On Tue, Nov 26, 2013 at 5:24 PM, Rafael J. Wysocki <r...@rjwysocki.net> wrote:
>
> So assume pci_destroy_dev() is called twice in parallel for the same dev
> by two different threads. Thread 1 does the atomic_inc_and_test() and
> finds that it is OK to do the device_del() and put_device() which causes
> the device object to be freed. Then thread 2 does the atomic_inc_and_test()
> on the already freed device object and crashes the kernel.
>
thread2 should still hold one extra reference.
that is in
device_schedule_callback
==> sysfs_schedule_callback
==> kobject_get(kobj)
pci_destroy_dev for thread2 is called at this point.
and that reference will be released from
sysfs_schedule_callback
==> kobject_put()...
Thanks
Yinghai
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
