From bfc5ecdf48b529f6a2bd98ba26bfac39ca8cd8a5 Mon Sep 17 00:00:00 2001 From: Alasdair G Kergon Date: Wed, 8 Nov 2006 17:44:42 -0800 Subject: [PATCH] [PATCH] dm: fix find_device race There is a race between dev_create() and find_device(). If the mdptr has not yet been stored against a device, find_device() needs to behave as though no device was found. It already returns NULL, but there is a dm_put() missing: it must drop the reference dm_get_md() took. The bug was introduced by dm-fix-mapped-device-ref-counting.patch. It manifests itself if another dm ioctl attempts to reference a newly-created device while the device creation ioctl is still running. The consequence is that the device cannot be removed until the machine is rebooted. Certain udev configurations can lead to this happening. Signed-off-by: Alasdair G Kergon Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds --- drivers/md/dm-ioctl.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/drivers/md/dm-ioctl.c b/drivers/md/dm-ioctl.c index d13bb15a8a02..4510ad8f971c 100644 --- a/drivers/md/dm-ioctl.c +++ b/drivers/md/dm-ioctl.c @@ -606,9 +606,14 @@ static struct hash_cell *__find_device_hash_cell(struct dm_ioctl *param) return __get_name_cell(param->name); md = dm_get_md(huge_decode_dev(param->dev)); - if (md) - mdptr = dm_get_mdptr(md); + if (!md) + goto out; + mdptr = dm_get_mdptr(md); + if (!mdptr) + dm_put(md); + +out: return mdptr; }