diff options
author | Coly Li <colyli@suse.de> | 2017-09-26 17:54:12 +0800 |
---|---|---|
committer | Jens Axboe <axboe@kernel.dk> | 2017-09-27 14:54:49 -0600 |
commit | a5f3d8a5eaaf917878f07998e6f1ea46024e6bab (patch) | |
tree | 793bcac5f4cc4fb3fbe6b00228b69a745cad0a37 /drivers/block/nbd.c | |
parent | dc972a67cc54585bd83ad811c4e9b6ab3dcd427e (diff) |
bcache: use llist_for_each_entry_safe() in __closure_wake_up()
Commit 09b3efec ("bcache: Don't reinvent the wheel but use existing llist
API") replaces the following while loop by llist_for_each_entry(),
-
- while (reverse) {
- cl = container_of(reverse, struct closure, list);
- reverse = llist_next(reverse);
-
+ llist_for_each_entry(cl, reverse, list) {
closure_set_waiting(cl, 0);
closure_sub(cl, CLOSURE_WAITING + 1);
}
This modification introduces a potential race by iterating a corrupted
list. Here is how it happens.
In the above modification, closure_sub() may wake up a process which is
waiting on reverse list. If this process decides to wait again by calling
closure_wait(), its cl->list will be added to another wait list. Then
when llist_for_each_entry() continues to iterate next node, it will travel
on another new wait list which is added in closure_wait(), not the
original reverse list in __closure_wake_up(). It is more probably to
happen on UP machine because the waked up process may preempt the process
which wakes up it.
Use llist_for_each_entry_safe() will fix the issue, the safe version fetch
next node before waking up a process. Then the copy of next node will make
sure list iteration stays on original reverse list.
Fixes: 09b3efec81de ("bcache: Don't reinvent the wheel but use existing llist API")
Signed-off-by: Coly Li <colyli@suse.de>
Reported-by: Michael Lyle <mlyle@lyle.org>
Reviewed-by: Byungchul Park <byungchul.park@lge.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Diffstat (limited to 'drivers/block/nbd.c')
0 files changed, 0 insertions, 0 deletions