[ofa-general] Re: [PATCH 2/2] IB/ipath - fix QP use after free bug
Ralph Campbell
ralph.campbell at qlogic.com
Wed Jan 16 14:26:51 PST 2008
On Tue, 2008-01-15 at 19:54 -0800, Roland Dreier wrote:
> Am I missing something, or is this still racy, just with a smaller
> window? Couldn't the following still happen?
>
> CPU #1                                            CPU #2
>
> static inline void ipath_schedule_send(struct ipath_qp *qp)
> {
>     if (!test_bit(IPATH_S_DESTROYING, &qp->s_busy))
>     // bit not set yet, continue into if statement...
>
>                                                   // in ipath_destroy_qp() on other CPU:
>
>                                                   set_bit(IPATH_S_DESTROYING, &qp->s_busy);
>
>                                                   /* Stop the sending tasklet. */
>                                                   tasklet_kill(&qp->s_task);
>                                                   // tasklet_kill does nothing,
>                                                   // not scheduled yet...
>
>     tasklet_hi_schedule(&qp->s_task);
>     // uh-oh...
I think you are right. I will have to think about this some more.
> In fact testing qp->s_busy is potentially just as much use-after-free
> as scheduling the tasklet itself...
This should be safe in the receive interrupt handling since it keeps a
reference to the QP but there might be some other races possible
with posting sends and timeouts. I will think some more...
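The interleaving quoted above, as an added user-space C model that is not code from the ipath driver or from either poster. It runs ipath_schedule_send split at exactly the window Roland points at, once as quoted and once with the test-and-schedule and the set_bit each done under one lock (a common way to close such a window; the thread does not say what the driver ended up doing). The tasklet, the lock and kfree() are simulated by fields on a struct, and every name (model_qp, the *_model helpers, racy_* and locked_*) is invented for the model.

```c
/* Added example: user-space model of the race quoted above. Not ipath code;
 * every name here is invented for the model. The tasklet, the lock and
 * kfree() are simulated with struct fields so the interleaving is deterministic. */
#include <stdbool.h>
#include <string.h>

#define DESTROYING (1UL << 0)   /* stands in for the IPATH_S_DESTROYING bit */

struct model_qp {
    unsigned long s_busy;   /* flag word tested by the sender, set by destroy */
    bool task_pending;      /* tasklet_hi_schedule()/tasklet_kill() state */
    bool lock_held;         /* a spinlock shared by sender and destroy */
    bool freed;             /* set by the modelled kfree(qp) instead of freeing */
    int  sends_run;         /* times the send tasklet body executed */
};

/* tasklet_hi_schedule() writes into qp->s_task, so on a freed QP it is a UAF. */
static bool tasklet_hi_schedule_model(struct model_qp *qp)
{
    if (qp->freed)
        return false;
    qp->task_pending = true;
    return true;
}

/* tasklet_kill() waits for a scheduled tasklet to finish; model that by
 * running a pending tasklet body synchronously. Nothing pending: no-op. */
static void tasklet_kill_model(struct model_qp *qp)
{
    if (qp->task_pending) {
        qp->task_pending = false;
        qp->sends_run++;
    }
}

/* ---- Variant 1: as quoted. ipath_schedule_send split at the window. ---- */
static bool racy_step1_test_bit(struct model_qp *qp)
{
    return !(qp->s_busy & DESTROYING);    /* "bit not set yet" */
}
static bool racy_step2_schedule(struct model_qp *qp)
{
    return tasklet_hi_schedule_model(qp); /* "uh-oh" if destroy ran in between */
}
static void racy_destroy_qp(struct model_qp *qp)
{
    qp->s_busy |= DESTROYING;
    tasklet_kill_model(qp);               /* nothing pending: returns at once */
    qp->freed = true;                     /* kfree(qp) */
}

/* Returns false when the tasklet got scheduled on the freed QP. */
bool run_racy_interleaving(void)
{
    struct model_qp qp;
    memset(&qp, 0, sizeof qp);
    if (!racy_step1_test_bit(&qp))        /* CPU #1 */
        return true;
    racy_destroy_qp(&qp);                 /* CPU #2, the whole function */
    return racy_step2_schedule(&qp);      /* CPU #1 continues */
}

/* ---- Variant 2: test-and-schedule and set_bit each under one lock. ---- */
static bool lock_try(struct model_qp *qp)
{
    if (qp->lock_held)
        return false;                     /* a real spinlock would spin here */
    qp->lock_held = true;
    return true;
}
static void lock_release(struct model_qp *qp) { qp->lock_held = false; }

/* Sender, again split in two so the same interleaving can be attempted. */
static bool locked_step1_lock_and_test(struct model_qp *qp, bool *may_send)
{
    if (!lock_try(qp))
        return false;
    *may_send = !(qp->s_busy & DESTROYING);
    return true;
}
static bool locked_step2_schedule_unlock(struct model_qp *qp, bool may_send)
{
    bool ok = may_send ? tasklet_hi_schedule_model(qp) : true;
    lock_release(qp);
    return ok;
}
/* Destroy: false means "would have spun on the lock"; the caller retries. */
static bool locked_destroy_qp(struct model_qp *qp)
{
    if (!lock_try(qp))
        return false;
    qp->s_busy |= DESTROYING;             /* from here on no sender schedules */
    lock_release(qp);
    tasklet_kill_model(qp);               /* runs anything scheduled before that */
    qp->freed = true;
    return true;
}

/* Same attempted interleaving; returns how many send tasklet runs completed
 * before the free, or -1 if the model ever touched the freed QP. */
int run_locked_interleaving(void)
{
    struct model_qp qp;
    bool may_send = false;
    memset(&qp, 0, sizeof qp);
    if (!locked_step1_lock_and_test(&qp, &may_send))   /* CPU #1 takes the lock */
        return -1;
    if (locked_destroy_qp(&qp))                        /* CPU #2 must be held off */
        return -1;
    if (!locked_step2_schedule_unlock(&qp, may_send))  /* CPU #1: live QP, unlock */
        return -1;
    if (!locked_destroy_qp(&qp))                       /* CPU #2 retries: flag, kill, free */
        return -1;
    return qp.task_pending ? -1 : qp.sends_run;
}
```

In the first variant the tasklet is scheduled after the free; in the second, destroy cannot set the bit until the sender's check-and-schedule has finished, so tasklet_kill() sees the pending tasklet and drains it before kfree(). The lock does nothing for Roland's second point, though: if the caller's qp pointer is already dangling, reading s_busy or taking the lock is itself the use-after-free, which is why the caller needs to hold a reference to the QP, as Ralph says the receive path does.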