android_kernel_xiaomi_sm8350/drivers/md
Mikulas Patocka 7c5f78b9d7 dm snapshot: fix primary_pe race
Fix a race condition with primary_pe ref_count handling.

put_pending_exception runs under dm_snapshot->lock, it does atomic_dec_and_test
on primary_pe->ref_count, and later does atomic_read primary_pe->ref_count.

__origin_write does atomic_dec_and_test on primary_pe->ref_count without holding
dm_snapshot->lock.

This opens the following race condition:
Assume two CPUs, CPU1 is executing put_pending_exception (and holding
dm_snapshot->lock). CPU2 is executing __origin_write in parallel.
primary_pe->ref_count == 2.

CPU1:
if (primary_pe && atomic_dec_and_test(&primary_pe->ref_count))
	origin_bios = bio_list_get(&primary_pe->origin_bios);
... decrements primary_pe->ref_count to 1. Doesn't load origin_bios

CPU2:
if (first && atomic_dec_and_test(&primary_pe->ref_count)) {
	flush_bios(bio_list_get(&primary_pe->origin_bios));
	free_pending_exception(primary_pe);
	/* If we got here, pe_queue is necessarily empty. */
	return r;
}
... decrements primary_pe->ref_count to 0, submits pending bios, frees
primary_pe.

CPU1:
if (!primary_pe || primary_pe != pe)
	free_pending_exception(pe);
... this has no effect.
if (primary_pe && !atomic_read(&primary_pe->ref_count))
	free_pending_exception(primary_pe);
... sees ref_count == 0 (written by CPU 2), does double free !!

This bug can happen only if someone is simultaneously writing to both the
origin and the snapshot.

If someone is writing only to the origin, __origin_write will submit kcopyd
request after it decrements primary_pe->ref_count (so it can't happen that the
finished copy races with primary_pe->ref_count decrementation).

If someone is writing only to the snapshot, __origin_write isn't invoked at all
and the race can't happen.

The race happens when someone writes to the snapshot --- this creates
pending_exception with primary_pe == NULL and starts copying. Then, someone
writes to the same chunk in the snapshot, and __origin_write races with
termination of already submitted request in pending_complete (that calls
put_pending_exception).

This race may be reason for bugs:
  http://bugzilla.kernel.org/show_bug.cgi?id=11636
  https://bugzilla.redhat.com/show_bug.cgi?id=465825

The patch fixes the code to make sure that:
1. If atomic_dec_and_test(&primary_pe->ref_count) returns false, the process
must no longer dereference primary_pe (because someone else may free it under
us).
2. If atomic_dec_and_test(&primary_pe->ref_count) returns true, the process
is responsible for freeing primary_pe.

Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Alasdair G Kergon <agk@redhat.com>
Cc: stable@kernel.org
2008-10-21 17:44:51 +01:00
..
raid6test
.gitignore
bitmap.c Fix problem with waiting while holding rcu read lock in md/bitmap.c 2008-09-01 12:48:13 +10:00
dm-bio-list.h
dm-bio-record.h
dm-crypt.c dm crypt: avoid unnecessary wait when splitting bio 2008-10-10 13:37:08 +01:00
dm-delay.c
dm-exception-store.c dm exception store: use chunk_t for_areas 2008-10-10 13:37:01 +01:00
dm-io.c dm: unplug queues in threads 2008-04-25 13:26:57 +01:00
dm-ioctl.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/agk/linux-2.6-dm 2008-10-10 11:11:47 -07:00
dm-kcopyd.c dm kcopyd: avoid queue shuffle 2008-10-21 17:44:50 +01:00
dm-linear.c dm: linear add merge 2008-07-21 12:00:38 +01:00
dm-log.c dm log: make dm_dirty_log init and exit static 2008-07-21 12:00:27 +01:00
dm-mpath.c [SCSI] block: separate failfast into multiple bits. 2008-10-13 09:28:52 -04:00
dm-mpath.h dm mpath: remove is_active from struct dm_path 2008-10-10 13:36:58 +01:00
dm-path-selector.c
dm-path-selector.h
dm-raid1.c dm raid1: kcopyd should stop on error if errors handled 2008-10-10 13:36:59 +01:00
dm-round-robin.c
dm-snap.c dm snapshot: fix primary_pe race 2008-10-21 17:44:51 +01:00
dm-snap.h dm snapshot: use per device mempools 2008-07-21 12:00:35 +01:00
dm-stripe.c block: don't depend on consecutive minor space 2008-10-09 08:56:05 +02:00
dm-table.c dm: detect lost queue 2008-10-10 13:37:13 +01:00
dm-target.c
dm-uevent.c md: replace remaining __FUNCTION__ occurrences 2008-04-28 08:58:42 -07:00
dm-uevent.h
dm-zero.c
dm.c block: move stats from disk to part0 2008-10-09 08:56:08 +02:00
dm.h dm: publish dm_vcalloc 2008-10-10 13:37:12 +01:00
faulty.c md: check for memory allocation failure in faulty personality 2008-10-16 14:16:53 +11:00
Kconfig raid, fastboot: hide RAID autodetect option if MD is compiled as a module 2008-10-12 08:25:14 -07:00
linear.c md: Remove unnecessary #includes, #defines, and function declarations. 2008-10-13 11:55:12 +11:00
Makefile [SCSI] scsi_dh: Remove hardware handler infrastructure from dm 2008-06-05 09:23:42 -05:00
md.c md: fix input truncation in safe_delay_store() 2008-10-16 17:03:08 +11:00
mktables.c
multipath.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi-misc-2.6 2008-10-17 09:00:23 -07:00
raid0.c md: Remove unnecessary #includes, #defines, and function declarations. 2008-10-13 11:55:12 +11:00
raid1.c md: build failure due to missing delay.h 2008-10-15 21:57:05 +11:00
raid5.c md: Relax minimum size restrictions on chunk_size. 2008-10-13 11:55:12 +11:00
raid6.h md: Remove unnecessary #includes, #defines, and function declarations. 2008-10-13 11:55:12 +11:00
raid6algos.c drivers/md: use time_before, time_before_eq, etc 2008-04-28 08:58:42 -07:00
raid6altivec.uc
raid6int.uc
raid6mmx.c
raid6recov.c
raid6sse1.c
raid6sse2.c
raid6x86.h
raid10.c md: build failure due to missing delay.h 2008-10-15 21:57:05 +11:00
unroll.pl