path: root/block/noop-iosched.c
diff options
authorJianpeng Ma <>2013-07-03 13:25:24 +0200
committerJens Axboe <>2013-07-03 13:25:24 +0200
commitd50235b7bc3ee0a0427984d763ea7534149531b4 (patch)
treeacf1916e7926c1a0dddbe08db11ca2426a3816cc /block/noop-iosched.c
parenta6b3f7614ca690e49e934c291f707b0c19312194 (diff)
elevator: Fix a race in elevator switching
There's a race between elevator switching and normal io operation. Because the allocation of struct elevator_queue and struct elevator_data don't in a atomic operation.So there are have chance to use NULL ->elevator_data. For example: Thread A: Thread B blk_queu_bio elevator_switch spin_lock_irq(q->queue_block) elevator_alloc elv_merge elevator_init_fn Because call elevator_alloc, it can't hold queue_lock and the ->elevator_data is NULL.So at the same time, threadA call elv_merge and nedd some info of elevator_data.So the crash happened. Move the elevator_alloc into func elevator_init_fn, it make the operations in a atomic operation. Using the follow method can easy reproduce this bug 1:dd if=/dev/sdb of=/dev/null 2:while true;do echo noop > scheduler;echo deadline > scheduler;done The test method also use this method. Signed-off-by: Jianpeng Ma <> Signed-off-by: Jens Axboe <>
Diffstat (limited to 'block/noop-iosched.c')
1 files changed, 14 insertions, 3 deletions
diff --git a/block/noop-iosched.c b/block/noop-iosched.c
index 5d1bf70..3de89d4 100644
--- a/block/noop-iosched.c
+++ b/block/noop-iosched.c
@@ -59,16 +59,27 @@ noop_latter_request(struct request_queue *q, struct request *rq)
return list_entry(rq->, struct request, queuelist);
-static int noop_init_queue(struct request_queue *q)
+static int noop_init_queue(struct request_queue *q, struct elevator_type *e)
struct noop_data *nd;
+ struct elevator_queue *eq;
+ eq = elevator_alloc(q, e);
+ if (!eq)
+ return -ENOMEM;
nd = kmalloc_node(sizeof(*nd), GFP_KERNEL, q->node);
- if (!nd)
+ if (!nd) {
+ kobject_put(&eq->kobj);
return -ENOMEM;
+ }
+ eq->elevator_data = nd;
- q->elevator->elevator_data = nd;
+ spin_lock_irq(q->queue_lock);
+ q->elevator = eq;
+ spin_unlock_irq(q->queue_lock);
return 0;