On Wed, Feb 23, 2011 at 8:11 AM, Hefty, Sean <sean.he...@intel.com> wrote:

> --- a/drivers/infiniband/core/cma.c > +++ b/drivers/infiniband/core/cma.c > @@ -1210,6 +1210,11 @@ static int cma_req_handler(struct ib_cm_id *cm_id, > struct ib_cm_event *ib_event) > cm_id->context = conn_id; > cm_id->cm_handler = cma_ib_handler; > > + /* > + * Protect against the user destroying conn_id from another thread > + * until we're done accessing it. > + */ > + atomic_inc(&conn_id->refcount);
This is a good catch, but I'm not sure I see why this is the right fix. What prevents the destroy from happening right before the atomic_inc here? Does this just make the race window much smaller?

> mutex_unlock(&conn_id->handler_mutex); > + cma_deref_id(conn_id); > rdma_destroy_id(&conn_id->id);

Likewise this seems to drop the additional reference, and then use the conn_id. Why can't it be destroyed right after the cma_deref_id, leading to use-after-free?

- R.
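Review bot: the new comment in the first hunk says the reference protects conn_id "until we're done accessing it", but it does not say what guarantees conn_id cannot already be destroyed between `cm_id->context = conn_id;` / `cm_id->cm_handler = cma_ib_handler;` and the `atomic_inc(&conn_id->refcount);` that follows. If conn_id is not yet reachable by the user at that point, the comment (or the changelog) should say so; otherwise the increment only narrows the window rather than closing it.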
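Review bot: in the second hunk the extra reference is released with `cma_deref_id(conn_id);` before conn_id is dereferenced again in `rdma_destroy_id(&conn_id->id);`. If this reference is what keeps conn_id alive against a concurrent destroy, the release should come after the last use; if rdma_destroy_id must instead be called with this reference already dropped, the hunk needs a comment stating what keeps conn_id valid across that call.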