The current sdp_conn_put/sdp_conn_hold implementation seems to be subject to the following race condition:
- thread A calls sdp_conn_put, atomic dec and test returns 0
- thread B looks up the connection and calls sdp_conn_get, incrementing the reference count back to 1
- thread A now goes on to call sdp_conn_destroy, which will destroy the connection
- thread B is left with an invalid connection pointer

As a solution:
- sdp_conn_put is moved out of line. Checking the connection reference count is done under the connection table spinlock atomically, removing the connection from the lookup table if the reference drops to 0.
- a new call sdp_conn_put_light is provided for when we know this isn't the last reference to the connection. This is useful not only for performance reasons, but also for documentation/code clarity purposes: when sdp_conn_put_light is used, this isn't the last reference; when sdp_conn_put is used, this may be the last reference.

Patches follow. Please comment.

--
MST
_______________________________________________
openib-general mailing list
http://openib.org/mailman/listinfo/openib-general
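The fix described in the post, as an added illustration that is not part of the posted patches or of the SDP code itself: a toy connection table where the reference-count decrement and the removal from the lookup table happen under the same table lock, so a concurrent lookup can never obtain a pointer to a connection whose count has already hit 0. The table layout, the atomic_flag spin lock standing in for the kernel spinlock, and the sdp_conn_alloc/sdp_conn_lookup/sdp_conn_refcnt/sdp_conn_destroyed_total helpers are constructed for this example and are not the real SDP API.

```c
#include <stdatomic.h>
#include <stdlib.h>

/* Constructed model of an SDP connection lookup table (not the real SDP code):
 * a fixed-size array searched linearly, protected by an atomic_flag spin lock
 * that stands in for the connection table spinlock. */
#define CONN_TABLE_SIZE 8

struct sdp_conn {
    int id;
    atomic_int refcnt;
};

static struct sdp_conn *conn_table[CONN_TABLE_SIZE];
static atomic_flag conn_table_lock = ATOMIC_FLAG_INIT;
static int destroyed_total;   /* how many connections have been freed */

static void conn_table_lock_acquire(void)
{
    while (atomic_flag_test_and_set_explicit(&conn_table_lock, memory_order_acquire))
        ;   /* spin */
}

static void conn_table_lock_release(void)
{
    atomic_flag_clear_explicit(&conn_table_lock, memory_order_release);
}

/* Only ever called after the connection is unreachable through the table. */
static void sdp_conn_destroy(struct sdp_conn *conn)
{
    destroyed_total++;
    free(conn);
}

/* Allocate a connection with one reference and publish it in the table. */
struct sdp_conn *sdp_conn_alloc(int id)
{
    struct sdp_conn *conn = malloc(sizeof(*conn));
    if (!conn)
        return NULL;
    conn->id = id;
    atomic_init(&conn->refcnt, 1);

    conn_table_lock_acquire();
    for (int i = 0; i < CONN_TABLE_SIZE; i++) {
        if (!conn_table[i]) {
            conn_table[i] = conn;
            conn_table_lock_release();
            return conn;
        }
    }
    conn_table_lock_release();
    free(conn);          /* table full */
    return NULL;
}

/* Take an extra reference on a connection the caller already holds. */
void sdp_conn_hold(struct sdp_conn *conn)
{
    atomic_fetch_add_explicit(&conn->refcnt, 1, memory_order_relaxed);
}

/* Look up by id and take a reference under the table lock. Since sdp_conn_put
 * unlinks the entry under the same lock before releasing it, a lookup can
 * never return a connection whose count has already reached 0. */
struct sdp_conn *sdp_conn_lookup(int id)
{
    struct sdp_conn *found = NULL;
    conn_table_lock_acquire();
    for (int i = 0; i < CONN_TABLE_SIZE; i++) {
        if (conn_table[i] && conn_table[i]->id == id) {
            found = conn_table[i];
            sdp_conn_hold(found);
            break;
        }
    }
    conn_table_lock_release();
    return found;
}

/* Drop a reference that may be the last one. The decrement and the unlink are
 * one critical section, closing the window the race in the post relies on.
 * Returns 1 if the connection was destroyed, 0 otherwise. */
int sdp_conn_put(struct sdp_conn *conn)
{
    conn_table_lock_acquire();
    if (atomic_fetch_sub_explicit(&conn->refcnt, 1, memory_order_acq_rel) != 1) {
        conn_table_lock_release();
        return 0;
    }
    for (int i = 0; i < CONN_TABLE_SIZE; i++) {
        if (conn_table[i] == conn) {
            conn_table[i] = NULL;
            break;
        }
    }
    conn_table_lock_release();
    sdp_conn_destroy(conn);
    return 1;
}

/* Drop a reference the caller knows is not the last one: no lock needed.
 * Returns the remaining count; aborts if the caller's promise was wrong. */
int sdp_conn_put_light(struct sdp_conn *conn)
{
    int old = atomic_fetch_sub_explicit(&conn->refcnt, 1, memory_order_acq_rel);
    if (old <= 1)
        abort();   /* this must not have been the last reference */
    return old - 1;
}

int sdp_conn_refcnt(struct sdp_conn *conn) { return atomic_load(&conn->refcnt); }
int sdp_conn_destroyed_total(void) { return destroyed_total; }
```

The point of the lock in sdp_conn_put is not the decrement itself (that is already atomic) but the pairing of "count reached 0" with "entry removed": thread B's lookup either runs before thread A's critical section and bumps the count to 2, so A's put returns 0, or runs after it and finds nothing. sdp_conn_put_light skips the lock entirely, which is safe only under the caller's guarantee that another reference outlives this one.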
