drivers/block · a28c69448154a0901e8815922030c5dcd2f8e388 · matisse / android_kernel_samsung_matisse

Herbert Xu authored 19 years ago

Janos Haar of First NetCenter Bt.  reported numerous crashes involving the
NBD driver.  With his help, this was tracked down to bogus bio vectors
which in turn was the result of a race condition between the
receive/transmit routines in the NBD driver.

The bug manifests itself like this:

CPU0				CPU1
do_nbd_request
	add req to queuelist
	nbd_send_request
		send req head
		for each bio
			kmap
			send
				nbd_read_stat
					nbd_find_request
					nbd_end_request
			kunmap

When CPU1 finishes nbd_end_request, the request and all its associated
bio's are freed.  So when CPU0 calls kunmap whose argument is derived from
the last bio, it may crash.

Under normal circumstances, the race occurs only on the last bio.  However,
if an error is encountered on the remote NBD server (such as an incorrect
magic number in the request), or if there were a bug in the server, it is
possible for the nbd_end_request to occur any time after the request's
addition to the queuelist.

The fol...

4b2f0260

Name	Last commit	Last update
..
aoe
paride
DAC960.c
DAC960.h
Kconfig
Makefile
acsi.c
acsi_slm.c
amiflop.c
ataflop.c
cciss.c
cciss.h
cciss_cmd.h
cciss_scsi.c
cciss_scsi.h
cpqarray.c
cpqarray.h
cryptoloop.c
floppy.c
ida_cmd.h
ida_ioctl.h
loop.c
nbd.c
pktcdvd.c
ps2esdi.c
rd.c
smart1,2.h
swim3.c
swim_iop.c
sx8.c
ub.c
umem.c
viodasd.c
xd.c
xd.h
z2ram.c

Download source code

Download this directory