==> Regarding [PATCH] dio: lock refcount operations; Zach Brown <[email protected]> adds:
zach.brown> dio: lock refcount operations
zach.brown>
zach.brown> The wait_for_more_bios() function name was poorly chosen. While
zach.brown> looking to clean it up I noticed that the dio struct refcounting
zach.brown> between the bio completion and dio submission paths was racy.
zach.brown> The bio submission path was simply freeing the dio struct if
zach.brown> atomic_dec_and_test() indicated that it dropped the final
zach.brown> reference.
zach.brown> The aio bio completion path was dereferencing its dio struct
zach.brown> pointer *after dropping its reference* based on the remaining
zach.brown> number of references.
zach.brown> These two paths could race and result in the aio bio completion
zach.brown> path dereferencing a freed dio, though this was not observed in
zach.brown> the wild.
I don't believe that this can happen. dio_bio_end_aio will only reference
the dio if (remaining == 1 && waiter_holds_ref). If the waiter is holding
the reference, then the bio submission path would not have dropped its
reference yet!
-Jeff