[openib-general] Re: cm crash
Roland Dreier
rdreier at cisco.com
Mon May 8 08:50:04 PDT 2006
>static inline void cm_deref_id(struct cm_id_private *cm_id_priv)
>{
>    if (atomic_dec_and_test(&cm_id_priv->refcount))
>        wake_up(&cm_id_priv->wait);
>}
>
>A thread could test the refcount after atomic_dec_and_test but before
>wake_up(&cm_id_priv->wait), and remove cm_id_priv.
>This would result in use after free.
Yes, there is a small race window there. Hmm, I wonder what the right
way to fix that is. This construction is used a number of other
places (e.g. in mthca).
- R.
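
Added example, not part of the original thread or the openib code: a userspace C/pthreads model of the teardown discussed above, in which the final put sets a flag under a lock the destroyer must also take, so the destroyer cannot free the object while the waking thread is still touching it. `struct obj`, `obj_put` and `destroy_with_workers` are hypothetical names chosen for the illustration.

```c
#include <pthread.h>
#include <stdatomic.h>
#include <stdlib.h>

struct obj {			/* hypothetical stand-in for cm_id_private */
	atomic_int refcount;
	pthread_mutex_t lock;
	pthread_cond_t wait;
	int done;		/* written only under lock, by the final put */
};

/* Final put: the unlock is this thread's last access to *o. */
static void obj_put(struct obj *o)
{
	if (atomic_fetch_sub(&o->refcount, 1) == 1) {
		pthread_mutex_lock(&o->lock);
		o->done = 1;
		pthread_cond_signal(&o->wait);
		pthread_mutex_unlock(&o->lock);
	}
}
static void *worker(void *arg) { obj_put(arg); return NULL; }

/* Returns the refcount seen just before free (0), or -1 on bad input. */
int destroy_with_workers(int nworkers)
{
	pthread_t tid[16];
	struct obj *o = malloc(sizeof(*o));
	int n = 0, left;
	if (!o || nworkers < 0 || nworkers > 16) { free(o); return -1; }
	atomic_init(&o->refcount, nworkers + 1);
	pthread_mutex_init(&o->lock, NULL);
	pthread_cond_init(&o->wait, NULL);
	o->done = 0;
	while (n < nworkers && !pthread_create(&tid[n], NULL, worker, o))
		n++;
	for (int i = n; i < nworkers; i++)
		obj_put(o);	/* refs of threads that never started */
	obj_put(o);		/* destroyer's own reference */
	pthread_mutex_lock(&o->lock);
	while (!o->done)	/* wait on the flag, not on refcount */
		pthread_cond_wait(&o->wait, &o->lock);
	pthread_mutex_unlock(&o->lock);
	left = atomic_load(&o->refcount);
	pthread_cond_destroy(&o->wait);
	pthread_mutex_destroy(&o->lock);
	free(o);
	for (int i = 0; i < n; i++)
		pthread_join(tid[i], NULL);
	return left;
}
```

The destroyer waits on `done` rather than on `refcount`, so seeing the count reach zero is never enough on its own to proceed to `free()`.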