From: Jonathan Brassow The persistent exception store destructor does not properly account for all conditions in which it can be called. If it is called after 'ctr' but before 'read_metadata' (e.g. if something else in 'snapshot_ctr' fails) then it will attempt to free areas of memory that haven't been allocated yet. Signed-off-by: Jonathan Brassow Signed-off-by: Alasdair G Kergon --- drivers/md/dm-snap-persistent.c | 20 +++++++++++++++----- 1 files changed, 15 insertions(+), 5 deletions(-) Index: linux-2.6.29/drivers/md/dm-snap-persistent.c =================================================================== --- linux-2.6.29.orig/drivers/md/dm-snap-persistent.c 2009-04-02 16:49:52.000000000 +0100 +++ linux-2.6.29/drivers/md/dm-snap-persistent.c 2009-04-02 16:49:54.000000000 +0100 @@ -162,9 +162,12 @@ static int alloc_area(struct pstore *ps) static void free_area(struct pstore *ps) { - vfree(ps->area); + if (ps->area) + vfree(ps->area); ps->area = NULL; - vfree(ps->zero_area); + + if (ps->zero_area) + vfree(ps->zero_area); ps->zero_area = NULL; } @@ -482,9 +485,16 @@ static void persistent_dtr(struct dm_exc struct pstore *ps = get_info(store); destroy_workqueue(ps->metadata_wq); - dm_io_client_destroy(ps->io_client); - vfree(ps->callbacks); + + /* Created in read_header */ + if (ps->io_client) + dm_io_client_destroy(ps->io_client); free_area(ps); + + /* Allocated in persistent_read_metadata */ + if (ps->callbacks) + vfree(ps->callbacks); + kfree(ps); } @@ -661,7 +671,7 @@ static int persistent_ctr(struct dm_exce struct pstore *ps; /* allocate the pstore */ - ps = kmalloc(sizeof(*ps), GFP_KERNEL); + ps = kzalloc(sizeof(*ps), GFP_KERNEL); if (!ps) return -ENOMEM;