Re: Bio & Biovec-1 increasing cache size, never freed during disk IO

[matteo brancaleoni]

Hi.

no, the CONFIG_DEBUG_SLAB was not set.

Thanks for the new patch, compiling now.
I'll let you know asap.

Thanks a lot for the help,

Matteo.

On 3/2/06, Neil Brown <neilb@xxxxxxx> wrote:
> On Wednesday March 1, mbrancaleoni@xxxxxxxxx wrote:
> > Hi Neil.
> >
> > unfortunately the patch does nothing, the problem persists.
> > Tested with 2.6.16-rc5.
> > (I've double checked if the patch was applied correctly)
> >
> > Can I do anything to be of some more help?
>
> Yes, try another patch. :-)  and tell me if you have CONFIG_DEBUG_SLAB
> set... there was another use-after-free bug which CONFIG_DEBUG_SLAB
> would have made worse.
>
> This patch should fix it all up.
>
> Thanks again,
> NeilBrown
>
>
> Signed-off-by: Neil Brown <neilb@xxxxxxx>
>
> ### Diffstat output
>  ./drivers/md/raid1.c |   13 ++++++++-----
>  1 file changed, 8 insertions(+), 5 deletions(-)
>
> diff ./drivers/md/raid1.c~current~ ./drivers/md/raid1.c
> --- ./drivers/md/raid1.c~current~       2006-02-27 11:52:18.000000000 +1100
> +++ ./drivers/md/raid1.c        2006-03-01 10:44:49.000000000 +1100
> @@ -306,6 +306,7 @@ static int raid1_end_write_request(struc
>         r1bio_t * r1_bio = (r1bio_t *)(bio->bi_private);
>         int mirror, behind = test_bit(R1BIO_BehindIO, &r1_bio->state);
>         conf_t *conf = mddev_to_conf(r1_bio->mddev);
> +       struct bio *to_put = NULL;
>
>         if (bio->bi_size)
>                 return 1;
> @@ -323,6 +324,7 @@ static int raid1_end_write_request(struc
>                  * this branch is our 'one mirror IO has finished' event handler:
>                  */
>                 r1_bio->bios[mirror] = NULL;
> +               to_put = bio;
>                 if (!uptodate) {
>                         md_error(r1_bio->mddev, conf->mirrors[mirror].rdev);
>                         /* an I/O failed, we can't clear the bitmap */
> @@ -375,7 +377,7 @@ static int raid1_end_write_request(struc
>                         /* Don't dec_pending yet, we want to hold
>                          * the reference over the retry
>                          */
> -                       return 0;
> +                       goto out;
>                 }
>                 if (test_bit(R1BIO_BehindIO, &r1_bio->state)) {
>                         /* free extra copy of the data pages */
> @@ -392,10 +394,11 @@ static int raid1_end_write_request(struc
>                 raid_end_bio_io(r1_bio);
>         }
>
> -       if (r1_bio->bios[mirror]==NULL)
> -               bio_put(bio);
> -
>         rdev_dec_pending(conf->mirrors[mirror].rdev, conf->mddev);
> + out:
> +       if (to_put)
> +               bio_put(to_put);
> +
>         return 0;
>  }
>
> @@ -857,7 +860,7 @@ static int make_request(request_queue_t
>         atomic_set(&r1_bio->remaining, 0);
>         atomic_set(&r1_bio->behind_remaining, 0);
>
> -       do_barriers = bio->bi_rw & BIO_RW_BARRIER;
> +       do_barriers = bio_barrier(bio);
>         if (do_barriers)
>                 set_bit(R1BIO_Barrier, &r1_bio->state);
>
>
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/