• Mikulas Patocka's avatar
    dm snapshot: fix header corruption race on invalidation · 61578dcd
    Mikulas Patocka authored
    If a persistent snapshot fills up, a race can corrupt the on-disk header
    which causes a crash on any future attempt to activate the snapshot
    (typically while booting).  This patch fixes the race.
    
    When the snapshot overflows, __invalidate_snapshot is called, which calls
    snapshot store method drop_snapshot. It goes to persistent_drop_snapshot that
    calls write_header. write_header constructs the new header in the "area"
    location.
    
    Concurrently, an existing kcopyd job may finish, call copy_callback
    and commit_exception method, that goes to persistent_commit_exception.
    persistent_commit_exception doesn't do locking, relying on the fact that
    callbacks are single-threaded, but it can race with snapshot invalidation and
    overwrite the header that is just being written while the snapshot is being
    invalidated.
    
    The result of this race is a corrupted header being written that can
    lead to a crash on further reactivation (if chunk_size is zero in the
    corrupted header).
    
    The fix is to use separate memory areas for each.
    
    See the bug: https://bugzilla.redhat.com/show_bug.cgi?id=461506
    
    Cc: stable@kernel.org
    Signed-off-by: default avatarMikulas Patocka <mpatocka@redhat.com>
    Signed-off-by: default avatarAlasdair G Kergon <agk@redhat.com>
    61578dcd
dm-snap-persistent.c 17.4 KB