• Mikulas Patocka's avatar
    dm snapshot: fix a possible invalid memory access on unload · e41f3029
    Mikulas Patocka authored
    commit 22aa66a3 upstream.
    
    When the snapshot target is unloaded, snapshot_dtr() waits until
    pending_exceptions_count drops to zero.  Then, it destroys the snapshot.
    Therefore, the function that decrements pending_exceptions_count
    should not touch the snapshot structure after the decrement.
    
    pending_complete() calls free_pending_exception(), which decrements
    pending_exceptions_count, and then it performs up_write(&s->lock) and it
    calls retry_origin_bios() which dereferences  s->origin.  These two
    memory accesses to the fields of the snapshot may touch the dm_snapshot
    struture after it is freed.
    
    This patch moves the call to free_pending_exception() to the end of
    pending_complete(), so that the snapshot will not be destroyed while
    pending_complete() is in progress.
    Signed-off-by: default avatarMikulas Patocka <mpatocka@redhat.com>
    Signed-off-by: default avatarMike Snitzer <snitzer@redhat.com>
    Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
    e41f3029
dm-snap.c 54.4 KB