summaryrefslogtreecommitdiff
path: root/drivers/md
diff options
context:
space:
mode:
authorMikulas Patocka <mpatocka@redhat.com>2015-07-10 17:21:43 -0400
committerMike Snitzer <snitzer@redhat.com>2015-07-13 09:14:11 -0400
commitb06075a98d595b761881fb2d7b8a557ea2f8b7ac (patch)
tree0f4d62164e2204cd26af74f48bd1cb43e715aef1 /drivers/md
parent621739b00e16ca2d80411dc9b111cb15b91f3ba9 (diff)
downloadlwn-b06075a98d595b761881fb2d7b8a557ea2f8b7ac.tar.gz
lwn-b06075a98d595b761881fb2d7b8a557ea2f8b7ac.zip
dm: fix use after free crash due to incorrect cleanup sequence
Linux 4.2-rc1 Commit 0f20972f7bf6 ("dm: factor out a common cleanup_mapped_device()") moved a common cleanup code to a separate function. Unfortunately, that commit incorrectly changed the order of cleanup, so that it destroys the mapped_device's srcu structure 'io_barrier' before destroying its workqueue. The function that is executed on the workqueue (dm_wq_work) uses the srcu structure, thus it may use it after being freed. That results in a crash in the LVM test suite's mirror-vgreduce-removemissing.sh test. Signed-off-by: Mikulas Patocka <mpatocka@redhat.com> Fixes: 0f20972f7bf6 ("dm: factor out a common cleanup_mapped_device()") Signed-off-by: Mike Snitzer <snitzer@redhat.com>
Diffstat (limited to 'drivers/md')
-rw-r--r--drivers/md/dm.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/drivers/md/dm.c b/drivers/md/dm.c
index de703778d39f..ab37ae114e94 100644
--- a/drivers/md/dm.c
+++ b/drivers/md/dm.c
@@ -2277,8 +2277,6 @@ static void dm_init_old_md_queue(struct mapped_device *md)
static void cleanup_mapped_device(struct mapped_device *md)
{
- cleanup_srcu_struct(&md->io_barrier);
-
if (md->wq)
destroy_workqueue(md->wq);
if (md->kworker_task)
@@ -2290,6 +2288,8 @@ static void cleanup_mapped_device(struct mapped_device *md)
if (md->bs)
bioset_free(md->bs);
+ cleanup_srcu_struct(&md->io_barrier);
+
if (md->disk) {
spin_lock(&_minor_lock);
md->disk->private_data = NULL;