[PATCH] dm-snapshot: fix a possible invalid memory access on unload

When the snapshot target is unloaded, the function snapshot_dtr waits
until pending_exceptions_count drops to zero. Then, it destroys the
snapshot. Therefore, the function that decrements pending_exceptions_count
should not touch the snapshot structure after the decrement.

The function pending_complete calls free_pending_exception (that
decrements pending_exceptions_count) and then it performs
up_write(&s->lock) and it calls retry_origin_bios that dereferences
s->origin. These two memory accesses to the fields of the snapshot may
touch the dm_snapshot structure after it is freed.

This patch moves free_pending_exception to the end of pending_complete, so
that the snapshot could not be destroyed while pending_complete is in
progress.

Signed-off-by: Mikulas Patocka <mpatocka@xxxxxxxxxx>
Cc: stable@xxxxxxxxxx

---
 drivers/md/dm-snap.c |   13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

Index: linux-2.6/drivers/md/dm-snap.c
===================================================================
--- linux-2.6.orig/drivers/md/dm-snap.c
+++ linux-2.6/drivers/md/dm-snap.c
@@ -1432,8 +1432,6 @@ out:
 		full_bio->bi_private = pe->full_bio_private;
 		atomic_inc(&full_bio->bi_remaining);
 	}
-	free_pending_exception(pe);
-
 	increment_pending_exceptions_done_count();
 
 	up_write(&s->lock);
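Review bot: Removing the early free_pending_exception(pe) here is correct, but the hunk leaves no hint of where the free went, and the up_write(&s->lock) that now directly follows increment_pending_exceptions_done_count() is the first of the two accesses to s that the changelog says must happen before the decrement. A one-line comment at this point, e.g. "pe is released at the end of pending_complete(); s may be freed after that", would stop a later cleanup from moving the free back up.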
@@ -1450,6 +1448,8 @@ out:
 	}
 
 	retry_origin_bios(s, origin_bios);
+
+	free_pending_exception(pe);
 }
 
 static void commit_callback(void *context, int success)
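Review bot: The relocated free_pending_exception(pe) is now the last statement in pending_complete(), which is the whole fix, yet nothing in the code records why it must stay last. Add a comment above it stating that it decrements pending_exceptions_count, which lets snapshot_dtr() proceed and destroy s, so no access to s (including s->lock and s->origin) may follow it. The free also now runs outside s->lock, after retry_origin_bios(s, origin_bios); the changelog should say explicitly that pe is unreachable from any other path at that point, since the visible lines alone do not show it.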

--
dm-devel mailing list
dm-devel@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/dm-devel
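The ordering bug the changelog describes (decrementing the count that the destructor waits on, then touching the object) is easiest to see in a small model. The following C program is an added illustration and is not the kernel's code or the author's: the `struct snapshot`, `pending_complete_before`, `pending_complete_after` and `run_scenario` names are hypothetical stand-ins. It models the worst-case interleaving by letting the "destructor" free the object the instant the pending count reaches zero, and reports whether the completion path touched the object after that.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical stand-in for struct dm_snapshot with only the fields the
 * ordering argument needs (not the kernel's structure). */
struct snapshot {
    int  pending_exceptions_count; /* what snapshot_dtr waits to reach zero */
    bool dtr_waiting;              /* snapshot_dtr has been called and is blocked */
    bool freed;                    /* set when the destructor releases the object */
    int  origin_retries;           /* stand-in for work done on s->origin */
};

struct outcome {
    bool use_after_free;           /* s was accessed after it had been freed */
    bool freed;                    /* the destructor ran during completion */
};

/* Models free_pending_exception(): the decrement is the hand-off point.
 * In the kernel the destructor runs on another thread as soon as the count
 * hits zero; the model lets it run immediately, which is the interleaving
 * the fix has to survive. The object is flagged rather than really freed so
 * the later access can be observed instead of crashing. */
static void free_pending_exception_model(struct snapshot *s)
{
    s->pending_exceptions_count--;
    if (s->dtr_waiting && s->pending_exceptions_count == 0)
        s->freed = true;           /* snapshot_dtr proceeds and destroys s */
}

/* One access to the snapshot (stands in for up_write(&s->lock) or the
 * s->origin dereference in retry_origin_bios). Returns true if s is gone. */
static bool touch_snapshot(struct snapshot *s)
{
    s->origin_retries++;
    return s->freed;
}

/* Order before the patch: decrement first, then unlock and retry origin bios. */
static struct outcome pending_complete_before(struct snapshot *s)
{
    struct outcome o = { false, false };
    free_pending_exception_model(s);
    if (touch_snapshot(s)) o.use_after_free = true;  /* up_write(&s->lock) */
    if (touch_snapshot(s)) o.use_after_free = true;  /* retry_origin_bios(s, ...) */
    o.freed = s->freed;
    return o;
}

/* Order after the patch: all accesses to s, then the decrement last. */
static struct outcome pending_complete_after(struct snapshot *s)
{
    struct outcome o = { false, false };
    if (touch_snapshot(s)) o.use_after_free = true;  /* up_write(&s->lock) */
    if (touch_snapshot(s)) o.use_after_free = true;  /* retry_origin_bios(s, ...) */
    free_pending_exception_model(s);
    o.freed = s->freed;
    return o;
}

/* Constructed scenario: one pending exception outstanding; the destructor is
 * already waiting if dtr_waiting is set. Returns 1 on use-after-free, else 0. */
int run_scenario(bool patched, bool dtr_waiting)
{
    struct snapshot s = { 1, dtr_waiting, false, 0 };
    struct outcome o = patched ? pending_complete_after(&s)
                               : pending_complete_before(&s);
    return o.use_after_free ? 1 : 0;
}

int main(void)
{
    printf("unpatched, dtr waiting : %s\n",
           run_scenario(false, true) ? "use-after-free" : "ok");
    printf("patched,   dtr waiting : %s\n",
           run_scenario(true, true) ? "use-after-free" : "ok");
    printf("unpatched, no dtr      : %s\n",
           run_scenario(false, false) ? "use-after-free" : "ok");
    return 0;
}
```

The model deliberately collapses the two threads into one: the only fact it needs is that, once the count is decremented to zero, the destructor may run at any later instant, so the completion path must treat the decrement as its last access to the object. That is exactly the invariant the patch restores by moving the free to the end of pending_complete.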



