On 07/13/2012 11:37 AM, Alan Cox wrote:
>> Is that clear? Is there something I'm still missing?
>
> Basically if they are not invariant I don't see why it can't go around
> the loop, allocate the buffer, free it and then the next time find there
> is nothing there and thus double free.
>
> Either way if it's patched the problem goes away so it's mostly for my own
> understanding.
The key is that xattrs is a local variable I think.
1) enter the "if" block
2) spin_unlock()
3) xattrs = kcalloc()...
4) spin_lock()
5) version changes, so:
6) kfree everything (now xattrs is invalid)
7) goto start
Then either:
8a) re-enter the "if" block
9a) spin_unlock()
10a) xattrs = kcalloc()... <- now xattrs is valid again
. . .
Or:
8b) do not enter the "if" block
9b) return err... <- xattrs is not referenced again
-Alex
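The interleaving Alex walks through, modelled in user space as an added example (this is not ceph's own code): the lock is reduced to comments, a one-shot "writer" bumps the version while the lock is dropped, and alloc/free counters show that the dangling local is either reassigned (8a) or never read again (8b). All names here (xattr_state, build_xattrs, run_scenario, race_mode) are hypothetical.

```c
#include <stdlib.h>
/* Constructed user-space model of the pattern in the thread: drop the lock,
 * allocate, retake the lock, and free-and-retry if the version moved. Locking
 * is reduced to comments; names (xattr_state, build_xattrs) are hypothetical. */
struct xattr_state { unsigned version, count; char **names; };
static int allocs, frees, retries;
static int race_mode;  /* 0: quiet; 1: writer bumps version; 2: writer bumps and installs its own set */
static void free_names(char **names, unsigned n)
{
    for (unsigned i = 0; i < n; i++) { free(names[i]); frees++; }
    free(names); frees++;
}
/* A concurrent writer that sneaks in while the lock is dropped (fires once). */
static void race_window(struct xattr_state *st)
{
    int mode = race_mode; race_mode = 0;
    if (mode) st->version++;
    if (mode == 2) { st->names = calloc(1, sizeof *st->names); allocs++; st->count = 0; }
}
int build_xattrs(struct xattr_state *st)
{
    char **xattrs;  /* local: reassigned on every pass, so a stale value is never read */
    unsigned count, version;
start:                                   /* reached with the lock held */
    if (!st->names) {                    /* 1) enter the "if" block */
        count = st->count; version = st->version;
        /* 2) spin_unlock() */
        race_window(st);
        xattrs = calloc(count, sizeof *xattrs); allocs++;  /* 3) xattrs = kcalloc() */
        for (unsigned i = 0; i < count; i++) { xattrs[i] = malloc(1); allocs++; }
        /* 4) spin_lock() */
        if (st->version != version) {    /* 5) version changed */
            free_names(xattrs, count); retries++;  /* 6) xattrs is now invalid */
            goto start;                  /* 7) next pass reassigns it (8a) or never reads it (8b) */
        }
        st->names = xattrs;
    }
    /* spin_unlock() */
    return 0;
}
/* Runs one interleaving, tears down, returns the retry count. */
int run_scenario(int mode, unsigned count)
{
    struct xattr_state st = { 7, count, NULL };
    allocs = frees = retries = 0; race_mode = mode;
    build_xattrs(&st);
    free_names(st.names, st.count);
    return retries;
}
int alloc_imbalance(void) { return allocs - frees; }  /* 0: every allocation freed exactly once */
```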