From 07416d29bcf608257f1e5280642dcbe0021518a3 Mon Sep 17 00:00:00 2001 From: Jens Axboe Date: Wed, 7 May 2008 09:17:12 +0200 Subject: cfq-iosched: fix RCU race in the cfq io_context destructor handling put_io_context() drops the RCU read lock before calling into cfq_dtor(), however we need to hold off freeing there before grabbing and dereferencing the first object on the list. So extend the rcu_read_lock() scope to cover the calling of cfq_dtor(), and optimize cfq_free_io_context() to use a new variant for call_for_each_cic() that assumes the RCU read lock is already held. Hit in the wild by Alexey Dobriyan Signed-off-by: Jens Axboe --- block/blk-ioc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'block/blk-ioc.c') diff --git a/block/blk-ioc.c b/block/blk-ioc.c index e34df7c9fc36..012f065ac8e2 100644 --- a/block/blk-ioc.c +++ b/block/blk-ioc.c @@ -41,8 +41,8 @@ int put_io_context(struct io_context *ioc) rcu_read_lock(); if (ioc->aic && ioc->aic->dtor) ioc->aic->dtor(ioc->aic); - rcu_read_unlock(); cfq_dtor(ioc); + rcu_read_unlock(); kmem_cache_free(iocontext_cachep, ioc); return 1; -- cgit v1.2.2