block: fix mis-synchronisation in blkdev_issue_zeroout()
BZ29402 https://bugzilla.kernel.org/show_bug.cgi?id=29402 We can hit serious mis-synchronization in bio completion path of blkdev_issue_zeroout() leading to a panic. The problem is that when we are going to wait_for_completion() in blkdev_issue_zeroout() we check if the bb.done equals issued (number of submitted bios). If it does, we can skip the wait_for_completition() and just out of the function since there is nothing to wait for. However, there is a ordering problem because bio_batch_end_io() is calling atomic_inc(&bb->done) before complete(), hence it might seem to blkdev_issue_zeroout() that all bios has been completed and exit. At this point when bio_batch_end_io() is going to call complete(bb->wait), bb and wait does not longer exist since it was allocated on stack in blkdev_issue_zeroout() ==> panic! (thread 1) (thread 2) bio_batch_end_io() blkdev_issue_zeroout() if(bb) { ... if (bb->end_io) ... bb->end_io(bio, err); ... atomic_inc(&bb->done); ... ... while (issued != atomic_read(&bb.done)) ... (let issued == bb.done) ... (do the rest of the function) ... return ret; complete(bb->wait); ^^^^^^^^ panic We can fix this easily by simplifying bio_batch and completion counting. Also remove bio_end_io_t *end_io since it is not used. Signed-off-by: Lukas Czerner <lczerner@redhat.com> Reported-by: Eric Whitney <eric.whitney@hp.com> Tested-by: Eric Whitney <eric.whitney@hp.com> Reviewed-by: Jeff Moyer <jmoyer@redhat.com> CC: Dmitry Monakhov <dmonakhov@openvz.org> Signed-off-by: Jens Axboe <jaxboe@fusionio.com>
This commit is contained in:
Lukas Czerner
committed by
Jens Axboe
Jens Axboe
parent
9179746652
commit
0aeea18964
@@ -109,7 +109,6 @@ struct bio_batch
|
|||||||
atomic_t done;
|
atomic_t done;
|
||||||
unsigned long flags;
|
unsigned long flags;
|
||||||
struct completion *wait;
|
struct completion *wait;
|
||||||
bio_end_io_t *end_io;
|
|
||||||
};
|
};
|
||||||
|
|
||||||
static void bio_batch_end_io(struct bio *bio, int err)
|
static void bio_batch_end_io(struct bio *bio, int err)
|
||||||
@@ -122,12 +121,9 @@ static void bio_batch_end_io(struct bio *bio, int err)
|
|||||||
else
|
else
|
||||||
clear_bit(BIO_UPTODATE, &bb->flags);
|
clear_bit(BIO_UPTODATE, &bb->flags);
|
||||||
}
|
}
|
||||||
if (bb) {
|
if (bb)
|
||||||
if (bb->end_io)
|
if (atomic_dec_and_test(&bb->done))
|
||||||
bb->end_io(bio, err);
|
complete(bb->wait);
|
||||||
atomic_inc(&bb->done);
|
|
||||||
complete(bb->wait);
|
|
||||||
}
|
|
||||||
bio_put(bio);
|
bio_put(bio);
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -150,13 +146,12 @@ int blkdev_issue_zeroout(struct block_device *bdev, sector_t sector,
|
|||||||
int ret;
|
int ret;
|
||||||
struct bio *bio;
|
struct bio *bio;
|
||||||
struct bio_batch bb;
|
struct bio_batch bb;
|
||||||
unsigned int sz, issued = 0;
|
unsigned int sz;
|
||||||
DECLARE_COMPLETION_ONSTACK(wait);
|
DECLARE_COMPLETION_ONSTACK(wait);
|
||||||
|
|
||||||
atomic_set(&bb.done, 0);
|
atomic_set(&bb.done, 1);
|
||||||
bb.flags = 1 << BIO_UPTODATE;
|
bb.flags = 1 << BIO_UPTODATE;
|
||||||
bb.wait = &wait;
|
bb.wait = &wait;
|
||||||
bb.end_io = NULL;
|
|
||||||
|
|
||||||
submit:
|
submit:
|
||||||
ret = 0;
|
ret = 0;
|
||||||
@@ -185,12 +180,12 @@ submit:
|
|||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
ret = 0;
|
ret = 0;
|
||||||
issued++;
|
atomic_inc(&bb.done);
|
||||||
submit_bio(WRITE, bio);
|
submit_bio(WRITE, bio);
|
||||||
}
|
}
|
||||||
|
|
||||||
/* Wait for bios in-flight */
|
/* Wait for bios in-flight */
|
||||||
while (issued != atomic_read(&bb.done))
|
if (!atomic_dec_and_test(&bb.done))
|
||||||
wait_for_completion(&wait);
|
wait_for_completion(&wait);
|
||||||
|
|
||||||
if (!test_bit(BIO_UPTODATE, &bb.flags))
|
if (!test_bit(BIO_UPTODATE, &bb.flags))
|
||||||
|
|||||||
Reference in New Issue
Block a user