasdair G Kergon <agk@xxxxxxxxxx> Cc: <dm-devel@xxxxxxxxxx> Signed-off-by: Andrew Morton <akpm@xxxxxxxx> --- drivers/md/dm-ioctl.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff -puN drivers/md/dm-ioctl.c~dm-fix-find_device-race drivers/md/dm-ioctl.c --- a/drivers/md/dm-ioctl.c~dm-fix-find_device-race +++ a/drivers/md/dm-ioctl.c @@ -606,9 +606,14 @@ static struct hash_cell *__find_device_h return __get_name_cell(param->name); md = dm_get_md(huge_decode_dev(param->dev)); - if (md) - mdptr = dm_get_mdptr(md); + if (!md) + goto out; + mdptr = dm_get_mdptr(md); + if (!mdptr) + dm_put(md); + +out: return mdptr; } _ -- dm-devel mailing list dm-devel@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/dm-devel
