cfq-iosched: fix RCU race in the cfq io_context destructor handling

To: <git-commits-head@...>
Date: Thursday, May 8, 2008 - 5:59 pm

Gitweb:     http://git.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=07416d...
Commit:     07416d29bcf608257f1e5280642dcbe0021518a3
Parent:     aa94b5371f6f898558d9fa5690cc6e4bf917a572
Author:     Jens Axboe <jens.axboe@oracle.com>
AuthorDate: Wed May 7 09:17:12 2008 +0200
Committer:  Jens Axboe <jens.axboe@oracle.com>
CommitDate: Wed May 7 09:28:57 2008 +0200

    cfq-iosched: fix RCU race in the cfq io_context destructor handling
    
    put_io_context() drops the RCU read lock before calling into cfq_dtor(),
    however we need to hold off freeing there before grabbing and
    dereferencing the first object on the list.
    
    So extend the rcu_read_lock() scope to cover the calling of cfq_dtor(),
    and optimize cfq_free_io_context() to use a new variant for
    call_for_each_cic() that assumes the RCU read lock is already held.
    
    Hit in the wild by Alexey Dobriyan <adobriyan@gmail.com>
    
    Signed-off-by: Jens Axboe <jens.axboe@oracle.com>
---
 block/blk-ioc.c     |    2 +-
 block/cfq-iosched.c |   19 +++++++++++++------
 2 files changed, 14 insertions(+), 7 deletions(-)

diff --git a/block/blk-ioc.c b/block/blk-ioc.c
index e34df7c..012f065 100644
--- a/block/blk-ioc.c
+++ b/block/blk-ioc.c
@@ -41,8 +41,8 @@ int put_io_context(struct io_context *ioc)
 		rcu_read_lock();
 		if (ioc->aic && ioc->aic->dtor)
 			ioc->aic->dtor(ioc->aic);
-		rcu_read_unlock();
 		cfq_dtor(ioc);
+		rcu_read_unlock();
 
 		kmem_cache_free(iocontext_cachep, ioc);
 		return 1;
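Review bot: In put_io_context(), moving rcu_read_unlock() below cfq_dtor(ioc) makes the RCU read-side section a precondition of cfq_dtor(), but nothing at the call site records that, and the old ordering shows how easily the unlock can drift back above the call. A short comment above cfq_dtor(ioc) saying the read lock must stay held until the cic list walk has finished would protect this ordering. Everything reached through cfq_dtor() now also runs inside an RCU read-side critical section, so it is worth confirming that nothing on the destructor path can block.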
diff --git a/block/cfq-iosched.c b/block/cfq-iosched.c
index f4e1006..7f909d2 100644
--- a/block/cfq-iosched.c
+++ b/block/cfq-iosched.c
@@ -1142,6 +1142,17 @@ static void cfq_put_queue(struct cfq_queue *cfqq)
 	kmem_cache_free(cfq_pool, cfqq);
 }
 
+static void
+__call_for_each_cic(struct io_context *ioc,
+		    void (*func)(struct io_context *, struct cfq_io_context *))
+{
+	struct cfq_io_context *cic;
+	struct hlist_node *n;
+
+	hlist_for_each_entry_rcu(cic, n, &ioc->cic_list, cic_list)
+		func(ioc, cic);
+}
+
 /*
  * Call func for each cic attached to this ioc.
  */
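Review bot: __call_for_each_cic() walks ioc->cic_list with hlist_for_each_entry_rcu() without taking rcu_read_lock() itself, and that requirement is not documented on the new function. The existing comment "Call func for each cic attached to this ioc." stays attached to call_for_each_cic(), so the helper needs its own comment stating that the caller must already hold the RCU read lock; the commit message says so, but the code does not.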
@@ -1149,12 +1160,8 @@ static void
 call_for_each_cic(struct io_context *ioc,
 		  void (*func)(struct io_context *, struct cfq_io_context *))
 {
-	struct cfq_io_context *cic;
-	struct hlist_node *n;
-
 	rcu_read_lock();
-	hlist_for_each_entry_rcu(cic, n, &ioc->cic_list, cic_list)
-		func(ioc, cic);
+	__call_for_each_cic(ioc, func);
 	rcu_read_unlock();
 }
 
@@ -1198,7 +1205,7 @@ static void cfq_free_io_context(struct io_context *ioc)
 	 * should be ok to iterate over the known list, we will see all cic's
 	 * since no new ones are added.
 	 */
-	call_for_each_cic(ioc, cic_free_func);
+	__call_for_each_cic(ioc, cic_free_func);
 }
 
 static void cfq_exit_cfqq(struct cfq_data *cfqd, struct cfq_queue *cfqq)
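Review bot: In cfq_free_io_context(), switching to __call_for_each_cic() drops the function's own rcu_read_lock(), so it is now safe only when every caller already holds the read lock. The comment just above the call still explains only why no new cic's appear; extend it to name the locking precondition. Also check that no caller reaches this function without the read lock, since the diff shows only put_io_context() being changed to hold it across cfq_dtor().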