path: root/mm/backing-dev.c
diff options
authorJens Axboe <jens.axboe@oracle.com>2009-10-29 11:46:12 +0100
committerJens Axboe <jens.axboe@oracle.com>2009-10-29 11:46:12 +0100
commit592b09a42fc3ae6737a0f3ecf4fee42ecd0296f8 (patch)
treed06ca7165c5dfc5224910993b36a50e54a896831 /mm/backing-dev.c
parentblock: use after free bug in __blkdev_get (diff)
backing-dev: ensure that a removed bdi no longer has super_block referencing it
When the bdi is being removed, we have to ensure that no super_blocks currently have that cached in sb->s_bdi. Normally this is ensured by the sb having a longer life span than the bdi, but if the device is suddenly yanked, we have to kill this reference. sb->s_bdi is pointed to freed memory at that point. This fixes a problem with sync(1) hanging when a USB stick is pulled without cleanly umounting it first. Reported-by: Pavel Machek <pavel@ucw.cz> Signed-off-by: Jens Axboe <jens.axboe@oracle.com>
Diffstat (limited to '')
1 files changed, 16 insertions, 0 deletions
diff --git a/mm/backing-dev.c b/mm/backing-dev.c
index 5a37e2055717..1065b715ef64 100644
--- a/mm/backing-dev.c
+++ b/mm/backing-dev.c
@@ -610,6 +610,21 @@ static void bdi_wb_shutdown(struct backing_dev_info *bdi)
+ * This bdi is going away now, make sure that no super_blocks point to it
+ */
+static void bdi_prune_sb(struct backing_dev_info *bdi)
+ struct super_block *sb;
+ spin_lock(&sb_lock);
+ list_for_each_entry(sb, &super_blocks, s_list) {
+ if (sb->s_bdi == bdi)
+ sb->s_bdi = NULL;
+ }
+ spin_unlock(&sb_lock);
void bdi_unregister(struct backing_dev_info *bdi)
if (bdi->dev) {
@@ -682,6 +697,7 @@ void bdi_destroy(struct backing_dev_info *bdi)
+ bdi_prune_sb(bdi);
for (i = 0; i < NR_BDI_STAT_ITEMS; i++)