summaryrefslogtreecommitdiffstats
path: root/drivers/md
diff options
context:
space:
mode:
authorNeilBrown <neilb@suse.de>2008-05-23 13:04:32 -0700
committerLinus Torvalds <torvalds@linux-foundation.org>2008-05-24 09:56:09 -0700
commit84255d1018c50e72c71a49f359989597d53a3f53 (patch)
tree242c639d1e110f241e802e6b0a27a670deb8b174 /drivers/md
parent80119ef5c8153e0a6cc5edf00c083dc98a9bd348 (diff)
downloadkernel-crypto-84255d1018c50e72c71a49f359989597d53a3f53.tar.gz
kernel-crypto-84255d1018c50e72c71a49f359989597d53a3f53.tar.xz
kernel-crypto-84255d1018c50e72c71a49f359989597d53a3f53.zip
md: fix possible oops when removing a bitmap from an active array
It is possible to add a write-intent bitmap to an active array, or remove the bitmap that is there. When we do with the 'quiesce' the array, which causes make_request to block in "wait_barrier()". However we are sampling the value of "mddev->bitmap" before the wait_barrier call, and using it afterwards. This can result in using a bitmap structure that has been freed. Signed-off-by: Neil Brown <neilb@suse.de> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'drivers/md')
-rw-r--r--drivers/md/raid1.c4
1 files changed, 3 insertions, 1 deletions
diff --git a/drivers/md/raid1.c b/drivers/md/raid1.c
index ac409b7d83f..21629ae4668 100644
--- a/drivers/md/raid1.c
+++ b/drivers/md/raid1.c
@@ -773,7 +773,7 @@ static int make_request(struct request_queue *q, struct bio * bio)
r1bio_t *r1_bio;
struct bio *read_bio;
int i, targets = 0, disks;
- struct bitmap *bitmap = mddev->bitmap;
+ struct bitmap *bitmap;
unsigned long flags;
struct bio_list bl;
struct page **behind_pages = NULL;
@@ -802,6 +802,8 @@ static int make_request(struct request_queue *q, struct bio * bio)
wait_barrier(conf);
+ bitmap = mddev->bitmap;
+
disk_stat_inc(mddev->gendisk, ios[rw]);
disk_stat_add(mddev->gendisk, sectors[rw], bio_sectors(bio));