[openib-general] Re: cm crash
Michael S. Tsirkin
mst at mellanox.co.il
Sun May 7 22:42:01 PDT 2006
Quoting r. Sean Hefty <sean.hefty at intel.com>:
> Subject: RE: cm crash
>
> >Another possible issue:
> >
> >static inline void cm_deref_id(struct cm_id_private *cm_id_priv)
> >{
> >	if (atomic_dec_and_test(&cm_id_priv->refcount))
> >		wake_up(&cm_id_priv->wait);
> >}
> >
> >A thread could test the refcount after atomic_dec_and_test but before
> >wake_up(&cm_id_priv->wait), and remove cm_id_priv.
> >This would result in use after free.
>
> I believe that this same code structure is in other places in the IB code.
Where?
> Maybe we're using wait_event() incorrectly to make destruction synchronous? Is
> there some other wait call that can work here, or an atomic dec_and_test_wake_up
> that can protect against this?
>
> - Sean
>
--
MST
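The interleaving described above (decrement, destroyer observes zero and frees, then wake_up runs on freed memory), as an added deterministic model that is not part of this thread or of the ib_cm code. The struct, the `allocated` flag standing in for kfree(), the `destroyer_runs` hook standing in for the other CPU getting to run between the two halves of cm_deref_id(), and the lock-protected variant are all constructed for illustration; the thread itself proposes no fix, and the locked variant here is only one way of closing the window (the releaser holds a lock across the decrement and the wake-up, and the destroyer takes that same lock before freeing, so it cannot free while the releaser is still inside wake_up()).

```c
#include <stdbool.h>
#include <stdio.h>

/* Model of cm_id_private: a refcount, a lock, and a flag that stands in
 * for "the memory is still allocated". Constructed, not the kernel struct. */
struct cm_id_model {
    int  refcount;        /* stands in for atomic_t refcount */
    bool lock_held;       /* stands in for a spinlock around dec + wake_up */
    bool allocated;       /* cleared by the destroyer's "kfree()" */
    bool destroy_pending; /* destroyer saw refcount == 0 but is blocked on the lock */
};

/* Destroying context. Its wait_event() condition is "refcount == 0".
 * With use_lock it must also acquire the lock before freeing, so it
 * cannot run kfree() while the releaser is still between dec and wake_up. */
static void destroyer_runs(struct cm_id_model *id, bool use_lock)
{
    if (id->refcount != 0)
        return;                      /* wait_event() condition not yet true */
    if (use_lock && id->lock_held) {
        id->destroy_pending = true;  /* spinning on the lock; runs after unlock */
        return;
    }
    id->allocated = false;           /* kfree(cm_id_priv) */
}

/* Releasing context: cm_deref_id() split into its two halves, with the
 * destroyer explicitly given a chance to run in between. Returns true
 * when the wake_up half would touch freed memory. */
static bool releaser_derefs(struct cm_id_model *id, bool use_lock)
{
    bool uaf = false;

    if (use_lock)
        id->lock_held = true;

    bool last = (--id->refcount == 0);   /* atomic_dec_and_test() */

    destroyer_runs(id, use_lock);        /* other CPU sees refcount == 0 now */

    if (last) {
        if (!id->allocated)
            uaf = true;                  /* wake_up(&id->wait) on freed memory */
        /* otherwise wake_up(&id->wait) proceeds on live memory */
    }

    if (use_lock) {
        id->lock_held = false;           /* spin_unlock: last touch of the object */
        if (id->destroy_pending)
            destroyer_runs(id, use_lock); /* destroyer gets the lock and frees */
    }
    return uaf;
}

/* The bare pattern quoted in the thread under this interleaving: use after free. */
bool race_with_bare_deref(void)
{
    struct cm_id_model id = { .refcount = 1, .allocated = true };
    return releaser_derefs(&id, false);
}

/* Same interleaving with dec + wake_up under a lock the destroyer also takes. */
bool race_with_locked_deref(void)
{
    struct cm_id_model id = { .refcount = 1, .allocated = true };
    return releaser_derefs(&id, true);
}

/* The locked variant still frees the object once the releaser is done. */
bool locked_deref_frees_object(void)
{
    struct cm_id_model id = { .refcount = 1, .allocated = true };
    releaser_derefs(&id, true);
    return !id.allocated;
}

int main(void)
{
    printf("bare deref, destroyer runs between dec and wake_up: uaf=%d\n",
           race_with_bare_deref());
    printf("locked deref, same interleaving: uaf=%d, freed afterwards=%d\n",
           race_with_locked_deref(), locked_deref_frees_object());
    return 0;
}
```

The model is single-threaded on purpose: the window between atomic_dec_and_test() and wake_up() is a few instructions wide on real hardware and will not reproduce reliably with threads, so the preemption point is made explicit instead. The only property the locked variant relies on is that the destroyer cannot acquire the lock until the releaser has finished its wake-up and released it.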