diff options
author | OGAWA Hirofumi <hirofumi@mail.parknet.co.jp> | 2006-04-18 19:18:31 +0200 |
---|---|---|
committer | Jens Axboe <axboe@suse.de> | 2006-04-18 19:18:31 +0200 |
commit | be3b075354e170368a0d29558cae492205e80a64 (patch) | |
tree | b37af91addb8d214b9010774f5cf31538a501267 /block/cfq-iosched.c | |
parent | dbecf3ab40b5a6cc4499543778cd9f9682c0abad (diff) | |
download | kernel_samsung_smdk4412-be3b075354e170368a0d29558cae492205e80a64.tar.gz kernel_samsung_smdk4412-be3b075354e170368a0d29558cae492205e80a64.tar.bz2 kernel_samsung_smdk4412-be3b075354e170368a0d29558cae492205e80a64.zip |
[PATCH] cfq: Further rbtree traversal and cfq_exit_queue() race fix
In current code, we are re-reading cic->key after dead cic->key check.
So, in theory, it may really re-read *after* cfq_exit_queue() seted NULL.
To avoid race, we copy it to stack, then use it. With this change, I
guess gcc will assign cic->key to a register or stack, and it wouldn't
be re-readed.
Signed-off-by: OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>
Signed-off-by: Jens Axboe <axboe@suse.de>
Diffstat (limited to 'block/cfq-iosched.c')
-rw-r--r-- | block/cfq-iosched.c | 19 |
1 files changed, 12 insertions, 7 deletions
diff --git a/block/cfq-iosched.c b/block/cfq-iosched.c index 246feae16c6..2540dfaa3e3 100644 --- a/block/cfq-iosched.c +++ b/block/cfq-iosched.c @@ -1487,20 +1487,22 @@ cfq_cic_rb_lookup(struct cfq_data *cfqd, struct io_context *ioc) { struct rb_node *n; struct cfq_io_context *cic; - void *key = cfqd; + void *k, *key = cfqd; restart: n = ioc->cic_root.rb_node; while (n) { cic = rb_entry(n, struct cfq_io_context, rb_node); - if (unlikely(!cic->key)) { + /* ->key must be copied to avoid race with cfq_exit_queue() */ + k = cic->key; + if (unlikely(!k)) { cfq_drop_dead_cic(ioc, cic); goto restart; } - if (key < cic->key) + if (key < k) n = n->rb_left; - else if (key > cic->key) + else if (key > k) n = n->rb_right; else return cic; @@ -1516,6 +1518,7 @@ cfq_cic_link(struct cfq_data *cfqd, struct io_context *ioc, struct rb_node **p; struct rb_node *parent; struct cfq_io_context *__cic; + void *k; cic->ioc = ioc; cic->key = cfqd; @@ -1527,14 +1530,16 @@ restart: while (*p) { parent = *p; __cic = rb_entry(parent, struct cfq_io_context, rb_node); - if (unlikely(!__cic->key)) { + /* ->key must be copied to avoid race with cfq_exit_queue() */ + k = __cic->key; + if (unlikely(!k)) { cfq_drop_dead_cic(ioc, cic); goto restart; } - if (cic->key < __cic->key) + if (cic->key < k) p = &(*p)->rb_left; - else if (cic->key > __cic->key) + else if (cic->key > k) p = &(*p)->rb_right; else BUG(); |