From patchwork Wed Mar 4 21:33:56 2009
X-Patchwork-Submitter: Jonathan Brassow
X-Patchwork-Id: 9928
X-Patchwork-Delegate: agk@redhat.com
From: Jonathan Brassow
To: dm-devel@redhat.com
Date: Wed, 04 Mar 2009 15:33:56 -0600
Message-Id: <1236202436.28664.8.camel@hydrogen.msp.redhat.com>
Subject: [dm-devel] [PATCH] dm-snap-persistent-fix-dtr-cleanup.patch

Prerequisites for this patch are:
1) dm-exception-store-introduce-registry.patch
2) dm-exception-store-move-dm_target-pointer.patch
3) dm-exception-store-move-chunk_fields.patch
4) dm-exception-store-move-cow-pointer.patch
5) dm-snapshot-remove-dm_snap-header-use.patch
6) dm-snapshot-remove-dm_snap-header.patch
7) dm-snapshot-use-DMEMIT-macro-for-status.patch
8) dm-snapshot-move-ctr-parsing-to-exception-store.patch
9) dm-snapshot-move-status-to-exception-store.patch
10) dm-exception-store-generalize-table-args.patch
11) dm-snapshot-new-ctr-table-format.patch
12) dm-snapshot-cleanup.patch
13) dm-snap-minor-fix.patch
14) dm-snap-fix-status-output.patch

 brassow

The persistent exception store destructor does not properly account for all conditions in which it can be called. If it is called after 'ctr' but before 'read_metadata' - like if something else in 'snapshot_ctr' fails - then it will attempt to free areas of memory that haven't been allocated yet.

Signed-off-by: Jonathan Brassow

---
Index: linux-2.6/drivers/md/dm-snap-persistent.c =================================================================== --- linux-2.6.orig/drivers/md/dm-snap-persistent.c +++ linux-2.6/drivers/md/dm-snap-persistent.c
@@ -162,9 +162,12 @@ static int alloc_area(struct pstore *ps) static void free_area(struct pstore *ps) { - vfree(ps->area); + if (ps->area) + vfree(ps->area); ps->area = NULL; - vfree(ps->zero_area); + + if (ps->zero_area) + vfree(ps->zero_area); ps->zero_area = NULL; } @@ -481,10 +484,17 @@ static void persistent_dtr(struct dm_exc { struct pstore *ps = get_info(store); - destroy_workqueue(ps->metadata_wq); - dm_io_client_destroy(ps->io_client); - vfree(ps->callbacks); + /* Created in read_header */ + if (ps->io_client) + dm_io_client_destroy(ps->io_client); free_area(ps); + + /* Allocated in persistent_read_metadata */ + if (ps->callbacks) + vfree(ps->callbacks); + + /* Don't need to check these, because they are done in ctr */ + destroy_workqueue(ps->metadata_wq); kfree(ps); } @@ -661,7 +671,7 @@ static int persistent_ctr(struct dm_exce struct pstore *ps; /* allocate the pstore */ - ps = kmalloc(sizeof(*ps), GFP_KERNEL); + ps = kzalloc(sizeof(*ps), GFP_KERNEL); if (!ps) return -ENOMEM;
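
Review bot: the `if (ps->area)` and `if (ps->zero_area)` tests added in free_area() are redundant, because vfree() already returns early when passed NULL. The original unconditional calls are safe as long as both pointers start out NULL, which the kzalloc() change in persistent_ctr() provides. Suggest dropping this hunk and leaving free_area() as it was.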
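
Review bot: in persistent_dtr(), destroy_workqueue(ps->metadata_wq) moves from the first teardown step to the last, so ps->io_client, the areas and ps->callbacks are now released while the workqueue still exists. If any work can still be pending on metadata_wq when the destructor runs, it would operate on freed state; keep destroy_workqueue() first, or state in the commit message why the new order is safe. Smaller points in the same hunk: the `if (ps->callbacks)` guard is unnecessary since vfree() accepts NULL, and the comment "Don't need to check these" is plural although only metadata_wq follows it.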
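
Review bot: the switch to kzalloc() in persistent_ctr() is what makes every NULL test in persistent_dtr() meaningful, yet neither the commit message nor a comment says so. A short comment at the allocation, noting that the destructor relies on zero-initialised fields for a partially constructed pstore, would keep a later change from reverting it to kmalloc().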