diff options
| author | Mikulas Patocka <mpatocka@redhat.com> | 2015-07-10 17:21:43 -0400 |
|---|---|---|
| committer | Mike Snitzer <snitzer@redhat.com> | 2015-07-13 09:14:11 -0400 |
| commit | b06075a98d595b761881fb2d7b8a557ea2f8b7ac (patch) | |
| tree | 0f4d62164e2204cd26af74f48bd1cb43e715aef1 /drivers/md/dm.c | |
| parent | 621739b00e16ca2d80411dc9b111cb15b91f3ba9 (diff) | |
| download | op-kernel-dev-b06075a98d595b761881fb2d7b8a557ea2f8b7ac.zip op-kernel-dev-b06075a98d595b761881fb2d7b8a557ea2f8b7ac.tar.gz | |
dm: fix use after free crash due to incorrect cleanup sequence
Linux 4.2-rc1 Commit 0f20972f7bf6 ("dm: factor out a common
cleanup_mapped_device()") moved a common cleanup code to a separate
function. Unfortunately, that commit incorrectly changed the order of
cleanup, so that it destroys the mapped_device's srcu structure
'io_barrier' before destroying its workqueue.
The function that is executed on the workqueue (dm_wq_work) uses the srcu
structure, thus it may use it after being freed. That results in a
crash in the LVM test suite's mirror-vgreduce-removemissing.sh test.
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Fixes: 0f20972f7bf6 ("dm: factor out a common cleanup_mapped_device()")
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
Diffstat (limited to 'drivers/md/dm.c')
| -rw-r--r-- | drivers/md/dm.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/drivers/md/dm.c b/drivers/md/dm.c index de70377..ab37ae1 100644 --- a/drivers/md/dm.c +++ b/drivers/md/dm.c @@ -2277,8 +2277,6 @@ static void dm_init_old_md_queue(struct mapped_device *md) static void cleanup_mapped_device(struct mapped_device *md) { - cleanup_srcu_struct(&md->io_barrier); - if (md->wq) destroy_workqueue(md->wq); if (md->kworker_task) @@ -2290,6 +2288,8 @@ static void cleanup_mapped_device(struct mapped_device *md) if (md->bs) bioset_free(md->bs); + cleanup_srcu_struct(&md->io_barrier); + if (md->disk) { spin_lock(&_minor_lock); md->disk->private_data = NULL; |
