[openib-general] RE: cm crash

Sean Hefty sean.hefty at intel.com
Sun May 7 20:14:32 PDT 2006


>Another possible issue:
>
>static inline void cm_deref_id(struct cm_id_private *cm_id_priv)
>{
>        if (atomic_dec_and_test(&cm_id_priv->refcount))
>                wake_up(&cm_id_priv->wait);
>}
>
>A thread could test the refcount after atomic_dec_and_test but before
>wake_up(&cm_id_priv->wait), and remove cm_id_priv.
>This would result in use after free.

I believe that this same code structure is in other places in the IB code.
Maybe we're using wait_event() incorrectly to make destruction synchronous?  Is
there some other wait call that can work here, or an atomic dec_and_test_wake_up
that can protect against this?

- Sean
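The pattern in the quoted snippet (drop the last reference, then touch the object again to wake the destroyer) is what makes the window: the destroyer's wait_event() only needs to observe refcount == 0, so it can return and free the object while the releasing thread is still about to call wake_up(&cm_id_priv->wait). The safe shape is to signal the destroyer under a lock that the destroyer must also take before it can proceed, so the releasing thread has finished with the object by the time the destroyer can see it as released; in the kernel that is what a struct completion (complete() / wait_for_completion()) provides. The following is an added, self-contained userland model of that shape using pthreads and C11 atomics, not the ib_cm code and not the kernel's types: cm_id_model, cm_id_model_put, cm_id_model_destroy and run_scenario are hypothetical names chosen for this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <pthread.h>
#include <stdatomic.h>
#include <stdlib.h>
#include <time.h>

/* Hypothetical userland stand-in for cm_id_private (constructed for this
 * example; field names are not the kernel's). */
struct cm_id_model {
    atomic_int refcount;
    pthread_mutex_t lock;        /* guards 'released' and released_cv */
    pthread_cond_t released_cv;
    int released;                /* set once by whoever drops the last ref */
};

struct cm_id_model *cm_id_model_create(void)
{
    struct cm_id_model *p = calloc(1, sizeof(*p));
    if (!p)
        return NULL;
    atomic_init(&p->refcount, 1);    /* creator's reference */
    pthread_mutex_init(&p->lock, NULL);
    pthread_cond_init(&p->released_cv, NULL);
    return p;
}

int cm_id_model_refcount(const struct cm_id_model *p)
{
    return atomic_load(&p->refcount);
}

void cm_id_model_get(struct cm_id_model *p)
{
    atomic_fetch_add(&p->refcount, 1);
}

/* Counterpart of cm_deref_id. Returns 1 if this call dropped the last
 * reference. The signal is raised while holding p->lock, and the destroyer
 * can only observe released == 1 after taking that same lock, so this
 * thread is finished with p before p can be freed. */
int cm_id_model_put(struct cm_id_model *p)
{
    if (atomic_fetch_sub(&p->refcount, 1) != 1)
        return 0;
    pthread_mutex_lock(&p->lock);
    p->released = 1;
    pthread_cond_signal(&p->released_cv);
    pthread_mutex_unlock(&p->lock);
    /* p must not be touched after the unlock: the destroyer may free it now. */
    return 1;
}

/* Counterpart of the destroy path: drop the creator's reference, wait until
 * the last reference has been dropped, then free. */
void cm_id_model_destroy(struct cm_id_model *p)
{
    cm_id_model_put(p);
    pthread_mutex_lock(&p->lock);
    while (!p->released)
        pthread_cond_wait(&p->released_cv, &p->lock);
    pthread_mutex_unlock(&p->lock);
    pthread_cond_destroy(&p->released_cv);
    pthread_mutex_destroy(&p->lock);
    free(p);
}

/* Worker that keeps a reference for a while, like an in-flight handler. */
static void *late_releaser(void *arg)
{
    struct timespec delay = { 0, 20 * 1000 * 1000 };  /* 20 ms: widen the window */
    nanosleep(&delay, NULL);
    cm_id_model_put(arg);
    return NULL;
}

/* Scenario from the mail: destroy runs while another thread still holds a
 * reference and drops it later. Returns 0 on success. */
int run_scenario(void)
{
    struct cm_id_model *p = cm_id_model_create();
    pthread_t t;
    if (!p)
        return -1;
    cm_id_model_get(p);              /* reference for the worker */
    if (pthread_create(&t, NULL, late_releaser, p) != 0) {
        cm_id_model_put(p);          /* worker never ran; give its ref back */
        cm_id_model_destroy(p);
        return -1;
    }
    cm_id_model_destroy(p);          /* blocks until late_releaser has put() */
    pthread_join(t, NULL);
    return 0;
}

/* Single-threaded check that get/put track the count as expected. */
int refcount_sequence_ok(void)
{
    struct cm_id_model *p = cm_id_model_create();
    int ok;
    if (!p)
        return 0;
    cm_id_model_get(p);
    ok = cm_id_model_refcount(p) == 2 && cm_id_model_put(p) == 0 &&
         cm_id_model_refcount(p) == 1;
    cm_id_model_destroy(p);
    return ok;
}

int main(void)
{
    return (refcount_sequence_ok() && run_scenario() == 0) ? 0 : 1;
}
```

Build with `cc -pthread -fsanitize=address` to have the address sanitizer watch the scenario; if cm_id_model_put is rewritten to signal after its last reference drop without the lock, the same interleaving is the one ASan reports as a heap-use-after-free once the window is hit.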


