diff options
| author | OGAWA Hirofumi <hirofumi@mail.parknet.co.jp> | 2006-04-18 13:18:31 -0400 |
|---|---|---|
| committer | Jens Axboe <axboe@suse.de> | 2006-04-18 13:18:31 -0400 |
| commit | be3b075354e170368a0d29558cae492205e80a64 (patch) | |
| tree | b37af91addb8d214b9010774f5cf31538a501267 | |
| parent | dbecf3ab40b5a6cc4499543778cd9f9682c0abad (diff) | |
[PATCH] cfq: Further rbtree traversal and cfq_exit_queue() race fix
In current code, we are re-reading cic->key after dead cic->key check.
So, in theory, it may really re-read *after* cfq_exit_queue() seted NULL.
To avoid race, we copy it to stack, then use it. With this change, I
guess gcc will assign cic->key to a register or stack, and it wouldn't
be re-readed.
Signed-off-by: OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>
Signed-off-by: Jens Axboe <axboe@suse.de>
| -rw-r--r-- | block/cfq-iosched.c | 19 |
1 files changed, 12 insertions, 7 deletions
diff --git a/block/cfq-iosched.c b/block/cfq-iosched.c index 246feae16c60..2540dfaa3e38 100644 --- a/block/cfq-iosched.c +++ b/block/cfq-iosched.c | |||
| @@ -1487,20 +1487,22 @@ cfq_cic_rb_lookup(struct cfq_data *cfqd, struct io_context *ioc) | |||
| 1487 | { | 1487 | { |
| 1488 | struct rb_node *n; | 1488 | struct rb_node *n; |
| 1489 | struct cfq_io_context *cic; | 1489 | struct cfq_io_context *cic; |
| 1490 | void *key = cfqd; | 1490 | void *k, *key = cfqd; |
| 1491 | 1491 | ||
| 1492 | restart: | 1492 | restart: |
| 1493 | n = ioc->cic_root.rb_node; | 1493 | n = ioc->cic_root.rb_node; |
| 1494 | while (n) { | 1494 | while (n) { |
| 1495 | cic = rb_entry(n, struct cfq_io_context, rb_node); | 1495 | cic = rb_entry(n, struct cfq_io_context, rb_node); |
| 1496 | if (unlikely(!cic->key)) { | 1496 | /* ->key must be copied to avoid race with cfq_exit_queue() */ |
| 1497 | k = cic->key; | ||
| 1498 | if (unlikely(!k)) { | ||
| 1497 | cfq_drop_dead_cic(ioc, cic); | 1499 | cfq_drop_dead_cic(ioc, cic); |
| 1498 | goto restart; | 1500 | goto restart; |
| 1499 | } | 1501 | } |
| 1500 | 1502 | ||
| 1501 | if (key < cic->key) | 1503 | if (key < k) |
| 1502 | n = n->rb_left; | 1504 | n = n->rb_left; |
| 1503 | else if (key > cic->key) | 1505 | else if (key > k) |
| 1504 | n = n->rb_right; | 1506 | n = n->rb_right; |
| 1505 | else | 1507 | else |
| 1506 | return cic; | 1508 | return cic; |
| @@ -1516,6 +1518,7 @@ cfq_cic_link(struct cfq_data *cfqd, struct io_context *ioc, | |||
| 1516 | struct rb_node **p; | 1518 | struct rb_node **p; |
| 1517 | struct rb_node *parent; | 1519 | struct rb_node *parent; |
| 1518 | struct cfq_io_context *__cic; | 1520 | struct cfq_io_context *__cic; |
| 1521 | void *k; | ||
| 1519 | 1522 | ||
| 1520 | cic->ioc = ioc; | 1523 | cic->ioc = ioc; |
| 1521 | cic->key = cfqd; | 1524 | cic->key = cfqd; |
| @@ -1527,14 +1530,16 @@ restart: | |||
| 1527 | while (*p) { | 1530 | while (*p) { |
| 1528 | parent = *p; | 1531 | parent = *p; |
| 1529 | __cic = rb_entry(parent, struct cfq_io_context, rb_node); | 1532 | __cic = rb_entry(parent, struct cfq_io_context, rb_node); |
| 1530 | if (unlikely(!__cic->key)) { | 1533 | /* ->key must be copied to avoid race with cfq_exit_queue() */ |
| 1534 | k = __cic->key; | ||
| 1535 | if (unlikely(!k)) { | ||
| 1531 | cfq_drop_dead_cic(ioc, cic); | 1536 | cfq_drop_dead_cic(ioc, cic); |
| 1532 | goto restart; | 1537 | goto restart; |
| 1533 | } | 1538 | } |
| 1534 | 1539 | ||
| 1535 | if (cic->key < __cic->key) | 1540 | if (cic->key < k) |
| 1536 | p = &(*p)->rb_left; | 1541 | p = &(*p)->rb_left; |
| 1537 | else if (cic->key > __cic->key) | 1542 | else if (cic->key > k) |
| 1538 | p = &(*p)->rb_right; | 1543 | p = &(*p)->rb_right; |
| 1539 | else | 1544 | else |
| 1540 | BUG(); | 1545 | BUG(); |