aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJens Axboe <jens.axboe@oracle.com>2008-05-07 03:17:12 -0400
committerJens Axboe <jens.axboe@oracle.com>2008-05-07 03:28:57 -0400
commit07416d29bcf608257f1e5280642dcbe0021518a3 (patch)
tree6b88b2b043cac10b34234320c68e06848c00127c
parentaa94b5371f6f898558d9fa5690cc6e4bf917a572 (diff)
cfq-iosched: fix RCU race in the cfq io_context destructor handling
put_io_context() drops the RCU read lock before calling into cfq_dtor(), however we need to hold off freeing there before grabbing and dereferencing the first object on the list. So extend the rcu_read_lock() scope to cover the calling of cfq_dtor(), and optimize cfq_free_io_context() to use a new variant for call_for_each_cic() that assumes the RCU read lock is already held. Hit in the wild by Alexey Dobriyan <adobriyan@gmail.com> Signed-off-by: Jens Axboe <jens.axboe@oracle.com>
-rw-r--r--block/blk-ioc.c2
-rw-r--r--block/cfq-iosched.c19
2 files changed, 14 insertions, 7 deletions
diff --git a/block/blk-ioc.c b/block/blk-ioc.c
index e34df7c9fc36..012f065ac8e2 100644
--- a/block/blk-ioc.c
+++ b/block/blk-ioc.c
@@ -41,8 +41,8 @@ int put_io_context(struct io_context *ioc)
41 rcu_read_lock(); 41 rcu_read_lock();
42 if (ioc->aic && ioc->aic->dtor) 42 if (ioc->aic && ioc->aic->dtor)
43 ioc->aic->dtor(ioc->aic); 43 ioc->aic->dtor(ioc->aic);
44 rcu_read_unlock();
45 cfq_dtor(ioc); 44 cfq_dtor(ioc);
45 rcu_read_unlock();
46 46
47 kmem_cache_free(iocontext_cachep, ioc); 47 kmem_cache_free(iocontext_cachep, ioc);
48 return 1; 48 return 1;
diff --git a/block/cfq-iosched.c b/block/cfq-iosched.c
index f4e1006c253d..7f909d2f4886 100644
--- a/block/cfq-iosched.c
+++ b/block/cfq-iosched.c
@@ -1142,6 +1142,17 @@ static void cfq_put_queue(struct cfq_queue *cfqq)
1142 kmem_cache_free(cfq_pool, cfqq); 1142 kmem_cache_free(cfq_pool, cfqq);
1143} 1143}
1144 1144
1145static void
1146__call_for_each_cic(struct io_context *ioc,
1147 void (*func)(struct io_context *, struct cfq_io_context *))
1148{
1149 struct cfq_io_context *cic;
1150 struct hlist_node *n;
1151
1152 hlist_for_each_entry_rcu(cic, n, &ioc->cic_list, cic_list)
1153 func(ioc, cic);
1154}
1155
1145/* 1156/*
1146 * Call func for each cic attached to this ioc. 1157 * Call func for each cic attached to this ioc.
1147 */ 1158 */
@@ -1149,12 +1160,8 @@ static void
1149call_for_each_cic(struct io_context *ioc, 1160call_for_each_cic(struct io_context *ioc,
1150 void (*func)(struct io_context *, struct cfq_io_context *)) 1161 void (*func)(struct io_context *, struct cfq_io_context *))
1151{ 1162{
1152 struct cfq_io_context *cic;
1153 struct hlist_node *n;
1154
1155 rcu_read_lock(); 1163 rcu_read_lock();
1156 hlist_for_each_entry_rcu(cic, n, &ioc->cic_list, cic_list) 1164 __call_for_each_cic(ioc, func);
1157 func(ioc, cic);
1158 rcu_read_unlock(); 1165 rcu_read_unlock();
1159} 1166}
1160 1167
@@ -1198,7 +1205,7 @@ static void cfq_free_io_context(struct io_context *ioc)
1198 * should be ok to iterate over the known list, we will see all cic's 1205 * should be ok to iterate over the known list, we will see all cic's
1199 * since no new ones are added. 1206 * since no new ones are added.
1200 */ 1207 */
1201 call_for_each_cic(ioc, cic_free_func); 1208 __call_for_each_cic(ioc, cic_free_func);
1202} 1209}
1203 1210
1204static void cfq_exit_cfqq(struct cfq_data *cfqd, struct cfq_queue *cfqq) 1211static void cfq_exit_cfqq(struct cfq_data *cfqd, struct cfq_queue *cfqq)