On Mon, Apr 27, 2015 at 08:24:53PM -0700, Davidlohr Bueso wrote: > +static inline void pipelined_send(struct wake_q_head *wake_q, > + struct mqueue_inode_info *info, > struct msg_msg *message, > struct ext_wait_queue *receiver) > { > receiver->msg = message; > list_del(&receiver->list); > + wake_q_add(wake_q, receiver->task); > + /* > + * Ensure that updating receiver->state is the last > + * write operation: As once set, the receiver can continue, > + * and if we don't have the reference count from the wake_q, > + * yet, at that point we can later have a use-after-free > + * condition and bogus wakeup. > + */ > + smp_wmb(); /* pairs with smp_rmb() in wq_sleep */
You have this barrier because we cannot rely on a failed cmpxchg() actually being a full barrier, right? > receiver->state = STATE_READY; > }
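Review bot: the comment above smp_wmb() in pipelined_send() justifies the barrier only by the wake_q reference count, and does not say why wake_q_add() cannot be relied on for that ordering by itself, which is exactly what the reply asks about a failed cmpxchg(). Suggest that the comment name the writes that must be visible before "receiver->state = STATE_READY" (the receiver->msg store and the list_del() as well as the wake_q reference) and state why an explicit barrier is still needed after wake_q_add(). The smp_rmb() in wq_sleep that this barrier is said to pair with is not part of the quoted hunk, so confirm that the reader side orders its load of receiver->state before it reads receiver->msg.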