Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

xen-blkfront: drop the use of llist_for_each_entry_safe

Replace llist_for_each_entry_safe with a while loop.

llist_for_each_entry_safe can trigger a bug in GCC 4.1, so it's best
to remove it and use a while loop and do the deletion manually.

Specifically this bug can be triggered by hot-unplugging a disk, either
by doing xm block-detach or by save/restore cycle.

BUG: unable to handle kernel paging request at fffffffffffffff0
IP: [<ffffffffa0047223>] blkif_free+0x63/0x130 [xen_blkfront]
The crash call trace is:
...
bad_area_nosemaphore+0x13/0x20
do_page_fault+0x25e/0x4b0
page_fault+0x25/0x30
? blkif_free+0x63/0x130 [xen_blkfront]
blkfront_resume+0x46/0xa0 [xen_blkfront]
xenbus_dev_resume+0x6c/0x140
pm_op+0x192/0x1b0
device_resume+0x82/0x1e0
dpm_resume+0xc9/0x1a0
dpm_resume_end+0x15/0x30
do_suspend+0x117/0x1e0

When drilling down to the assembler code, on newer GCC it does
.L29:
cmpq $-16, %r12 #, persistent_gnt check
je .L30 #, out of the loop
.L25:
... code in the loop
testq %r13, %r13 # n
je .L29 #, back to the top of the loop
cmpq $-16, %r12 #, persistent_gnt check
movq 16(%r12), %r13 # <variable>.node.next, n
jne .L25 #, back to the top of the loop
.L30:

While on GCC 4.1, it is:
.L78:
... code in the loop
testq %r13, %r13 # n
je .L78 #, back to the top of the loop
movq 16(%rbx), %r13 # <variable>.node.next, n
jmp .L78 #, back to the top of the loop

Which basically means that the exit loop condition instead of
being:

&(pos)->member != NULL;

is:
;

which makes the loop unbound.

Since xen-blkfront is the only user of the llist_for_each_entry_safe
macro, remove it from llist.h.

Orabug: 16263164
CC: stable@vger.kernel.org
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
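The loop-exit discussion in the message above is easier to follow against a compiling model. What follows is an added example, not code from the kernel tree or from this commit: a minimal lock-less list in the style of include/linux/llist.h (push and detach-all on an atomic head), a struct grant with the layout the commit's assembly implies (gref, pfn, node at offset 16; an assumption for illustration), the value the removed macro's container cursor takes once the node pointer is NULL, and the detach-then-free walk the patch switches blkif_free() to. The kernel's names are reused for readability; the implementations are this example's own, and the sample list contents are constructed here.

```c
#include <stdatomic.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

struct llist_node { struct llist_node *next; };
struct llist_head { _Atomic(struct llist_node *) first; };

/* Kernel-style container_of(): pure pointer arithmetic. Handed a NULL node it
 * does not give NULL back but NULL minus offsetof(), which is the bogus cursor
 * the removed macro ended up comparing against NULL. */
#define llist_entry(ptr, type, member) \
	((type *)((char *)(ptr) - offsetof(type, member)))

/* Assumed layout of xen-blkfront's struct grant: with an 8-byte pfn the node
 * sits 16 bytes in, which is the "cmpq $-16" constant in the newer-GCC output. */
struct grant {
	unsigned int gref;
	unsigned long pfn;
	struct llist_node node;
};

/* Lock-less push, after llist_add(): CAS loop on head->first. */
static void llist_add(struct llist_node *node, struct llist_head *head)
{
	struct llist_node *first = atomic_load(&head->first);

	do {
		node->next = first;
	} while (!atomic_compare_exchange_weak(&head->first, &first, node));
}

/* Detach every entry in one atomic step, after llist_del_all(). */
static struct llist_node *llist_del_all(struct llist_head *head)
{
	return atomic_exchange(&head->first, (struct llist_node *)NULL);
}

/* The value the removed macro's cursor takes when the node pointer is NULL:
 * on x86-64 this is 0xfffffffffffffff0, the faulting address in the BUG line.
 * Computed on uintptr_t so the example itself does no out-of-bounds pointer math. */
static uintptr_t bogus_cursor_value(void)
{
	return (uintptr_t)0 - offsetof(struct grant, node);
}

/* The walk the patch adopts: read ->next before the entry is freed and only
 * form a container pointer from a non-NULL node, so the loop test is on the
 * node pointer rather than on a container pointer derived from NULL.
 * Returns the number of entries released; *pfn_sum stands in for the
 * per-entry cleanup (gnttab_end_foreign_access()/__free_page() in the driver). */
static size_t free_all_grants(struct llist_head *head, unsigned long *pfn_sum)
{
	struct llist_node *all = llist_del_all(head), *n;
	struct grant *g = all ? llist_entry(all, struct grant, node) : NULL;
	size_t count = 0;

	*pfn_sum = 0;
	while (g) {
		*pfn_sum += g->pfn;
		n = g->node.next;	/* must be read before free(g) */
		free(g);
		g = n ? llist_entry(n, struct grant, node) : NULL;
		count++;
	}
	return count;
}

/* Constructed input: push `entries` grants with pfn = 0 .. entries-1. */
static void push_grants(struct llist_head *head, size_t entries)
{
	for (size_t i = 0; i < entries; i++) {
		struct grant *g = calloc(1, sizeof(*g));

		if (!g)
			abort();
		g->gref = (unsigned int)i;
		g->pfn = i;
		llist_add(&g->node, head);
	}
}

int main(void)
{
	struct llist_head head = { NULL };
	unsigned long sum;
	size_t freed;

	push_grants(&head, 5);
	freed = free_all_grants(&head, &sum);
	printf("freed %zu grants, pfn sum %lu\n", freed, sum);
	freed = free_all_grants(&head, &sum);	/* empty list: loop never runs */
	printf("second pass freed %zu\n", freed);
	printf("cursor for a NULL node would be %#lx\n",
	       (unsigned long)bogus_cursor_value());
	return 0;
}
```

The point of free_all_grants() is the order of the three statements inside the loop: the next node is fetched, the entry is released, and only then is the next container pointer formed, guarded by a test on the node pointer. Testing `&g->node != NULL` instead would be the same construction as the removed macro, and a compiler is entitled to treat that as always true.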

+10 -28
+10 -3
drivers/block/xen-blkfront.c
··· 791 791 static void blkif_free(struct blkfront_info *info, int suspend) 792 792 { 793 793 struct llist_node *all_gnts; 794 - struct grant *persistent_gnt; 794 + struct grant *persistent_gnt, *tmp; 795 795 struct llist_node *n; 796 796 797 797 /* Prevent new requests being issued until we fix things up. */ ··· 805 805 /* Remove all persistent grants */ 806 806 if (info->persistent_gnts_c) { 807 807 all_gnts = llist_del_all(&info->persistent_gnts); 808 - llist_for_each_entry_safe(persistent_gnt, n, all_gnts, node) { 808 + persistent_gnt = llist_entry(all_gnts, typeof(*(persistent_gnt)), node); 809 + while (persistent_gnt) { 809 810 gnttab_end_foreign_access(persistent_gnt->gref, 0, 0UL); 810 811 __free_page(pfn_to_page(persistent_gnt->pfn)); 811 - kfree(persistent_gnt); 812 + tmp = persistent_gnt; 813 + n = persistent_gnt->node.next; 814 + if (n) 815 + persistent_gnt = llist_entry(n, typeof(*(persistent_gnt)), node); 816 + else 817 + persistent_gnt = NULL; 818 + kfree(tmp); 812 819 } 813 820 info->persistent_gnts_c = 0; 814 821 }
-25
include/linux/llist.h
··· 125 125 (pos) = llist_entry((pos)->member.next, typeof(*(pos)), member)) 126 126 127 127 /** 128 - * llist_for_each_entry_safe - iterate safely against remove over some entries 129 - * of lock-less list of given type. 130 - * @pos: the type * to use as a loop cursor. 131 - * @n: another type * to use as a temporary storage. 132 - * @node: the fist entry of deleted list entries. 133 - * @member: the name of the llist_node with the struct. 134 - * 135 - * In general, some entries of the lock-less list can be traversed 136 - * safely only after being removed from list, so start with an entry 137 - * instead of list head. This variant allows removal of entries 138 - * as we iterate. 139 - * 140 - * If being used on entries deleted from lock-less list directly, the 141 - * traverse order is from the newest to the oldest added entry. If 142 - * you want to traverse from the oldest to the newest, you must 143 - * reverse the order by yourself before traversing. 144 - */ 145 - #define llist_for_each_entry_safe(pos, n, node, member) \ 146 - for ((pos) = llist_entry((node), typeof(*(pos)), member), \ 147 - (n) = (pos)->member.next; \ 148 - &(pos)->member != NULL; \ 149 - (pos) = llist_entry(n, typeof(*(pos)), member), \ 150 - (n) = (&(pos)->member != NULL) ? (pos)->member.next : NULL) 151 - 152 - /** 153 128 * llist_empty - tests whether a lock-less list is empty 154 129 * @head: the list to test 155 130 *
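Review bot: In the blkif_free() hunk the extra cursor `tmp` is not needed and obscures the one ordering that matters; read the next node, free the entry, then advance: `n = persistent_gnt->node.next;` / `kfree(persistent_gnt);` / `persistent_gnt = n ? llist_entry(n, struct grant, node) : NULL;`. The `if (n)` guard before llist_entry() is the essential part and must stay: llist_entry() is container_of(), so applied to a NULL node it yields a pointer 16 bytes below NULL, which is the fffffffffffffff0 address in the BUG line and the `cmpq $-16` in the newer-GCC listing; the termination test has to be on the node pointer, never on a container pointer derived from NULL. `typeof(*(persistent_gnt))` can also just be `struct grant`.

Review bot: Dropping the macro is the right call, but the llist.h hunk deserves a note in the commit message that the macro, not GCC 4.1, is at fault. Its loop test `&(pos)->member != NULL` takes the address of a member through `pos`, which a C compiler may assume points at a valid object, so the comparison folds to true and the loop becomes `;` exactly as shown above; the newer GCC merely happens to keep a compare of the container pointer against -16. Any reintroduction should loop on the node pointer (`node != NULL`) and form `pos` from it only inside the body. The surviving llist_for_each_entry at line 125 advances with the same `llist_entry((pos)->member.next, ...)` step, so its own termination test should get the same review.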