On Wed, Jul 06, 2005 at 08:59:49PM +0300, Michael S. Tsirkin wrote:
> The current sdp_conn_put/sdp_conn_hold implementation
> seems to be subject to the following race condition:
>
> - thread A calls sdp_conn_put, atomic dec and test returns 0
> - thread B looks up the connection and calls sdp_conn_get,
>   incrementing the reference count back to 1
> - thread A now goes on to call sdp_conn_destroy, which will
>   destroy the connection
> - thread B is left with an invalid connection pointer

Thanks for bringing this up. I had noticed it, but never got back around to actually fixing it.

The solution description

> As a solution
> - sdp_conn_put is moved out of line. Checking the connection
>   reference count is done under the connection table spinlock
>   atomically, removing the connection from the lookup table
>   if the reference drops to 0.
>
> - a new call sdp_conn_put_light is provided for when we
>   know this isn't the last reference to the connection.
>   This is useful not only for performance reasons, but
>   also for documentation/code clarity purposes: when
>   sdp_conn_put_light is used, this isn't the last reference;
>   when sdp_conn_put is used, this may be the last reference.

Yes, this would be the right fix for the problem. I'll take a look at the patch, but I only saw part 2/2 and not 1/2 on the list. Can you resend it?

-Libor
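The put/lookup discipline described in the quoted solution, as an added C example that is not the OpenIB SDP code: lookup raises the refcount and sdp_conn_put does its dec-and-test and table unlink under the same spinlock, so the window in the race above cannot open. The one-slot-per-id table, the atomic_flag spinlock and the g_destroyed counter are constructed stand-ins for the real connection table.

```c
#include <assert.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdlib.h>
/* Constructed stand-in for the SDP connection table: one slot per id, not the OpenIB code. */
#define TABLE_SIZE 8
struct sdp_conn { int id; atomic_int refcnt; };
static struct sdp_conn *conn_table[TABLE_SIZE];
static atomic_flag table_lock = ATOMIC_FLAG_INIT; /* the connection table spinlock */
int g_destroyed;                                   /* number of destroys, for checking */
static void table_lock_acquire(void) { while (atomic_flag_test_and_set(&table_lock)) { } }
static void table_lock_release(void) { atomic_flag_clear(&table_lock); }
static void sdp_conn_destroy(struct sdp_conn *c) { g_destroyed++; free(c); }

/* Allocate with one reference (the table's own) and publish it under the lock. */
struct sdp_conn *sdp_conn_create(int id) {
    struct sdp_conn *c = calloc(1, sizeof *c);
    if (!c) return NULL;
    c->id = id;
    atomic_init(&c->refcnt, 1);
    table_lock_acquire();
    conn_table[id % TABLE_SIZE] = c;
    table_lock_release();
    return c;
}

/* Lookup takes its reference under the lock sdp_conn_put() uses to drop the last one. */
struct sdp_conn *sdp_conn_lookup(int id) {
    table_lock_acquire();
    struct sdp_conn *c = conn_table[id % TABLE_SIZE];
    if (c && c->id == id) atomic_fetch_add(&c->refcnt, 1); else c = NULL;
    table_lock_release();
    return c;
}

/* Caller knows another reference remains: a plain decrement that must not reach 0. */
void sdp_conn_put_light(struct sdp_conn *c) {
    int old = atomic_fetch_sub(&c->refcnt, 1);
    assert(old > 1); (void)old;
}

/* May be the last reference: decrement, test and unlink inside the spinlock, then
 * destroy outside it. A lookup either raises the count before our test or misses. */
void sdp_conn_put(struct sdp_conn *c) {
    table_lock_acquire();
    bool last = (atomic_fetch_sub(&c->refcnt, 1) == 1);
    if (last) conn_table[c->id % TABLE_SIZE] = NULL;
    table_lock_release();
    if (last) sdp_conn_destroy(c);
}
```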
