>static inline void cm_deref_id(struct cm_id_private *cm_id_priv)
>{
>        if (atomic_dec_and_test(&cm_id_priv->refcount))
>                wake_up(&cm_id_priv->wait);
>}
>
>A thread could test the refcount after atomic_dec_and_test but before
>wake_up(&cm_id_priv->wait), and remove cm_id_priv.
>This would result in use after free.

Yes, there is a small race window there.  Hmm, I wonder what the right
way to fix that is.  This construction is used in a number of other
places (e.g. in mthca).

 - R.
_______________________________________________
openib-general mailing list
http://openib.org/mailman/listinfo/openib-general
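
One way to close the window discussed above, as an added userspace (pthreads) example that is not code from this thread or from the kernel: the final decrement and the wake-up happen under the same lock the destroyer sleeps on, so the object cannot be freed between them. `struct obj`, `obj_deref`, `obj_destroy`, `worker` and `run_demo` are hypothetical names, and the 8-thread scenario is constructed.

```c
#include <pthread.h>
#include <stdlib.h>

enum { NWORKERS = 8 };  /* constructed scenario: 8 threads, one reference each */
struct obj {            /* hypothetical userspace stand-in for cm_id_private */
    pthread_mutex_t lock;
    pthread_cond_t  wait;
    int             refcount;   /* protected by lock */
};

/* Decrement and wake-up form one critical section: the destroyer cannot see
 * refcount == 0 until this thread has dropped the lock and is done with o. */
static void obj_deref(struct obj *o)
{
    pthread_mutex_lock(&o->lock);
    if (--o->refcount == 0)
        pthread_cond_signal(&o->wait);
    pthread_mutex_unlock(&o->lock);
}

/* Drop the caller's own reference, wait for all others, then free. */
static void obj_destroy(struct obj *o)
{
    pthread_mutex_lock(&o->lock);
    o->refcount--;
    while (o->refcount != 0)
        pthread_cond_wait(&o->wait, &o->lock);
    pthread_mutex_unlock(&o->lock);
    pthread_cond_destroy(&o->wait);
    pthread_mutex_destroy(&o->lock);
    free(o);
}

static void *worker(void *arg) { obj_deref(arg); return NULL; }

static int run_demo(void)
{
    pthread_t t[NWORKERS];
    int joined = 0;
    struct obj *o = malloc(sizeof(*o));
    if (!o) return -1;
    pthread_mutex_init(&o->lock, NULL);
    pthread_cond_init(&o->wait, NULL);
    o->refcount = NWORKERS + 1;     /* workers' references + the destroyer's */
    for (int i = 0; i < NWORKERS; i++) pthread_create(&t[i], NULL, worker, o);
    obj_destroy(o);
    for (int i = 0; i < NWORKERS; i++) joined += (pthread_join(t[i], NULL) == 0);
    return joined;
}
```

With the quoted construction, the thread that drops the count to zero still touches the object's wait queue after another thread can already observe zero; here that access is finished before the lock is released.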