cfq-iosched: fix RCU race in the cfq io_context destructor handling put_io_context() drops the RCU read lock before calling into cfq_dtor(), however we need to hold off freeing there before grabbing and dereferencing the first object on the list. So extend the rcu_read_lock() scope to cover the calling of cfq_dtor(), and optimize cfq_free_io_context() to use a new variant for call_for_each_cic() that assumes the RCU read lock is already held. Hit in the wild by Alexey Dobriyan <adobriyan@gmail.com> Signed-off-by: Jens Axboe <jens.axboe@oracle.com>

commit: 07416d29bcf608257f1e5280642dcbe0021518a3 [log] [tgz]
author: Jens Axboe <jens.axboe@oracle.com> Wed May 07 09:17:12 2008 +0200
committer: Jens Axboe <jens.axboe@oracle.com> Wed May 07 09:28:57 2008 +0200
tree: 6b88b2b043cac10b34234320c68e06848c00127c
parent: aa94b5371f6f898558d9fa5690cc6e4bf917a572 [diff] [blame]
diff --git a/block/blk-ioc.c b/block/blk-ioc.c
index e34df7c..012f065 100644
--- a/block/blk-ioc.c
+++ b/block/blk-ioc.c

@@ -41,8 +41,8 @@
 		rcu_read_lock();
 		if (ioc->aic && ioc->aic->dtor)
 			ioc->aic->dtor(ioc->aic);
-		rcu_read_unlock();
 		cfq_dtor(ioc);
+		rcu_read_unlock();
 
 		kmem_cache_free(iocontext_cachep, ioc);
 		return 1;
commit	07416d29bcf608257f1e5280642dcbe0021518a3	[log] [tgz]
author	Jens Axboe <jens.axboe@oracle.com>	Wed May 07 09:17:12 2008 +0200
committer	Jens Axboe <jens.axboe@oracle.com>	Wed May 07 09:28:57 2008 +0200
tree	6b88b2b043cac10b34234320c68e06848c00127c
parent	aa94b5371f6f898558d9fa5690cc6e4bf917a572 [diff] [blame]