[ofa-general] [RFC] ipoib: avoid using stale ipoib_neigh* in ipoib_neigh_cleanup()
Roland Dreier
rdreier at cisco.com
Wed May 20 10:28:38 PDT 2009
> We've seen a few instances of a crash in ipoib_neigh_cleanup() due to
> the use of a stale pointer:
>
> 848 neigh = *to_ipoib_neigh(n); <- read neigh (no locking)
> .....
> 858 spin_lock_irqsave(&priv->lock, flags);
> 859
> 860 if (neigh->ah) <--- at this point neigh may be stale
> 861 ah = neigh->ah;
> 862 list_del(&neigh->list);
> 863 ipoib_neigh_free(n->dev, neigh);
> 864
> 865 spin_unlock_irqrestore(&priv->lock, flags);
I'd like to understand the bug first -- how is the neighbour being
destroyed out from under us in ipoib_neigh_cleanup()? I would have
thought the cleanup function would run when no references to the struct
remain but before it's freed.
- R.
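To make the ordering problem in the quoted snippet concrete, here is an added, constructed model (not the ipoib driver's code): the stale-pointer window is reproduced deterministically by injecting a hypothetical concurrent_free callback between the unlocked read and the lock acquisition, and the same cleanup is shown with the read moved under the lock.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed model of the race in the quoted snippet (not the kernel code):
 * a neighbour holds a slot pointing at a private object plus the lock that
 * is meant to protect that slot. The lock is a plain flag because the
 * interleaving is injected explicitly, so everything runs single-threaded. */
struct neigh_obj { bool freed; };            /* stands in for struct ipoib_neigh */
struct neighbour { struct neigh_obj *slot; bool locked; };  /* *to_ipoib_neigh(n), priv->lock */

/* Hypothetical "other CPU" that frees the object while cleanup is in flight.
 * It only marks the object freed, so a stale use is observable without UB. */
typedef void (*interleave_fn)(struct neighbour *n);
static void concurrent_free(struct neighbour *n) {
    n->locked = true;
    if (n->slot) { n->slot->freed = true; n->slot = NULL; }
    n->locked = false;
}

/* Buggy pattern from lines 848-860: read neigh, then take the lock.
 * Returns true if the function went on to use an already-freed object. */
static bool cleanup_unlocked_read(struct neighbour *n, interleave_fn race) {
    struct neigh_obj *neigh = n->slot;       /* read with no locking */
    if (!neigh) return false;
    race(n);                                 /* window: another CPU frees neigh */
    n->locked = true;                        /* spin_lock_irqsave() */
    bool stale = neigh->freed;               /* neigh may be stale here */
    n->slot = NULL;
    n->locked = false;
    return stale;
}

/* Defensive pattern: take the lock first and read the slot under it. */
static bool cleanup_locked_read(struct neighbour *n, interleave_fn race) {
    race(n);                                 /* same interleaving, before our lock */
    n->locked = true;
    struct neigh_obj *neigh = n->slot;       /* read under the lock */
    bool stale = neigh ? neigh->freed : false;
    n->slot = NULL;
    n->locked = false;
    return stale;
}

/* Runs one cleanup variant with the concurrent free injected into its window. */
static bool run_scenario(bool locked_read) {
    struct neigh_obj obj = { false };
    struct neighbour n = { &obj, false };
    return locked_read ? cleanup_locked_read(&n, concurrent_free)
                       : cleanup_unlocked_read(&n, concurrent_free);
}
```

The unlocked-read variant reports a stale use because the pointer it captured before locking no longer matches the slot; the locked-read variant sees the cleared slot and does nothing.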