On 04/06/2014 03:01 AM, Oleg A. Arkhangelsky wrote:
> 05.04.2014, 19:53, "Sasha Levin" <sasha.le...@oracle.com>:
>> My guess is that we're racing the synchronize_rcu() in del_chan() with
>> the RCU protected read in lookup_chan_dst():
>>
>>   pptp_release()                         lookup_chan_dst()
>>     del_chan()
>>       enter synchronize_rcu()
>>                                            sock = rcu_dereference(...)
>>       exit synchronize_rcu()
>>     release_sock()
>>     sock_put()
>>                                            opt = &sock->proto.pptp;
>>                                            [ boom ]
>
> Hmm...
>
> IMHO, sock from callid_sock array must be NULL (not uninitialized) at
> that point, because del_chan() does:
>
>   RCU_INIT_POINTER(callid_sock[sock->proto.pptp.src_addr.call_id], NULL);
>
> before rcu_synchronize(). I think that prevents access to the item being
> freed by subsequent readers that go inside the critical section while
> rcu_synchronize() is active.
Right, makes sense. I'm completely lost then.

Thanks,
Sasha
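The ordering argument Oleg makes (clear the callid_sock slot, then synchronize_rcu(), then sock_put()) can be walked through deterministically. The following is an added illustration, not code from the thread or from drivers/net/ppp/pptp.c: a single-threaded toy model in which the RCU grace period is modelled by a reader counter and a deferred-free list, so each interleaving from the thread can be replayed step by step. The names scenario_*, touch_sock, synchronize_rcu_then_put and the struct layout are assumptions made for the example; the third scenario is a deliberately wrong ordering included only for contrast, not the pptp code.

```c
/* Toy model of the pptp callid_sock RCU retire pattern (constructed example). */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define MAX_CALLID 8

struct sock {
    int refcnt;
    bool freed;              /* models the memory having gone back to the allocator */
    unsigned short call_id;  /* stands in for proto.pptp.src_addr.call_id */
};

static struct sock *callid_sock[MAX_CALLID];   /* call_id -> sock, RCU protected */

/* --- toy RCU: single-threaded, so every interleaving is explicit ------------ */
static int readers_in_flight;
static struct sock *deferred[MAX_CALLID];
static int ndeferred;

static void rcu_read_lock(void) { readers_in_flight++; }

static void rcu_read_unlock(void)
{
    if (--readers_in_flight == 0) {          /* last pre-existing reader left: */
        for (int i = 0; i < ndeferred; i++)  /* grace period ends, frees run    */
            deferred[i]->freed = true;
        ndeferred = 0;
    }
}

/* synchronize_rcu() followed by sock_put(): the free cannot happen before every
 * reader already inside a critical section has left. Readers that enter after
 * the grace period started are NOT waited for, hence the slot must be cleared
 * before this is called. */
static void synchronize_rcu_then_put(struct sock *sk)
{
    if (--sk->refcnt != 0)
        return;
    if (readers_in_flight == 0)
        sk->freed = true;                    /* worst case: freed right away */
    else
        deferred[ndeferred++] = sk;
}

static struct sock *rcu_dereference_callid(unsigned short id) { return callid_sock[id]; }

enum outcome { NOT_FOUND, USED_OK, USE_AFTER_FREE };

/* The reader's use of the looked-up sock ("opt = &sock->proto.pptp"). */
static enum outcome touch_sock(struct sock *sk)
{
    if (sk == NULL)
        return NOT_FOUND;                    /* lookup_chan_dst() bails out */
    return sk->freed ? USE_AFTER_FREE : USED_OK;
}

static struct sock *setup(unsigned short id)
{
    static struct sock s;
    s = (struct sock){ .refcnt = 1, .freed = false, .call_id = id };
    callid_sock[id] = &s;
    readers_in_flight = 0;
    ndeferred = 0;
    return &s;
}

/* 1. The interleaving from the thread: the reader enters while the writer is in
 *    synchronize_rcu(). del_chan() already NULLed the slot, so it sees NULL. */
enum outcome scenario_reader_enters_during_grace_period(void)
{
    struct sock *sk = setup(3);
    callid_sock[sk->call_id] = NULL;         /* del_chan(): RCU_INIT_POINTER(..., NULL) */
    synchronize_rcu_then_put(sk);            /* synchronize_rcu(); ...; sock_put() */
    rcu_read_lock();                         /* lookup_chan_dst() arrives late */
    enum outcome r = touch_sock(rcu_dereference_callid(3));
    rcu_read_unlock();
    return r;
}

/* 2. A reader already inside the critical section keeps a live sock until it
 *    leaves; the free is deferred to the end of the grace period. */
enum outcome scenario_reader_already_inside(bool *freed_after_unlock)
{
    struct sock *sk = setup(3);
    rcu_read_lock();
    struct sock *seen = rcu_dereference_callid(3);
    callid_sock[sk->call_id] = NULL;
    synchronize_rcu_then_put(sk);            /* reader in flight: free deferred */
    enum outcome r = touch_sock(seen);
    rcu_read_unlock();                       /* grace period ends here */
    *freed_after_unlock = sk->freed;
    return r;
}

/* 3. Hypothetical wrong ordering, for contrast only (not the pptp code): grace
 *    period and sock_put() before the slot is cleared. A reader entering during
 *    the grace period is not waited for and dereferences a freed sock. */
enum outcome scenario_clear_after_grace_period(void)
{
    struct sock *sk = setup(3);
    synchronize_rcu_then_put(sk);            /* nobody in flight: freed now */
    rcu_read_lock();
    enum outcome r = touch_sock(rcu_dereference_callid(3)); /* slot still set */
    rcu_read_unlock();
    callid_sock[sk->call_id] = NULL;         /* too late */
    return r;
}

int main(void)
{
    static const char *name[] = { "NOT_FOUND", "USED_OK", "USE_AFTER_FREE" };
    bool freed = false;
    printf("1 reader enters during grace period: %s\n", name[scenario_reader_enters_during_grace_period()]);
    printf("2 reader already inside:             %s (freed after unlock: %d)\n", name[scenario_reader_already_inside(&freed)], freed);
    printf("3 clear after grace period (wrong):  %s\n", name[scenario_clear_after_grace_period()]);
    return 0;
}
```

Scenario 1 is exactly the interleaving in Sasha's diagram and ends in NOT_FOUND rather than a crash, which is Oleg's point; scenario 3 shows what the crash would require, namely a slot that is still populated while the grace period runs.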