[PATCH] dm: fix mapped device ref counting

To avoid races, _minor_lock must be held while changing mapped device
reference counts.

There are a few paths where a mapped_device pointer is returned before a
reference is taken.  This patch fixes them.

[akpm: too late for 2.6.17 - suitable for 2.6.17.x after it has settled]

Signed-off-by: Jeff Mahoney <jeffm@suse.com>
Signed-off-by: Alasdair G Kergon <agk@redhat.com>
Cc: <stable@kernel.org>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
This commit is contained in:
Jeff Mahoney 2006-06-26 00:27:24 -07:00 committed by Linus Torvalds
parent fba9f90e56
commit 7ec75f2547
1 changed files with 24 additions and 10 deletions

View File

@ -102,8 +102,10 @@ static struct hash_cell *__get_name_cell(const char *str)
unsigned int h = hash_str(str); unsigned int h = hash_str(str);
list_for_each_entry (hc, _name_buckets + h, name_list) list_for_each_entry (hc, _name_buckets + h, name_list)
if (!strcmp(hc->name, str)) if (!strcmp(hc->name, str)) {
dm_get(hc->md);
return hc; return hc;
}
return NULL; return NULL;
} }
@ -114,8 +116,10 @@ static struct hash_cell *__get_uuid_cell(const char *str)
unsigned int h = hash_str(str); unsigned int h = hash_str(str);
list_for_each_entry (hc, _uuid_buckets + h, uuid_list) list_for_each_entry (hc, _uuid_buckets + h, uuid_list)
if (!strcmp(hc->uuid, str)) if (!strcmp(hc->uuid, str)) {
dm_get(hc->md);
return hc; return hc;
}
return NULL; return NULL;
} }
@ -191,7 +195,7 @@ static int unregister_with_devfs(struct hash_cell *hc)
*/ */
static int dm_hash_insert(const char *name, const char *uuid, struct mapped_device *md) static int dm_hash_insert(const char *name, const char *uuid, struct mapped_device *md)
{ {
struct hash_cell *cell; struct hash_cell *cell, *hc;
/* /*
* Allocate the new cells. * Allocate the new cells.
@ -204,14 +208,19 @@ static int dm_hash_insert(const char *name, const char *uuid, struct mapped_devi
* Insert the cell into both hash tables. * Insert the cell into both hash tables.
*/ */
down_write(&_hash_lock); down_write(&_hash_lock);
if (__get_name_cell(name)) hc = __get_name_cell(name);
if (hc) {
dm_put(hc->md);
goto bad; goto bad;
}
list_add(&cell->name_list, _name_buckets + hash_str(name)); list_add(&cell->name_list, _name_buckets + hash_str(name));
if (uuid) { if (uuid) {
if (__get_uuid_cell(uuid)) { hc = __get_uuid_cell(uuid);
if (hc) {
list_del(&cell->name_list); list_del(&cell->name_list);
dm_put(hc->md);
goto bad; goto bad;
} }
list_add(&cell->uuid_list, _uuid_buckets + hash_str(uuid)); list_add(&cell->uuid_list, _uuid_buckets + hash_str(uuid));
@ -289,6 +298,7 @@ static int dm_hash_rename(const char *old, const char *new)
if (hc) { if (hc) {
DMWARN("asked to rename to an already existing name %s -> %s", DMWARN("asked to rename to an already existing name %s -> %s",
old, new); old, new);
dm_put(hc->md);
up_write(&_hash_lock); up_write(&_hash_lock);
kfree(new_name); kfree(new_name);
return -EBUSY; return -EBUSY;
@ -328,6 +338,7 @@ static int dm_hash_rename(const char *old, const char *new)
dm_table_put(table); dm_table_put(table);
} }
dm_put(hc->md);
up_write(&_hash_lock); up_write(&_hash_lock);
kfree(old_name); kfree(old_name);
return 0; return 0;
@ -611,10 +622,8 @@ static struct hash_cell *__find_device_hash_cell(struct dm_ioctl *param)
return __get_name_cell(param->name); return __get_name_cell(param->name);
md = dm_get_md(huge_decode_dev(param->dev)); md = dm_get_md(huge_decode_dev(param->dev));
if (md) { if (md)
mdptr = dm_get_mdptr(md); mdptr = dm_get_mdptr(md);
dm_put(md);
}
return mdptr; return mdptr;
} }
@ -628,7 +637,6 @@ static struct mapped_device *find_device(struct dm_ioctl *param)
hc = __find_device_hash_cell(param); hc = __find_device_hash_cell(param);
if (hc) { if (hc) {
md = hc->md; md = hc->md;
dm_get(md);
/* /*
* Sneakily write in both the name and the uuid * Sneakily write in both the name and the uuid
@ -653,6 +661,7 @@ static struct mapped_device *find_device(struct dm_ioctl *param)
static int dev_remove(struct dm_ioctl *param, size_t param_size) static int dev_remove(struct dm_ioctl *param, size_t param_size)
{ {
struct hash_cell *hc; struct hash_cell *hc;
struct mapped_device *md;
down_write(&_hash_lock); down_write(&_hash_lock);
hc = __find_device_hash_cell(param); hc = __find_device_hash_cell(param);
@ -663,8 +672,11 @@ static int dev_remove(struct dm_ioctl *param, size_t param_size)
return -ENXIO; return -ENXIO;
} }
md = hc->md;
__hash_remove(hc); __hash_remove(hc);
up_write(&_hash_lock); up_write(&_hash_lock);
dm_put(md);
param->data_size = 0; param->data_size = 0;
return 0; return 0;
} }
@ -790,7 +802,6 @@ static int do_resume(struct dm_ioctl *param)
} }
md = hc->md; md = hc->md;
dm_get(md);
new_map = hc->new_map; new_map = hc->new_map;
hc->new_map = NULL; hc->new_map = NULL;
@ -1078,6 +1089,7 @@ static int table_clear(struct dm_ioctl *param, size_t param_size)
{ {
int r; int r;
struct hash_cell *hc; struct hash_cell *hc;
struct mapped_device *md;
down_write(&_hash_lock); down_write(&_hash_lock);
@ -1096,7 +1108,9 @@ static int table_clear(struct dm_ioctl *param, size_t param_size)
param->flags &= ~DM_INACTIVE_PRESENT_FLAG; param->flags &= ~DM_INACTIVE_PRESENT_FLAG;
r = __dev_status(hc->md, param); r = __dev_status(hc->md, param);
md = hc->md;
up_write(&_hash_lock); up_write(&_hash_lock);
dm_put(md);
return r; return r;
} }