提交 570b9d96 编写于 作者: A Alasdair G Kergon

dm table: fix upgrade mode race

upgrade_mode() sets bdev to NULL temporarily, and does not have any
locking to exclude anything from seeing that NULL.

In dm_table_any_congested() bdev_get_queue() can dereference that NULL and
cause a reported oops.

Fix this by not changing that field during the mode upgrade.

Cc: stable@kernel.org
Cc: Neil Brown <neilb@suse.de>
Signed-off-by: Alasdair G Kergon <agk@redhat.com>
上级 aea90588
...@@ -399,28 +399,30 @@ static int check_device_area(struct dm_dev_internal *dd, sector_t start, ...@@ -399,28 +399,30 @@ static int check_device_area(struct dm_dev_internal *dd, sector_t start,
} }
/* /*
* This upgrades the mode on an already open dm_dev. Being * This upgrades the mode on an already open dm_dev, being
* careful to leave things as they were if we fail to reopen the * careful to leave things as they were if we fail to reopen the
* device. * device and not to touch the existing bdev field in case
* it is accessed concurrently inside dm_table_any_congested().
*/ */
static int upgrade_mode(struct dm_dev_internal *dd, fmode_t new_mode, static int upgrade_mode(struct dm_dev_internal *dd, fmode_t new_mode,
struct mapped_device *md) struct mapped_device *md)
{ {
int r; int r;
struct dm_dev_internal dd_copy; struct dm_dev_internal dd_new, dd_old;
dev_t dev = dd->dm_dev.bdev->bd_dev;
dd_copy = *dd; dd_new = dd_old = *dd;
dd_new.dm_dev.mode |= new_mode;
dd_new.dm_dev.bdev = NULL;
r = open_dev(&dd_new, dd->dm_dev.bdev->bd_dev, md);
if (r)
return r;
dd->dm_dev.mode |= new_mode; dd->dm_dev.mode |= new_mode;
dd->dm_dev.bdev = NULL; close_dev(&dd_old, md);
r = open_dev(dd, dev, md);
if (!r)
close_dev(&dd_copy, md);
else
*dd = dd_copy;
return r; return 0;
} }
/* /*
......
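Review bot: In the new upgrade_mode(), the block device opened through `open_dev(&dd_new, ...)` is never stored back into `dd`, and `close_dev(&dd_old, md)` then releases the reference that `dd->dm_dev.bdev` was opened with, so the function is only correct if reopening the same dev_t yields the same `struct block_device` that `dd` already points to. The header comment says not to touch the bdev field but does not state that assumption; if it ever failed to hold, `dd` would keep a pointer whose reference had just been dropped. I would document it, e.g. `/* open_dev() on the same dev_t must return the bdev dd already holds; its new reference replaces the one dropped via dd_old */`, and make it checkable with `WARN_ON(dd_new.dm_dev.bdev != dd->dm_dev.bdev);` right after the `if (r) return r;`. The helpers open_dev() and close_dev() are outside the hunk, so how they take and drop references is inferred from their use here.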