From: Arthur Kepner <[EMAIL PROTECTED]>
Date: Tue, 14 Feb 2006 13:55:58 -0800 (PST)

>
> There's a race in pktgen which can lead to a double
> free of a pktgen_dev's skb. If a worker thread is in
> the midst of doing fill_packet(), and the controlling
> thread gets a "stop" message, the already freed skb
> can be freed once again in pktgen_stop_device().
>
> This patch removes the race by setting the pktgen_dev's
> skb to NULL before freeing it.
>
> Signed-off-by: Arthur Kepner <[EMAIL PROTECTED]>

I don't see how this fixes the race, now we have:

        CPU 0                           CPU 1
        stop                            worker thread
        old_skb = pkt_dev->skb;
                                        old_skb = pkt_dev->skb;
        pkt_dev->skb = NULL;
        ...
        kfree_skb(old_skb);
                                        pkt_dev->skb = NULL;
                                        kfree_skb(old_skb);

It's the same race we started with. :-)
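
The interleaving in the diagram above, replayed deterministically in userspace C next to a variant where the read and the clear are a single atomic exchange. This is an added illustration, not pktgen code and not the fix that was applied to pktgen; `struct dev`, `fake_kfree_skb()` and the `replay_*` functions are hypothetical names, and the "skb" is a constructed one-byte buffer.

```c
#include <stdatomic.h>
#include <stddef.h>

/* Constructed stand-ins: struct dev plays the role of pktgen_dev and
 * fake_kfree_skb() only counts how often the one buffer is released. */
struct dev { void *_Atomic skb; };

static char buffer[1];
static int frees;

static void fake_kfree_skb(void *p) { if (p) frees++; }

static void reset(struct dev *d)
{
    atomic_init(&d->skb, (void *)buffer);
    frees = 0;
}

/* Patched sequence in the order the diagram shows: both CPUs read the
 * pointer before either one clears it, so both hold the same address. */
int replay_read_then_clear(void)
{
    struct dev d;
    reset(&d);
    void *cpu0_old = atomic_load(&d.skb);   /* CPU 0: old_skb = pkt_dev->skb; */
    void *cpu1_old = atomic_load(&d.skb);   /* CPU 1: old_skb = pkt_dev->skb; */
    atomic_store(&d.skb, NULL);             /* CPU 0: pkt_dev->skb = NULL;    */
    fake_kfree_skb(cpu0_old);               /* CPU 0: kfree_skb(old_skb);     */
    atomic_store(&d.skb, NULL);             /* CPU 1: pkt_dev->skb = NULL;    */
    fake_kfree_skb(cpu1_old);               /* CPU 1: kfree_skb(old_skb);     */
    return frees;                           /* same buffer released twice     */
}

/* Read and clear fused into one atomic exchange: whichever CPU arrives
 * second gets NULL back, so at most one of them can release the buffer. */
int replay_exchange(void)
{
    struct dev d;
    reset(&d);
    void *cpu0_old = atomic_exchange(&d.skb, NULL);
    void *cpu1_old = atomic_exchange(&d.skb, NULL);
    fake_kfree_skb(cpu0_old);
    fake_kfree_skb(cpu1_old);
    return frees;
}
```

An exchange only decides which side releases the pointer; it does not by itself protect code that is still using the buffer when the other side frees it.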