dm: fix use after free crash due to incorrect cleanup sequence

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

Linux 4.2-rc1 Commit 0f20972f7bf6 ("dm: factor out a common
cleanup_mapped_device()") moved a common cleanup code to a separate
function. Unfortunately, that commit incorrectly changed the order of
cleanup, so that it destroys the mapped_device's srcu structure
'io_barrier' before destroying its workqueue.

The function that is executed on the workqueue (dm_wq_work) uses the srcu
structure, thus it may use it after being freed. That results in a
crash in the LVM test suite's mirror-vgreduce-removemissing.sh test.

Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Fixes: 0f20972f7bf6 ("dm: factor out a common cleanup_mapped_device()")
Signed-off-by: Mike Snitzer <snitzer@redhat.com>

authored by

Mikulas Patocka and committed by

Mike Snitzer 10 years ago b06075a9 621739b0

+2 -2

1 changed file

expand all

drivers

dm.c

+2 -2

drivers/md/dm.c

··· 2277 2277 2278 2278 static void cleanup_mapped_device(struct mapped_device *md) 2279 2279 { 2280 - cleanup_srcu_struct(&md->io_barrier); 2281 - 2282 2280 if (md->wq) 2283 2281 destroy_workqueue(md->wq); 2284 2282 if (md->kworker_task) ··· 2287 2289 mempool_destroy(md->rq_pool); 2288 2290 if (md->bs) 2289 2291 bioset_free(md->bs); 2292 + 2293 + cleanup_srcu_struct(&md->io_barrier); 2290 2294 2291 2295 if (md->disk) { 2292 2296 spin_lock(&_minor_lock);