[openib-general] [PATCH] sdp_conn_put/sdp_conn_hold race

Libor Michalek libor at topspin.com
Tue Jul 19 16:19:15 PDT 2005


On Wed, Jul 06, 2005 at 08:59:49PM +0300, Michael S. Tsirkin wrote:
> The current sdp_conn_put/sdp_conn_hold implementation
> seems to be subject to the following race condition:
> 
> - thread A calls sdp_conn_put, atomic dec and test returns 0
> - thread B looks up the connection and calls sdp_conn_get,
>   incrementing the reference count back to 1
> - thread A now goes on to call sdp_conn_destroy, which will
>   destroy the connection
> - thread B is left with an invalid connection pointer 

  Thanks for bringing this up, I had noticed it, but never got back
around to actually fixing it. The solution description

> As a solution
> - sdp_conn_put is moved out of line. checking connection
>   reference count is done under the connection table spinlock
>   atomically, removing the connection from lookup table
>   if the reference drops to 0.
> 
> - a new call sdp_conn_put_light is provided for when we
>   know this isn't the last reference to the connection.
>   This is useful not only for performance reasons, but 
>   also for documentation/code clarity purposes: when
>   sdp_conn_put_light is used, this isn't the last reference,
>   when sdp_conn_put is used, this may be the last reference.

  Yes, this would be the right fix for the problem, I'll take a look
at the patch, but I only saw part 2/2 and not 1/2 on the list, can
you resend it? 

-Libor
