[openib-general] [PATCH] sdp_conn_put/sdp_conn_hold race
Libor Michalek
libor at topspin.com
Tue Jul 19 16:19:15 PDT 2005
On Wed, Jul 06, 2005 at 08:59:49PM +0300, Michael S. Tsirkin wrote:
> The current sdp_conn_put/sdp_conn_hold implementation
> seems to be subject to the following race condition:
>
> - thread A calls sdp_conn_put, atomic dec and test returns 0
> - thread B looks up the connection and calls sdp_conn_get,
> incrementing the reference count back to 1
> - thread A now goes on to call sdp_conn_destroy, which will
> destroy the connection
> - thread B is left with an invalid connection pointer
Thanks for bringing this up. I had noticed it but never got back
around to actually fixing it. The solution description:
> As a solution
> - sdp_conn_put is moved out of line. checking connection
> reference count is done under the connection table spinlock
> atomically, removing the connection from lookup table
> if the reference drops to 0.
>
> - a new call sdp_conn_put_light is provided for when we
> know this isn't the last reference to the connection.
> This is useful not only for performance reasons, but
> also for documentation/code clarity purposes: when
> sdp_conn_put_light is used, this isn't the last reference,
> when sdp_conn_put is used, this may be the last reference.
Yes, this would be the right fix for the problem. I'll take a look
at the patch, but I only saw part 2/2 and not 1/2 on the list; can
you resend it?
-Libor
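The race Michael describes, and the proposed fix (dec-and-test plus removal from the lookup table under the table spinlock, with a lock-free sdp_conn_put_light for non-final references), as an added C example that is not from the patch or the SDP driver. All names and bodies are hypothetical models of what the mail describes; an atomic_flag spin stands in for the kernel spinlock, and the interleaving of threads A and B is modelled by sequential calls.

```c
#include <stdatomic.h>
#include <stdlib.h>

/* Hypothetical minimal model of an SDP connection and its lookup table; names
 * follow the patch description, the bodies are not the driver's real code. */
struct sdp_conn { int hashent; atomic_int refcnt; int destroyed; }; /* hashent: table slot */

#define SDP_TABLE_SIZE 16
static struct sdp_conn *conn_table[SDP_TABLE_SIZE];
static atomic_flag table_lock = ATOMIC_FLAG_INIT;   /* the connection table spinlock */
static void table_lock_acquire(void) { while (atomic_flag_test_and_set(&table_lock)) {} }
static void table_lock_release(void) { atomic_flag_clear(&table_lock); }
/* Stands in for teardown: marks instead of freeing so the outcome can be observed. */
void sdp_conn_destroy(struct sdp_conn *conn) { conn->destroyed = 1; }

struct sdp_conn *sdp_conn_create(int hashent) {
    struct sdp_conn *c = calloc(1, sizeof *c);
    c->hashent = hashent;
    atomic_init(&c->refcnt, 1);               /* the creator's reference */
    table_lock_acquire(); conn_table[hashent] = c; table_lock_release();
    return c;
}

/* Lookup takes a reference (sdp_conn_hold) while holding the table lock. */
struct sdp_conn *sdp_conn_table_lookup(int hashent) {
    table_lock_acquire();
    struct sdp_conn *c = conn_table[hashent];
    if (c) atomic_fetch_add(&c->refcnt, 1);
    table_lock_release();
    return c;
}

/* Old behaviour: dec-and-test outside the table lock. Returns 1 when the caller
 * must destroy, but the entry is still in conn_table, so a concurrent lookup
 * (thread B in the report) can still find it and hold it. */
int sdp_conn_put_racy(struct sdp_conn *conn) { return atomic_fetch_sub(&conn->refcnt, 1) == 1; }

/* Fixed behaviour: decrement, test and removal from the table form one critical
 * section, so no lookup can hand out a connection whose count reached zero. */
int sdp_conn_put(struct sdp_conn *conn) {
    table_lock_acquire();
    if (atomic_fetch_sub(&conn->refcnt, 1) != 1) { table_lock_release(); return 0; }
    conn_table[conn->hashent] = NULL;         /* no new lookup can find it */
    table_lock_release();
    sdp_conn_destroy(conn);
    return 1;
}

/* Caller guarantees this is not the last reference, so the lock is skipped. */
void sdp_conn_put_light(struct sdp_conn *conn) { atomic_fetch_sub(&conn->refcnt, 1); }
```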