Re: [PATCH] dio: lock refcount operations

[Jeff Moyer]

==> Regarding [PATCH] dio: lock refcount operations; Zach Brown <zach.brown@xxxxxxxxxx> adds:

zach.brown> dio: lock refcount operations The wait_for_more_bios() function
zach.brown> name was poorly chosen.  While looking to clean it up it I
zach.brown> noticed that the dio struct refcounting between the bio
zach.brown> completion and dio submission paths was racey.

zach.brown> The bio submission path was simply freeing the dio struct if
zach.brown> atomic_dec_and_test() indicated that it dropped the final
zach.brown> reference.

zach.brown> The aio bio completion path was dereferencing its dio struct
zach.brown> pointer *after dropping its reference* based on the remaining
zach.brown> number of references.

zach.brown> These two paths could race and result in the aio bio completion
zach.brown> path dereferencing a freed dio, though this was not observed in
zach.brown> the wild.

I don't believe that this can happen.  dio_bio_end_aio will only reference
the dio if (remaining == 1 && waiter_holds_ref).  If the waiter is holding
the reference, then the bio submission path would not have dropped its
reference yet!

-Jeff
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/