[PATCH] 2.6.12-rc6: fix __rh_alloc()/rh_update_states() race in dm-raid1.c

Hello,

The attached patch fixes a bug in dm-raid1.c: the region returned by
__rh_alloc() may be freed while it is still in use.

__rh_alloc() write-unlocks the hash_lock after inserting the new region.
Though it read-locks the hash_lock just after that, it's possible
that the region was reclaimed by rh_update_states() as the region
was clean at the time.

   CPU0                                  CPU1
   -----------------------------------------------------------------------
   __rh_alloc()
     write_lock(hash_lock)
     <insert new region to clean list>
     write_unlock(hash_lock)
                                         rh_update_states()
                                           write_lock(hash_lock)
                                           <move clean regions to freeable list>
                                           write_unlock(hash_lock)
                                           <free regions in the freeable list>
     read_lock(hash_lock)
     <return the region>
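A constructed, single-threaded model of the interleaving above and of the retry used in the fix, added here as example code and not taken from dm-raid1 itself: instead of threads and an rwlock, the CPU1 reclaim is injected deterministically at the point where __rh_alloc() has dropped the write lock but not yet taken the read lock, and a `freed` flag stands in for the dangling pointer. The names model_reset, race_pending, rh_find_old and rh_find_new are invented for the model.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed single-threaded model of the race above (not kernel code):
 * 'slot' is one region-hash bucket, and the CPU1 reclaim is injected where
 * __rh_alloc() has dropped the write lock but not yet taken the read lock. */
struct region { int key; bool freed; };
static struct region pool[8];
static int pool_used;
static struct region *slot;   /* the hash bucket */
static bool race_pending;     /* CPU1 runs rh_update_states() in the window */
void model_reset(bool race) { pool_used = 0; slot = NULL; race_pending = race; }

/* rh_update_states(): the region is clean, so it is reclaimed; 'freed'
 * marks the old pointer as dangling instead of really freeing it. */
static void rh_update_states(void) { if (slot) { slot->freed = true; slot = NULL; } }
static struct region *rh_lookup(int key) { return slot && slot->key == key ? slot : NULL; }

/* __rh_alloc(): insert under write_lock, write_unlock, then read_lock. */
static struct region *rh_alloc(int key)
{
	struct region *reg = &pool[pool_used++];
	reg->key = key; reg->freed = false;
	slot = reg;                 /* write_lock(hash_lock) held */
	if (race_pending) {         /* write_unlock ... read_lock window */
		race_pending = false;
		rh_update_states();
	}
	return reg;                 /* read_lock(hash_lock) held */
}

/* Unpatched __rh_find(): trusts the pointer __rh_alloc() returned. */
struct region *rh_find_old(int key)
{
	struct region *reg = rh_lookup(key);
	if (!reg)
		reg = rh_alloc(key);
	return reg;
}

/* Patched __rh_find(): redo the lookup under the re-taken read lock. */
struct region *rh_find_new(int key)
{
	struct region *reg;
retry:
	reg = rh_lookup(key);
	if (!reg) {
		rh_alloc(key);
		goto retry;
	}
	return reg;
}
```

With race_pending set, rh_find_old() hands back a region already marked freed, while rh_find_new() returns the live replacement that the second lookup finds.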

Signed-off-by: Jun'ichi Nomura <[email protected]>

--- kernel/drivers/md/dm-raid1.c.orig	2005-06-16 07:13:50.610325768 -0400
+++ kernel/drivers/md/dm-raid1.c	2005-06-16 10:34:12.510719112 -0400
@@ -269,9 +269,12 @@ static inline struct region *__rh_find(s
 {
 	struct region *reg;
 
+retry:
 	reg = __rh_lookup(rh, region);
-	if (!reg)
+	if (!reg) {
 		reg = __rh_alloc(rh, region);
+		goto retry;
+	}
 
 	return reg;
 }
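Review bot: the retry discards the pointer __rh_alloc() returns, so correctness now rests on __rh_alloc() coming back with hash_lock read-held and on the repeated __rh_lookup() running under that lock; a short comment above `retry:` noting that the region inserted by __rh_alloc() may already have been reclaimed by rh_update_states() before the read lock was retaken would keep a later reader from removing the apparently redundant lookup. If __rh_alloc() can ever return NULL, the `goto retry` would spin instead of reporting the failure, so that is worth confirming in the same change.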
