dm cache: fix use after freeing migrations

Both free_io_migration() and issue_discard() dereference a migration that was just freed. Fix those by saving off the migrations's cache object before freeing the migration. Also cleanup needless mg->cache dereferences now that the cache object is available directly. Fixes: e44b6a5 ("dm cache: move wake_waker() from free_migrations() to where it is needed") Signed-off-by: Joe Thornber <[email protected]> Signed-off-by: Mike Snitzer <[email protected]>
zubinmehta · Sep 1, 2015 · cc7da0b · cc7da0b
1 parent dc9cee5
commit cc7da0b
Showing 1 changed file with 9 additions and 6 deletions.
diff --git a/drivers/md/dm-cache-target.c b/drivers/md/dm-cache-target.c
@@ -1113,9 +1113,11 @@ static void cell_requeue(struct cache *cache, struct dm_bio_prison_cell *cell)
 
 static void free_io_migration(struct dm_cache_migration *mg)
 {
-	dec_io_migrations(mg->cache);
+	struct cache *cache = mg->cache;
+
+	dec_io_migrations(cache);
 	free_migration(mg);
-	wake_worker(mg->cache);
+	wake_worker(cache);
 }
 
 static void migration_failure(struct dm_cache_migration *mg)
@@ -1342,17 +1344,18 @@ static void issue_discard(struct dm_cache_migration *mg)
 {
 	dm_dblock_t b, e;
 	struct bio *bio = mg->new_ocell->holder;
+	struct cache *cache = mg->cache;
 
-	calc_discard_block_range(mg->cache, bio, &b, &e);
+	calc_discard_block_range(cache, bio, &b, &e);
 	while (b != e) {
-		set_discard(mg->cache, b);
+		set_discard(cache, b);
 		b = to_dblock(from_dblock(b) + 1);
 	}
 
 	bio_endio(bio, 0);
-	cell_defer(mg->cache, mg->new_ocell, false);
+	cell_defer(cache, mg->new_ocell, false);
 	free_migration(mg);
-	wake_worker(mg->cache);
+	wake_worker(cache);
 }
 
 static void issue_copy_or_discard(struct dm_cache_migration *mg)