From: Mingming Cao <cmm@us.ibm.com>
To: Andrew Morton <akpm@osdl.org>
Cc: Andreas Gruenbacher <agruen@suse.de>,
"Paul E. McKenney" <paulmck@us.ibm.com>,
linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org
Subject: [PATCH]Add memory barrier before clear bit in unlock_buffer()
Date: Mon, 05 Feb 2007 10:37:46 -0800
Message-ID: <1170700667.3815.14.camel@dyn9047017103.beaverton.ibm.com>
In-Reply-To: <200702050032.06905.agruen@suse.de>
We are running the SDET benchmark and saw a double free issue for an ext3 extended
attributes block, which complains that the same xattr block is already being
freed (in ext3_xattr_release_block()). The problem can also be
triggered by multiple threads looping untar/rm on a kernel tree.

The race is caused by a missing memory barrier in unlock_buffer() before
the lock bit is cleared, resulting in a possible concurrent
h_refcount update. That causes a reference counter leak, which later
leads to the double free that we have seen.

Inside unlock_buffer(), there is a memory barrier placed *after* the
lock bit is cleared; however, there is no memory barrier *before*
the bit is cleared. On some archs the h_refcount update instruction and
the clear bit instruction could be reordered, thus leaving the critical
section re-entered.
The race is like this. For example, if the h_refcount is initialized as 1:

cpu 0                                    cpu 1
---------------------------------------  ---------------------------------------
lock_buffer()      /* test_and_set_bit */
clear_buffer_locked(bh);
                                         lock_buffer()      /* test_and_set_bit */
h_refcount = h_refcount + 1; /* = 2 */   h_refcount = h_refcount + 1; /* = 2 */
                                         clear_buffer_locked(bh);
....                                     ......
We lost an h_refcount increment here. We need a memory barrier before the buffer head lock
bit is cleared to force the order of the two writes. Please apply.
Signed-Off-By: Mingming Cao <cmm@us.ibm.com>
--- linux/fs/buffer.c.orig 2007-02-04 11:37:50.000000000 -0600
+++ linux/fs/buffer.c 2007-02-04 11:38:14.000000000 -0600
@@ -77,6 +77,7 @@
void fastcall unlock_buffer(struct buffer_head *bh)
{
+ smp_mb__before_clear_bit();
clear_buffer_locked(bh);
smp_mb__after_clear_bit();
wake_up_bit(&bh->b_state, BH_Lock);
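Review bot: the barrier is the right fix, but the hunk adds it with no comment, so the reason lives only in this mail; a reader of buffer.c now sees smp_mb__before_clear_bit() next to smp_mb__after_clear_bit() with nothing saying what each one orders. Suggest a one-line comment above the new line, e.g. `/* order critical-section stores before the lock bit is cleared */`, so the pairing is documented where it lives. Two points for the changelog rather than the code: on x86 smp_mb__before_clear_bit() is only a compiler barrier, so the change costs nothing there and matters on weakly ordered CPUs; and the same requirement applies to any path that clears BH_Lock directly instead of going through unlock_buffer(), which this hunk does not cover.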
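The ordering requirement the mail describes, modelled in user space as an added example (this is not code from the patch or from the kernel): a bit-lock in the style of lock_buffer()/unlock_buffer() built on C11 atomics and pthreads. All names here (model_bh, model_lock, model_unlock_release, model_unlock_relaxed, run_refcount_model) are assumed for the example. The release-ordered clear in model_unlock_release plays the role of smp_mb__before_clear_bit() followed by clear_buffer_locked(): every store made inside the critical section must be visible before the cleared lock bit is. The relaxed variant is the pre-patch pattern, kept only for comparison; it is not part of the check because strongly ordered hardware such as x86 hides the reordering.

```c
/* Added example, not from the patch or the kernel: a user-space model of
 * the BH_Lock bit-lock, with the refcount update it is meant to protect. */
#include <pthread.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

#define MODEL_LOCK_BIT 0u   /* constructed: stands in for BH_Lock in b_state */
#define MODEL_MAX_THREADS 16

struct model_bh {
    atomic_uint state;          /* stands in for bh->b_state */
    unsigned long h_refcount;   /* plain store, protected only by the lock */
};

/* test_and_set_bit-style acquire: spin until we flip the bit from 0 to 1. */
static void model_lock(struct model_bh *bh)
{
    unsigned int bit = 1u << MODEL_LOCK_BIT;
    while (atomic_fetch_or_explicit(&bh->state, bit, memory_order_acquire) & bit)
        ;   /* another thread holds the lock; spin */
}

/* The fixed unlock: release ordering is the barrier *before* the clear,
 * the analogue of smp_mb__before_clear_bit(); clear_buffer_locked(bh); */
static void model_unlock_release(struct model_bh *bh)
{
    atomic_fetch_and_explicit(&bh->state, ~(1u << MODEL_LOCK_BIT),
                              memory_order_release);
}

/* The pre-patch unlock: nothing orders the h_refcount store before the
 * clear, so on weakly ordered CPUs the next locker can see the stale
 * count, exactly the race in the mail's diagram. */
static void model_unlock_relaxed(struct model_bh *bh)
{
    atomic_fetch_and_explicit(&bh->state, ~(1u << MODEL_LOCK_BIT),
                              memory_order_relaxed);
}

struct worker_arg {
    struct model_bh *bh;
    unsigned long iters;
    bool use_release;
};

static void *worker(void *p)
{
    struct worker_arg *a = p;
    for (unsigned long i = 0; i < a->iters; i++) {
        model_lock(a->bh);
        a->bh->h_refcount++;                 /* the critical-section store */
        if (a->use_release)
            model_unlock_release(a->bh);
        else
            model_unlock_relaxed(a->bh);
    }
    return NULL;
}

/* Run nthreads threads that each take the lock and bump h_refcount iters
 * times; return the number of increments that survived.  With use_release
 * the result must be nthreads * iters on every architecture. */
unsigned long run_refcount_model(int nthreads, unsigned long iters, bool use_release)
{
    if (nthreads < 1 || nthreads > MODEL_MAX_THREADS)
        return 0;
    struct model_bh bh = { .state = 0, .h_refcount = 1 };  /* starts at 1, as in the mail */
    struct worker_arg arg = { .bh = &bh, .iters = iters, .use_release = use_release };
    pthread_t tids[MODEL_MAX_THREADS];

    for (int i = 0; i < nthreads; i++)
        pthread_create(&tids[i], NULL, worker, &arg);
    for (int i = 0; i < nthreads; i++)
        pthread_join(tids[i], NULL);
    return bh.h_refcount - 1;
}

int main(void)
{
    unsigned long want = 4UL * 100000UL;
    unsigned long got = run_refcount_model(4, 100000UL, true);
    printf("release unlock: %lu increments, expected %lu\n", got, want);
    return got == want ? 0 : 1;
}
```

The acquire on the lock side and the release on the unlock side are the two halves of the same contract: the kernel's smp_mb__after_clear_bit() covers the wake-up path, while the barrier this patch adds is what makes the unlock a release. Compile with a C11 compiler and link against pthreads; running the relaxed variant on x86 will still report the full count, which is why this class of bug shows up only on some architectures.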