On 2/12/18 8:25 AM, Thomas Gleixner wrote:
On Tue, 6 Feb 2018, Yang Shi wrote:+ /* + * Reuse objs from the global free list, they will be reinitialized + * when allocating + */ + while (obj_nr_tofree > 0 && (obj_pool_free < obj_pool_min_free)) { + raw_spin_lock_irqsave(&pool_lock, flags); + obj = hlist_entry(obj_to_free.first, typeof(*obj), node);This is racy vs. the worker thread. Assume obj_nr_tofree = 1: CPU0 CPU1 worker lock(&pool_lock); while (obj_nr_tofree > 0 && ...) { obj = hlist_entry(obj_to_free); lock(&pool_lock); hlist_del(obj); obj_nr_tofree--; ... unlock(&pool_lock); obj = hlist_entry(obj_to_free); hlist_del(obj); <------- NULL pointer dereference Not what you want, right? The counter or the list head need to be rechecked after the lock is acquired.
Yes, you are right. Will fix the race in newer version. Regards, Yang
+ hlist_del(&obj->node); + obj_nr_tofree--; + hlist_add_head(&obj->node, &obj_pool); + obj_pool_free++; + raw_spin_unlock_irqrestore(&pool_lock, flags); + }Thanks, tglx
