[ofa-general] Re: [PATCH 2/2] IB/ipath - fix QP use after free bug
Roland Dreier
rdreier at cisco.com
Tue Jan 15 19:54:35 PST 2008
Am I missing something, or is this still racy, just with a smaller
window? Couldn't the following still happen?
CPU #1                                          CPU #2

static inline void ipath_schedule_send(struct ipath_qp *qp)
{
	if (!test_bit(IPATH_S_DESTROYING, &qp->s_busy))
	// bit not set yet, continue into if statement...

                                                // in ipath_destroy_qp() on other CPU:
                                                set_bit(IPATH_S_DESTROYING, &qp->s_busy);

                                                /* Stop the sending tasklet. */
                                                tasklet_kill(&qp->s_task);
                                                // tasklet_kill does nothing,
                                                // not scheduled yet...

		tasklet_hi_schedule(&qp->s_task);
	// uh-oh...
In fact testing qp->s_busy is potentially just as much use-after-free
as scheduling the tasklet itself...
- R.
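Added here as an illustration, not code from the patch or from the mail above: a small exhaustive model of the two CPU sequences the reply describes. It enumerates every interleaving of test_bit()/tasklet_hi_schedule() against set_bit()/tasklet_kill() and reports whether any of them ends with the tasklet still pending on a QP that destroy has finished with. The "locked" variant, where each side's two steps execute atomically, is an assumed fix used for contrast, not something the thread proposes.

```c
#include <stdbool.h>
#include <stdio.h>
/* Model state: the IPATH_S_DESTROYING bit, whether s_task is pending, and what CPU #1's test_bit() saw. */
struct model { bool destroying, scheduled, saw_clear; };
enum step { CHECK, SCHED, CHECK_AND_SCHED, SET_FLAG, KILL, SET_AND_KILL };
static void apply(struct model *m, enum step s)
{
	switch (s) {
	case CHECK:           m->saw_clear = !m->destroying; break;          /* test_bit() */
	case SCHED:           if (m->saw_clear) m->scheduled = true; break;  /* tasklet_hi_schedule() */
	case CHECK_AND_SCHED: if (!m->destroying) m->scheduled = true; break; /* both under one lock (assumed fix) */
	case SET_FLAG:        m->destroying = true; break;                   /* set_bit() */
	case KILL:            m->scheduled = false; break;                   /* tasklet_kill(): nothing pending after it */
	case SET_AND_KILL:    m->destroying = true; m->scheduled = false; break;
	}
}

/* Depth-first search over every interleaving of the two CPUs' step lists; true if some
 * interleaving ends with s_task still scheduled, i.e. it would run on an already-destroyed QP. */
static bool bad_reachable(struct model m, const enum step *a, int na, const enum step *b, int nb)
{
	if (na == 0 && nb == 0) return m.scheduled;
	if (na > 0) {
		struct model n = m; apply(&n, a[0]);
		if (bad_reachable(n, a + 1, na - 1, b, nb)) return true;
	}
	if (nb > 0) {
		struct model n = m; apply(&n, b[0]);
		if (bad_reachable(n, a, na, b + 1, nb - 1)) return true;
	}
	return false;
}

/* locked == false: the code as quoted in the mail, test_bit() and the schedule as two separate
 * steps. locked == true: an assumed fix where each side's two steps execute atomically. */
bool bug_reachable(bool locked)
{
	const enum step send[] = { CHECK, SCHED }, destroy[] = { SET_FLAG, KILL };
	const enum step send_l[] = { CHECK_AND_SCHED }, destroy_l[] = { SET_AND_KILL };
	struct model init = { false, false, false };
	return locked ? bad_reachable(init, send_l, 1, destroy_l, 1)
		      : bad_reachable(init, send, 2, destroy, 2);
}

int main(void)
{
	printf("as posted: %s\n", bug_reachable(false) ? "tasklet can run after destroy" : "safe");
	printf("locked:    %s\n", bug_reachable(true) ? "tasklet can run after destroy" : "safe");
	return 0;
}
```

The interleaving that trips the first case is exactly the one drawn in the mail: check, set_bit, tasklet_kill, then the schedule.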