On 07/13/2012 11:37 AM, Alan Cox wrote:
>> Is that clear? Is there something I'm still missing?
>
> Basically if they are not invariant I don't see why it can't go around
> the loop, allocate the buffer, free it and then the next time find there
> is nothing there and thus double free.
>
> Either way if it's patched the problem goes away so it's mostly for my own
> understanding.

The key is that xattrs is a local variable I think.

1) enter the "if" block
2) spin_unlock()
3) xattrs = kcalloc()...
4) spin_lock()
5) version changes, so:
6) kfree everything (now xattrs is invalid)
7) goto start

Then either:

8a) re-enter the "if" block
9a) spin_unlock()
10a) xattrs = kcalloc()...   <- now xattrs is valid again
. . .

Or:

8b) do not enter the "if" block
9b) return err...   <- xattrs is not referenced again

-Alex
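The unlock/allocate/relock/retry sequence laid out above, as an added user-space model (not code from this thread or from ceph) with allocation counters to show that every buffer is freed exactly once across any number of lost races, because the local pointer is assigned afresh before anything reads it again; the struct and function names are hypothetical stand-ins for the kernel ones.

```c
#include <errno.h>
#include <stdlib.h>

/* Constructed user-space model of the retry loop discussed in the thread;
 * names are hypothetical stand-ins, not the ceph structures. */
struct xattr_state {
	unsigned long version;       /* bumped whenever the xattr blob changes */
	unsigned long index_version; /* version the parsed index reflects */
	int numattr;
	int races_left;              /* times a writer bumps version while "unlocked" */
	int allocs, frees;           /* instrumentation for the kcalloc/kfree stand-ins */
};

static void *kcalloc_sim(struct xattr_state *st, size_t n) { st->allocs++; return calloc(n, 1); }
static void kfree_sim(struct xattr_state *st, void *p) { if (p) st->frees++; free(p); }

/* Stands in for spin_unlock(): with the lock dropped a concurrent writer may run. */
static void unlock_sim(struct xattr_state *st)
{
	if (st->races_left-- > 0)
		st->version++;
}

static int build_xattrs(struct xattr_state *st)
{
	char **xattrs = NULL; /* local: assigned afresh on every pass through the if block */
	unsigned long xattr_version;
start:
	if (st->index_version < st->version) {
		xattr_version = st->version;
		unlock_sim(st);                                          /* 2) spin_unlock() */
		xattrs = kcalloc_sim(st, st->numattr * sizeof(*xattrs)); /* 3) kcalloc()     */
		if (!xattrs)
			return -ENOMEM;
		/* 4) spin_lock() re-taken; did the version move while we were unlocked? */
		if (st->version != xattr_version) {
			kfree_sim(st, xattrs); /* 6) xattrs now dangles ... */
			goto start;            /* 7) ... but is reassigned before any use */
		}
		st->index_version = st->version; /* the index would be populated here */
		kfree_sim(st, xattrs);
	}
	return 0;
}

/* Runs one scenario; returns the allocation count when every buffer was freed
 * exactly once and the index caught up, a negative value otherwise. */
int simulate(int numattr, int races)
{
	struct xattr_state st = { .version = 5, .numattr = numattr, .races_left = races };
	if (build_xattrs(&st) != 0)
		return -1;
	if (st.allocs != st.frees || st.index_version != st.version)
		return -2;
	return st.allocs;
}
```

Each lost race costs one extra allocation and one extra free, so the counters stay balanced however many times the loop goes around.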