linux/drivers/md/bcache
Coly Li a5f3d8a5ea bcache: use llist_for_each_entry_safe() in __closure_wake_up()
Commit 09b3efec ("bcache: Don't reinvent the wheel but use existing llist
API") replaces the following while loop by llist_for_each_entry(),

-
-	while (reverse) {
-		cl = container_of(reverse, struct closure, list);
-		reverse = llist_next(reverse);
-
+	llist_for_each_entry(cl, reverse, list) {
 		closure_set_waiting(cl, 0);
 		closure_sub(cl, CLOSURE_WAITING + 1);
 	}

This modification introduces a potential race by iterating a corrupted
list. Here is how it happens.

In the above modification, closure_sub() may wake up a process which is
waiting on reverse list. If this process decides to wait again by calling
closure_wait(), its cl->list will be added to another wait list. Then
when llist_for_each_entry() continues to iterate next node, it will travel
on another new wait list which is added in closure_wait(), not the
original reverse list in __closure_wake_up(). It is more probably to
happen on UP machine because the waked up process may preempt the process
which wakes up it.

Use llist_for_each_entry_safe() will fix the issue, the safe version fetch
next node before waking up a process. Then the copy of next node will make
sure list iteration stays on original reverse list.

Fixes: 09b3efec81 ("bcache: Don't reinvent the wheel but use existing llist API")
Signed-off-by: Coly Li <colyli@suse.de>
Reported-by: Michael Lyle <mlyle@lyle.org>
Reviewed-by: Byungchul Park <byungchul.park@lge.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
2017-09-27 14:54:49 -06:00
..
alloc.c bcache: increase the number of open buckets 2017-09-06 08:17:33 -06:00
bcache.h bcache: fix for gc and write-back race 2017-09-06 08:17:33 -06:00
bset.c sched/headers: Prepare for new header dependencies before moving code to <linux/sched/clock.h> 2017-03-02 08:42:27 +01:00
bset.h bcache: fix typo in bch_bkey_equal_header 2014-08-04 15:23:03 -07:00
btree.c block: switch bios to blk_status_t 2017-06-09 09:27:32 -06:00
btree.h sched/wait: Rename wait_queue_t => wait_queue_entry_t 2017-06-20 12:18:27 +02:00
closure.c bcache: use llist_for_each_entry_safe() in __closure_wake_up() 2017-09-27 14:54:49 -06:00
closure.h bcache: Update continue_at() documentation 2017-09-06 08:17:33 -06:00
debug.c block: replace bi_bdev with a gendisk pointer and partitions index 2017-08-23 12:49:55 -06:00
debug.h
extents.c bcache: Fix a journal replay bug 2014-08-04 15:23:02 -07:00
extents.h bcache: Fix a journal replay bug 2014-08-04 15:23:02 -07:00
io.c block: replace bi_bdev with a gendisk pointer and partitions index 2017-08-23 12:49:55 -06:00
journal.c block: replace bi_bdev with a gendisk pointer and partitions index 2017-08-23 12:49:55 -06:00
journal.h
Kconfig bcache: Kill dead cgroup code 2014-03-18 12:22:35 -07:00
Makefile
movinggc.c block: switch bios to blk_status_t 2017-06-09 09:27:32 -06:00
request.c bcache: do not subtract sectors_to_gc for bypassed IO 2017-09-06 08:17:33 -06:00
request.h block: switch bios to blk_status_t 2017-06-09 09:27:32 -06:00
stats.c bcache: Kill dead cgroup code 2014-03-18 12:22:35 -07:00
stats.h
super.c bcache: initialize dirty stripes in flash_dev_run() 2017-09-07 13:32:29 -06:00
sysfs.c bcache: Correct return value for sysfs attach errors 2017-09-06 08:17:33 -06:00
sysfs.h
trace.c bcache: Better alloc tracepoints 2014-03-18 12:22:35 -07:00
util.c bcache: fix bch_hprint crash and improve output 2017-09-06 08:17:33 -06:00
util.h treewide: use kv[mz]alloc* rather than opencoded variants 2017-05-08 17:15:13 -07:00
writeback.c bcache: initialize dirty stripes in flash_dev_run() 2017-09-07 13:32:29 -06:00
writeback.h bcache: initialize dirty stripes in flash_dev_run() 2017-09-07 13:32:29 -06:00