Quoting r. Krishna Kumar <[EMAIL PROTECTED]>:

> Subject: [PATCH] Fix freed mem deref race in
> cma_process_remove/cma_req_handler
>
> The race is as follows:
>
> A process : cma_process_remove() calls cma_remove_id_dev(),
>             which sets id state to CMA_DEVICE_REMOVAL and
>             calls wait_event(dev_remove).
>
> B process : cma_req_handler() had incremented dev_remove,
>             and calls cma_acquire_ib_dev() and on failure
>             calls cma_release_remove(), which does a
>             wake_up of cma_process_remove(). Then
>             cma_req_handler() calls rdma_destroy_id();
>
> A Process : cma_remove_id_dev() gets woken and checks the
>             state of id, and since it is still (wrongly)
>             CMA_DEVICE_REMOVAL, it calls notify_user(id)
>             and if that fails, the caller - cma_process_remove()
>             calls rdma_destroy_id(id). Two processes can
>             call rdma_destroy_id(), resulting in one
>             de-referencing kfreed id_priv.
>
> Fix is for process B to set CMA_DESTROYING in cma_req_handler()
> so that process A will return instead of doing a rdma_destroy_id().
>
> Signed-off-by: Krishna Kumar <[EMAIL PROTECTED]>
Did you actually see these crashes? If yes, this looks serious enough even for 2.6.18.

Sean?

-- 
MST
_______________________________________________
openib-general mailing list
[email protected]
http://openib.org/mailman/listinfo/openib-general
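To see why setting CMA_DESTROYING closes the race, here is an added single-threaded C model of the interleaving in the quoted report. It is not the kernel's cma.c: the function and state names follow the report, the struct layout and the failing notify_user() path are simplifications, and the two processes are replayed as ordered steps.

```c
#include <stdbool.h>

/* Simplified model of the race in the patch description, not kernel code.
 * Only the states the report mentions are modelled. */
enum cma_state { CMA_CONNECT, CMA_DEVICE_REMOVAL, CMA_DESTROYING };

struct id_priv {
    enum cma_state state;
    int dev_remove;     /* handlers that must finish before removal */
    int destroy_calls;  /* how many times rdma_destroy_id() ran */
};

static void rdma_destroy_id(struct id_priv *id)
{
    /* A second call here is the bug: it would touch a kfreed id_priv. */
    id->destroy_calls++;
}

/* Process B: cma_req_handler() after cma_acquire_ib_dev() failed. */
static void cma_req_handler_fail(struct id_priv *id, bool with_fix)
{
    if (with_fix)
        id->state = CMA_DESTROYING;  /* the patch's change: B owns teardown */
    id->dev_remove--;                /* cma_release_remove(): wakes process A */
    rdma_destroy_id(id);
}

/* Process A: cma_remove_id_dev() resumes from wait_event(dev_remove). */
static void cma_remove_id_dev_wakeup(struct id_priv *id)
{
    if (id->state == CMA_DESTROYING)
        return;                      /* fixed path: leave it to process B */
    /* Unfixed path: state is still CMA_DEVICE_REMOVAL, notify_user() is
     * assumed to fail, so cma_process_remove() destroys the id as well. */
    rdma_destroy_id(id);
}

/* Replays the reported interleaving; returns the rdma_destroy_id() count. */
int run_race(bool with_fix)
{
    struct id_priv id = { CMA_CONNECT, 0, 0 };
    id.dev_remove++;                     /* B: entered cma_req_handler() */
    id.state = CMA_DEVICE_REMOVAL;       /* A: cma_remove_id_dev() */
    /* A now blocks in wait_event() until dev_remove drops to zero. */
    cma_req_handler_fail(&id, with_fix); /* B: release, then destroy */
    cma_remove_id_dev_wakeup(&id);       /* A: woken, rechecks state */
    return id.destroy_calls;
}
```

With the fix the id is destroyed exactly once; without it both processes call rdma_destroy_id() on the same id_priv.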
