From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1757794AbYD2Df3 (ORCPT ); Mon, 28 Apr 2008 23:35:29 -0400 Received: (majordomo@vger.kernel.org) by vger.kernel.org id S1756545AbYD2Dez (ORCPT ); Mon, 28 Apr 2008 23:34:55 -0400 Received: from mail.suse.de ([195.135.220.2]:57607 "EHLO mx1.suse.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753785AbYD2Deb (ORCPT ); Mon, 28 Apr 2008 23:34:31 -0400 From: NeilBrown To: Andrew Morton Date: Tue, 29 Apr 2008 13:34:47 +1000 Message-Id: <1080429033447.20313@suse.de> X-face: [Gw_3E*Gng}4rRrKRYotwlE?.2|**#s9D Cc: stable@kernel.org Subject: [PATCH 001 of 9] md: Fix use after free when removing rdev via sysfs References: <20080429133104.20146.patches@notabene> Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Dan Williams rdev->mddev is no longer valid upon return from entry->store() when the 'remove' command is given. This should go in 2.6.25.stable. Cc: stable@kernel.org Signed-off-by: Dan Williams Signed-off-by: Neil Brown ### Diffstat output ./drivers/md/md.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff .prev/drivers/md/md.c ./drivers/md/md.c --- .prev/drivers/md/md.c 2008-04-29 12:27:50.000000000 +1000 +++ ./drivers/md/md.c 2008-04-29 12:27:55.000000000 +1000 @@ -2096,7 +2096,7 @@ rdev_attr_store(struct kobject *kobj, st rv = -EBUSY; else rv = entry->store(rdev, page, length); - mddev_unlock(rdev->mddev); + mddev_unlock(mddev); } return rv; }