]> www.pilppa.org Git - linux-2.6-omap-h63xx.git/blobdiff - drivers/md/md.c
projects / linux-2.6-omap-h63xx.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
md: fix use-after-free bug when dropping an rdev from an md array
[linux-2.6-omap-h63xx.git] / drivers / md / md.c
diff --git a/drivers/md/md.c b/drivers/md/md.c
index 08e0f8d672c3b712ee15e13d73f91c14e732f6c1..6cdd1b4faca69df171161392d4c4f5c72e6b8981 100644 (file)
--- a/drivers/md/md.c
+++ b/drivers/md/md.c
@@ -1419,10 +1419,11 @@ static int bind_rdev_to_array(mdk_rdev_t * rdev, mddev_t * mddev)
        return err;
 }
 
-static void delayed_delete(struct work_struct *ws)
+static void md_delayed_delete(struct work_struct *ws)
 {
        mdk_rdev_t *rdev = container_of(ws, mdk_rdev_t, del_work);
        kobject_del(&rdev->kobj);
+       kobject_put(&rdev->kobj);
 }
 
 static void unbind_rdev_from_array(mdk_rdev_t * rdev)
@@ -1441,7 +1442,8 @@ static void unbind_rdev_from_array(mdk_rdev_t * rdev)
        /* We need to delay this, otherwise we can deadlock when
         * writing to 'remove' to "dev/state"
         */
-       INIT_WORK(&rdev->del_work, delayed_delete);
+       INIT_WORK(&rdev->del_work, md_delayed_delete);
+       kobject_get(&rdev->kobj);
        schedule_work(&rdev->del_work);
 }
 
@@ -3686,7 +3688,7 @@ static int do_md_stop(mddev_t * mddev, int mode)
                                sysfs_remove_link(&mddev->kobj, nm);
                        }
 
-               /* make sure all delayed_delete calls have finished */
+               /* make sure all md_delayed_delete calls have finished */
                flush_scheduled_work();
 
                export_array(mddev);
Unnamed repository; edit this file 'description' to name the repository.