On 5/5/21 7:58 AM, Ming Lei wrote:
diff --git a/block/blk-mq-tag.c b/block/blk-mq-tag.c
index 4a40d409f5dd..8b239dcce85f 100644
--- a/block/blk-mq-tag.c
+++ b/block/blk-mq-tag.c
@@ -203,9 +203,14 @@ static struct request *blk_mq_find_and_get_req(struct blk_mq_tags *tags,
unsigned int bitnr)
{
struct request *rq = tags->rqs[bitnr];
+ unsigned long flags;
- if (!rq || !refcount_inc_not_zero(&rq->ref))
+ spin_lock_irqsave(&tags->lock, flags);
+ if (!rq || !refcount_inc_not_zero(&rq->ref)) {
+ spin_unlock_irqrestore(&tags->lock, flags);
return NULL;
+ }
+ spin_unlock_irqrestore(&tags->lock, flags);
return rq;
}
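Review bot: The unlock is now duplicated on both exit paths of blk_mq_find_and_get_req, which makes the critical section harder to extend later (a third return would need a third spin_unlock_irqrestore). Folding the failure case into the return value keeps a single lock/unlock pair: `if (!rq || !refcount_inc_not_zero(&rq->ref))` followed by `rq = NULL;`, then one `spin_unlock_irqrestore(&tags->lock, flags);` before `return rq;`. The new locking also deserves a one-line comment above spin_lock_irqsave stating which writer of tags->rqs[] it serializes against, since the hunk itself shows only the reader side and the pairing is not visible here (presumably the path that clears the slot — confirm against the clearing side).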
Shouldn't the 'rq = tags->rqs[bitnr]' assignment be protected by
tags->lock too? Otherwise a request pointer could be read before the
request pointer clearing happens and the refcount_inc_not_zero() call
could happen after the request clearing.
Thanks,
Bart.