[PATCH] fix race in idr code
I ran into a bug where the kernel died in the idr code: cpu 0x1d: Vector: 300 (Data Access) at [c000000b7096f710] pc: c0000000001f8984: .idr_get_new_above_int+0x140/0x330 lr: c0000000001f89b4: .idr_get_new_above_int+0x170/0x330 sp: c000000b7096f990 msr: 800000000000b032 dar: 0 dsisr: 40010000 current = 0xc000000b70d43830 paca = 0xc000000000556900 pid = 2022, comm = hwup 1d:mon> t [c000000b7096f990] c0000000000d2ad8 .expand_files+0x2e8/0x364 (unreliable) [c000000b7096faa0] c0000000001f8bf8 .idr_get_new_above+0x18/0x68 [c000000b7096fb20] c00000000002a054 .init_new_context+0x5c/0xf0 [c000000b7096fbc0] c000000000049dc8 .copy_process+0x91c/0x1404 [c000000b7096fcd0] c00000000004a988 .do_fork+0xd8/0x224 [c000000b7096fdc0] c00000000000ebdc .sys_clone+0x5c/0x74 [c000000b7096fe30] c000000000008950 .ppc_clone+0x8/0xc
This commit is contained in:
parent
a45219483e
commit
1eec00565d
1 changed files with 12 additions and 4 deletions
16
lib/idr.c
16
lib/idr.c
|
@ -48,15 +48,21 @@ static struct idr_layer *alloc_layer(struct idr *idp)
|
||||||
return(p);
|
return(p);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/* only called when idp->lock is held */
|
||||||
|
static void __free_layer(struct idr *idp, struct idr_layer *p)
|
||||||
|
{
|
||||||
|
p->ary[0] = idp->id_free;
|
||||||
|
idp->id_free = p;
|
||||||
|
idp->id_free_cnt++;
|
||||||
|
}
|
||||||
|
|
||||||
static void free_layer(struct idr *idp, struct idr_layer *p)
|
static void free_layer(struct idr *idp, struct idr_layer *p)
|
||||||
{
|
{
|
||||||
/*
|
/*
|
||||||
* Depends on the return element being zeroed.
|
* Depends on the return element being zeroed.
|
||||||
*/
|
*/
|
||||||
spin_lock(&idp->lock);
|
spin_lock(&idp->lock);
|
||||||
p->ary[0] = idp->id_free;
|
__free_layer(idp, p);
|
||||||
idp->id_free = p;
|
|
||||||
idp->id_free_cnt++;
|
|
||||||
spin_unlock(&idp->lock);
|
spin_unlock(&idp->lock);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -184,12 +190,14 @@ static int idr_get_new_above_int(struct idr *idp, void *ptr, int starting_id)
|
||||||
* The allocation failed. If we built part of
|
* The allocation failed. If we built part of
|
||||||
* the structure tear it down.
|
* the structure tear it down.
|
||||||
*/
|
*/
|
||||||
|
spin_lock(&idp->lock);
|
||||||
for (new = p; p && p != idp->top; new = p) {
|
for (new = p; p && p != idp->top; new = p) {
|
||||||
p = p->ary[0];
|
p = p->ary[0];
|
||||||
new->ary[0] = NULL;
|
new->ary[0] = NULL;
|
||||||
new->bitmap = new->count = 0;
|
new->bitmap = new->count = 0;
|
||||||
free_layer(idp, new);
|
__free_layer(idp, new);
|
||||||
}
|
}
|
||||||
|
spin_unlock(&idp->lock);
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
new->ary[0] = p;
|
new->ary[0] = p;
|
||||||
|
|
Loading…
Reference in a new issue