after write_unlock_irq and just before read_lock, there's a small window which enables a race causing deletion of the region struct in function rh_update_states(). then in rh_dec(), the __rh_lookup() will return null, causing kernel panic.
[root@darkstar md]# diff -u dm-raid1.orig.c dm-raid1.c
--- dm-raid1.orig.c 2005-06-16 14:17:04.000000000 +0800
+++ dm-raid1.c 2005-06-17 10:02:04.000000000 +0800
@@ -252,15 +252,16 @@
 else {
 __rh_insert(rh, nreg);
- if (nreg->state == RH_CLEAN) {
- spin_lock(&rh->region_lock);
- list_add(&nreg->list, &rh->clean_regions);
- spin_unlock(&rh->region_lock);
- }
 reg = nreg;
 }
 write_unlock_irq(&rh->hash_lock);
 read_lock(&rh->hash_lock);
+ if (reg->state == RH_CLEAN) {
+ spin_lock(&rh->region_lock);
+ if ( list_empty(®->list) )
+ list_add(®->list, &rh->clean_regions);
+ spin_unlock(&rh->region_lock);
+ }
 return reg;
 }
Sincerely, Johnson <dujun@xxxxxxxxxxx> AiM9 <zhaoqian@xxxxxxxxxxx>
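Review bot: In the added block `reg->state` is tested before `spin_lock(&rh->region_lock)` is taken, so any other path that changes a region's state and unlinks it while holding only the read side of hash_lock can slip in between the test and the list_empty() check, after which a region that is no longer clean would be put back on clean_regions; the test belongs inside the lock: `spin_lock(&rh->region_lock); if (reg->state == RH_CLEAN && list_empty(&reg->list)) list_add(&reg->list, &rh->clean_regions); spin_unlock(&rh->region_lock);`. The removed code took region_lock while write_lock_irq already had interrupts disabled, whereas the new site runs under read_lock with interrupts enabled, so if region_lock is taken with spin_lock_irq or from interrupt context elsewhere in the file, this call needs to be spin_lock_irq as well — worth confirming against the other region_lock users. Because in the "lost the race" branch reg is the pre-existing region rather than nreg, the new block now also re-lists any existing RH_CLEAN region whose list head is empty; if that is intended it deserves a one-line comment such as `/* re-list a clean region dropped by a racing rh_update_states() */`, and if not, the add should be limited to the freshly inserted nreg. The `®->list` in the added lines looks like an HTML-entity-mangled `&reg->list` in the mail rendering rather than the patch itself, but it should be checked before applying. The start of __rh_alloc() lies outside the hunk.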