Hello,
the attached patch fixes the bug in dm-raid1.c that
the region returned by __rh_alloc() may be freed while
it's in use.
__rh_alloc() write-unlocks the hash_lock after inserting the new region.
Though it read-locks the hash-lock just after that, it's possible
that the region was reclaimed by rh_update_states() as the region
was clean at the time.
CPU0 CPU1
-----------------------------------------------------------------------
__rh_alloc()
write_lock(hash_lock)
<insert new region to clean list>
write_unlock(hash_lock)
rh_update_states()
write_lock(hash_lock)
<move clean regions to freeable list>
write_unlock(hash_lock)
<free regions in the freeable list>
read_lock(hash_lock)
<return the region>
Signed-off-by: Jun'ichi Nomura <j-nomura@xxxxxxxxxxxxx>
--- kernel/drivers/md/dm-raid1.c.orig 2005-06-16 07:13:50.610325768 -0400
+++ kernel/drivers/md/dm-raid1.c 2005-06-16 10:34:12.510719112 -0400
@@ -269,9 +269,12 @@ static inline struct region *__rh_find(s
{
struct region *reg;
+retry:
reg = __rh_lookup(rh, region);
- if (!reg)
+ if (!reg) {
reg = __rh_alloc(rh, region);
+ goto retry;
+ }
return reg;
}
