ae9da83f6d
This patch fixes a bd_mount_sem counter corruption bug in device-mapper.
thaw_bdev() should be called only when freeze_bdev() was called for the
device.
Otherwise, thaw_bdev() will up bd_mount_sem and corrupt the semaphore counter.
struct block_device with the corrupted semaphore may remain in slab cache
and be reused later.
Attached patch will fix it by calling unlock_fs() instead.
unlock_fs() will determine whether it should call thaw_bdev()
by checking whether the device is frozen or not.
Easy reproducer is:
  #!/bin/sh
  while [ 1 ]; do
     dmsetup --notable create a
     dmsetup --nolockfs suspend a
     dmsetup remove a
  done
It's not easy to see the effect of the corrupted semaphore.
So I have tested by putting the printk below in bdev_alloc_inode():
  if (atomic_read(&ei->bdev.bd_mount_sem.count) != 1)
          printk(KERN_DEBUG "Incorrect semaphore count = %d (%p)\n",
                  atomic_read(&ei->bdev.bd_mount_sem.count),
                  &ei->bdev);
Without the patch, I saw something like:
Incorrect semaphore count = 17 (f2ab91c0)
With the patch, the message didn't appear.
The bug was introduced in 2.6.16 with this bug fix:
commit
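The counter imbalance described in the commit message, as an added userspace model that is not part of the original commit or of the kernel source. The `*_model` names, the `frozen` flag and the assumption that the unconditional thaw happens at teardown are hypothetical and chosen for illustration; the starting count of 1 comes from the printk check in the message.

```c
/* Userspace model (constructed, not kernel code) of the bd_mount_sem imbalance. */
#include <stdio.h>

struct bdev_model { int mount_sem_count; };   /* stands in for bd_mount_sem.count */
struct md_model   { struct bdev_model *bdev; int frozen; };

static void freeze_bdev_model(struct bdev_model *b) { b->mount_sem_count--; } /* down() */
static void thaw_bdev_model(struct bdev_model *b)   { b->mount_sem_count++; } /* up() */

/* Suspend: freeze only when lockfs was requested, and remember that we did. */
static void suspend_model(struct md_model *md, int lockfs)
{
    if (lockfs) {
        freeze_bdev_model(md->bdev);
        md->frozen = 1;
    }
}

/* Guarded thaw: the behaviour the message attributes to unlock_fs(). */
static void unlock_fs_model(struct md_model *md)
{
    if (md->frozen) {
        thaw_bdev_model(md->bdev);
        md->frozen = 0;
    }
}

/* Teardown (assumed call site): guarded uses the check, otherwise thaw always. */
static void remove_model(struct md_model *md, int guarded)
{
    if (guarded)
        unlock_fs_model(md);
    else
        thaw_bdev_model(md->bdev);
}

/* Replays create/suspend/remove on one reused bdev object; returns its final count. */
int run_cycles(int iterations, int lockfs, int guarded)
{
    struct bdev_model slab_object = { 1 };    /* same object reused, as from a slab cache */
    for (int i = 0; i < iterations; i++) {
        struct md_model md = { &slab_object, 0 };
        suspend_model(&md, lockfs);
        remove_model(&md, guarded);
    }
    return slab_object.mount_sem_count;
}

int main(void)
{
    printf("nolockfs, unconditional thaw: %d\n", run_cycles(16, 0, 0));
    printf("nolockfs, guarded thaw:       %d\n", run_cycles(16, 0, 1));
    printf("lockfs,   unconditional thaw: %d\n", run_cycles(16, 1, 0));
    return 0;
}
```

Only the combination of a suspend without freeze and an unconditional thaw drifts away from 1, which is why the reproducer in the message passes `--nolockfs`.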