dm cache: fix use after freeing migrations

Both free_io_migration() and issue_discard() dereference a migration
that was just freed.  Fix those by saving off the migrations's cache
object before freeing the migration.  Also cleanup needless mg->cache
dereferences now that the cache object is available directly.

Fixes: e44b6a5a3c ("dm cache: move wake_waker() from free_migrations() to where it is needed")
Signed-off-by: Joe Thornber <ejt@redhat.com>
Signed-off-by: Mike Snitzer <snitzer@redhat.com>

diff --git a/drivers/md/dm-cache-target.c b/drivers/md/dm-cache-target.c
index e13e5edf229857a9223440c63a654c53710150cc..f9d9cc6a094bd4945502f45a10465bfed999fc5a 100644 (file)
--- a/drivers/md/dm-cache-target.c
+++ b/drivers/md/dm-cache-target.c
@@ -1113,9 +1113,11 @@ static void cell_requeue(struct cache *cache, struct dm_bio_prison_cell *cell)
 
 static void free_io_migration(struct dm_cache_migration *mg)
 {
-       dec_io_migrations(mg->cache);
+       struct cache *cache = mg->cache;
+
+       dec_io_migrations(cache);
        free_migration(mg);
-       wake_worker(mg->cache);
+       wake_worker(cache);
 }
 
 static void migration_failure(struct dm_cache_migration *mg)
@@ -1342,17 +1344,18 @@ static void issue_discard(struct dm_cache_migration *mg)
 {
        dm_dblock_t b, e;
        struct bio *bio = mg->new_ocell->holder;
+       struct cache *cache = mg->cache;
 
-       calc_discard_block_range(mg->cache, bio, &b, &e);
+       calc_discard_block_range(cache, bio, &b, &e);
        while (b != e) {
-               set_discard(mg->cache, b);
+               set_discard(cache, b);
                b = to_dblock(from_dblock(b) + 1);
        }
 
        bio_endio(bio, 0);
-       cell_defer(mg->cache, mg->new_ocell, false);
+       cell_defer(cache, mg->new_ocell, false);
        free_migration(mg);
-       wake_worker(mg->cache);
+       wake_worker(cache);
 }
 
 static void issue_copy_or_discard(struct dm_cache_migration *mg)