Avoid dereferencing a 'request_queue' after last close.
On the last close of an 'md' device which as been stopped, the device is destroyed and in particular the request_queue is freed. The free is done in a separate thread so it might happen a short time later. __blkdev_put calls bdev_inode_switch_bdi *after* ->release has been called. Since commit f758eeab bdev_inode_switch_bdi will dereference the 'old' bdi, which lives inside a request_queue, to get a spin lock. This causes the last close on an md device to sometime take a spin_lock which lives in freed memory - which results in an oops. So move the called to bdev_inode_switch_bdi before the call to ->release. Cc: Christoph Hellwig <email@example.com> Cc: Hugh Dickins <firstname.lastname@example.org> Cc: Andrew Morton <email@example.com> Cc: Wu Fengguang <firstname.lastname@example.org> Acked-by: Wu Fengguang <email@example.com> Cc: firstname.lastname@example.org Signed-off-by: NeilBrown <email@example.com>
Showing with 5 additions and 2 deletions