On 4/26/05, Evgeniy Polyakov <[email protected]> wrote:
> On Tue, 26 Apr 2005 13:20:08 -0500
> Dmitry Torokhov <[email protected]> wrote:
>
> > On 4/26/05, Evgeniy Polyakov <[email protected]> wrote:
> > > Yes, I found it too.
> > > Following patch should be the solution:
> > >
> > > --- orig/drivers/connector/connector.c
> > > +++ mod/drivers/connector/connector.c
> > > @@ -146,13 +146,16 @@
> > > spin_lock_bh(&dev->cbdev->queue_lock);
> > > list_for_each_entry(__cbq, &dev->cbdev->queue_list, callback_entry) {
> > > if (cn_cb_equal(&__cbq->cb->id, &msg->id)) {
> > > - __cbq->cb->priv = msg;
> > > +
> > > + if (!test_bit(0, &work->pending)) {
> > > + __cbq->cb->priv = msg;
> > >
> > > - __cbq->ddata = data;
> > > - __cbq->destruct_data = destruct_data;
> > > + __cbq->ddata = data;
> > > + __cbq->destruct_data = destruct_data;
> > >
> >
> > Still not good enough - work->pending bit gets cleared when work has
> > been scheduled, but before executing payload. You still have the race.
>
> Data pointer is copied before bit is set,
> but I forget that it is not data, but another pointer
> which may be overwritten.
>
> I think we may finish it by setting skb as data,
> and call kfree_skb() as destructor.
>
Yes, that woudl work, although I would urge you to implement a message
queue for callbacks (probably limit it to 1000 messages or so) to
allow bursting.
> Thank you for your analysis.
You are welcome.
--
Dmitry
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[Index of Archives]
[Kernel Newbies]
[Netfilter]
[Bugtraq]
[Photo]
[Stuff]
[Gimp]
[Yosemite News]
[MIPS Linux]
[ARM Linux]
[Linux Security]
[Linux RAID]
[Video 4 Linux]
[Linux for the blind]
[Linux Resources]
