| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <BANLkTi=ma7WDo9=kKwZGwuhi=qUEB8EW5g@mail.gmail.com>
Date: Mon, 11 Apr 2011 09:54:11 +0800
From: Shaohua Li <shli@...nel.org>
To: Paul Bolle <pebolle@...cali.nl>
Cc: Jens Axboe <axboe@...nel.dk>, linux-kernel@...r.kernel.org
Subject: Re: block: ioc->refcount accessed twice in put_io_context()?
2011/4/10 Paul Bolle <pebolle@...cali.nl>:
> 0) Looking for clues to solve a problem I ran into, I noticed something
> odd in block/blk-ioc.c:put_io_context(). It seems it accesses the atomic
> variable ioc->refcount twice in a way which suggests things might race.
>
> 1) Code is more exact than words, so this (entirely untested) patch to
> solve this possible race might describe better what this is all about:
>
> @@ -33,12 +33,16 @@ static void cfq_dtor(struct io_context *ioc)
> */
> int put_io_context(struct io_context *ioc)
> {
> + int new;
> +
> if (ioc == NULL)
> return 1;
>
> - BUG_ON(atomic_long_read(&ioc->refcount) == 0);
> + new = atomic_long_dec_return(&ioc->refcount);
> +
> + BUG_ON(new < 0);
>
> - if (atomic_long_dec_and_test(&ioc->refcount)) {
> + if (new == 0) {
> rcu_read_lock();
> cfq_dtor(ioc);
> rcu_read_unlock();
>
so you hit this line?
BUG_ON(atomic_long_read(&ioc->refcount) == 0);
this suggests something else is already wrong, you should fix that.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists