[dm-devel] [patch] dm-raid1.c fix a race bug in __rh_alloc()

Zhao Qian zhaoqian at aaastor.com
Fri Jun 17 02:21:30 UTC 2005


After write_unlock_irq and just before read_lock, there is a small window that allows a race causing deletion of the region struct in rh_update_states(). Then in rh_dec(), __rh_lookup() will return NULL, causing a kernel panic.


[root at darkstar md]# diff -u dm-raid1.orig.c dm-raid1.c 
--- dm-raid1.orig.c     2005-06-16 14:17:04.000000000 +0800
+++ dm-raid1.c  2005-06-17 10:02:04.000000000 +0800
@@ -252,15 +252,16 @@
 
        else {
                __rh_insert(rh, nreg);
-               if (nreg->state == RH_CLEAN) {
-                       spin_lock(&rh->region_lock);
-                       list_add(&nreg->list, &rh->clean_regions);
-                       spin_unlock(&rh->region_lock);
-               }
                reg = nreg;
        }
        write_unlock_irq(&rh->hash_lock);
        read_lock(&rh->hash_lock);
+       if (reg->state == RH_CLEAN) {
+               spin_lock(&rh->region_lock);
+               if ( list_empty(&reg->list) )
+                       list_add(&reg->list, &rh->clean_regions);
+               spin_unlock(&rh->region_lock);
+       }
 
        return reg;
 }
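Review bot: the moved list_add now runs under read_lock(&rh->hash_lock) with interrupts enabled, whereas the original list_add it replaces sat inside the write_lock_irq/write_unlock_irq section with interrupts disabled; if rh->region_lock is ever taken from interrupt context (the bio completion path that ends up in rh_dec() is the place to check), a plain spin_lock(&rh->region_lock) here can deadlock against that handler on the same CPU, so the new block should use spin_lock_irqsave(&rh->region_lock, flags) / spin_unlock_irqrestore(), or the read_lock should become read_lock_irq() with a matching read_unlock_irq() in the callers. Also, the `if ( list_empty(&reg->list) )` guard only works if reg->list was initialised with INIT_LIST_HEAD before this point (confirm that the allocation path above the hunk does this for nreg) and it now applies to the pre-existing region returned in the lost-the-race branch as well as to nreg; a one-line comment stating that the guard exists to avoid a double list_add after the lock is dropped and re-acquired would help the next reader. Minor style point: drop the spaces inside the parentheses in `if ( list_empty(&reg->list) )`.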

Sincerely,
    Johnson <dujun at aaastor.com>
    AiM9 <zhaoqian at aaastor.com>
