dm rq: cope with DM device destruction while in dm_old_request_fn()
authorMike Snitzer <snitzer@redhat.com>
Wed, 25 Jan 2017 15:24:52 +0000 (16:24 +0100)
committerMike Snitzer <snitzer@redhat.com>
Fri, 3 Feb 2017 15:18:43 +0000 (10:18 -0500)
Fixes a crash in dm_table_find_target() due to a NULL struct dm_table
being passed from dm_old_request_fn() that races with DM device
destruction.

Reported-by: artem@flashgrid.io
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
Cc: stable@vger.kernel.org
drivers/md/dm-rq.c

index 9d7275fb541ad422b171cbe0ee43335e3e1efc27..6e702fc69a83cb27f6bc1792d4871ad18d708f71 100644 (file)
@@ -779,6 +779,10 @@ static void dm_old_request_fn(struct request_queue *q)
                int srcu_idx;
                struct dm_table *map = dm_get_live_table(md, &srcu_idx);
 
+               if (unlikely(!map)) {
+                       dm_put_live_table(md, srcu_idx);
+                       return;
+               }
                ti = dm_table_find_target(map, pos);
                dm_put_live_table(md, srcu_idx);
        }