From: Lukas Czerner Date: Fri, 11 Mar 2011 09:23:53 +0000 (+0100) Subject: block: fix mis-synchronisation in blkdev_issue_zeroout() X-Git-Tag: v2.6.37.5~71 X-Git-Url: http://git.openpandora.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7e676247795f86efe5ca97c556f9c21415f815ee;p=pandora-kernel.git block: fix mis-synchronisation in blkdev_issue_zeroout() commit 0aeea18964173715a1037034ef6838198f319319 upstream. BZ29402 https://bugzilla.kernel.org/show_bug.cgi?id=29402 We can hit serious mis-synchronization in bio completion path of blkdev_issue_zeroout() leading to a panic. The problem is that when we are going to wait_for_completion() in blkdev_issue_zeroout() we check if the bb.done equals issued (number of submitted bios). If it does, we can skip the wait_for_completition() and just out of the function since there is nothing to wait for. However, there is a ordering problem because bio_batch_end_io() is calling atomic_inc(&bb->done) before complete(), hence it might seem to blkdev_issue_zeroout() that all bios has been completed and exit. At this point when bio_batch_end_io() is going to call complete(bb->wait), bb and wait does not longer exist since it was allocated on stack in blkdev_issue_zeroout() ==> panic! (thread 1) (thread 2) bio_batch_end_io() blkdev_issue_zeroout() if(bb) { ... if (bb->end_io) ... bb->end_io(bio, err); ... atomic_inc(&bb->done); ... ... while (issued != atomic_read(&bb.done)) ... (let issued == bb.done) ... (do the rest of the function) ... return ret; complete(bb->wait); ^^^^^^^^ panic We can fix this easily by simplifying bio_batch and completion counting. Also remove bio_end_io_t *end_io since it is not used. Signed-off-by: Lukas Czerner Reported-by: Eric Whitney Tested-by: Eric Whitney Reviewed-by: Jeff Moyer CC: Dmitry Monakhov Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman --- Reading git-diff-tree failed