Re: [dm-devel] [patch] dm-raid1.c fix a race bug in __rh_alloc()

Jonathan E Brassow <jbrassow@xxxxxxxxxx> · Fri, 24 Jun 2005 10:33:25 -0500

I believe this also fixes Jun'ichi's issue ([dm-devel] [PATCH] 2.6.12-rc6: fix __rh_alloc()/rh_update_states() race in dm-raid1.c)



brassow



On Jun 16, 2005, at 9:21 PM, Zhao Qian wrote:



after write_unlock_irq and just before read_lock, there's a small window which enables a race causing deletion of the region struct in function rh_update_states(). then in rh_dec(), the __rh_lookup() will return null, causing kernel panic. 





[root@darkstar md]# diff -u dm-raid1.orig.c dm-raid1.c

--- dm-raid1.orig.c     2005-06-16 14:17:04.000000000 +0800

+++ dm-raid1.c  2005-06-17 10:02:04.000000000 +0800

@@ -252,15 +252,16 @@



else {

__rh_insert(rh, nreg);

-               if (nreg->state == RH_CLEAN) {

-                       spin_lock(&rh->region_lock);

-                       list_add(&nreg->list, &rh->clean_regions);

-                       spin_unlock(&rh->region_lock);

-               }

reg = nreg;

}

write_unlock_irq(&rh->hash_lock);

read_lock(&rh->hash_lock);

+       if (reg->state == RH_CLEAN) {

+               spin_lock(&rh->region_lock);

+               if ( list_empty(&reg->list) )

+                       list_add(&reg->list, &rh->clean_regions);

+               spin_unlock(&rh->region_lock);

+       }



return reg;

}



Sincerely,

Johnson <dujun@xxxxxxxxxxx>

AiM9 <zhaoqian@xxxxxxxxxxx>



--



dm-devel@xxxxxxxxxx

https://www.redhat.com/mailman/listinfo/dm-devel







