On 09/22/2010 10:37 PM, Pete Zaitcev wrote:
> On Wed, 22 Sep 2010 21:26:13 -0400
> Jeff Garzik <jeff@xxxxxxxxxx> wrote:
>
>>> So, we go a longer route and re-hook the list of completions
>>> to a per-server global instead of a client. The patch is
>>> straightforward. The only thing we need to be careful about is to
>>> make sure that no outstanding completions are left in the queue
>>> before freeing a client struct. This is ensured by force-running
>>> completions.
>>
>> Looking at this change again, I don't see how this avoids
>> use-after-free. If completions exist after state change function leads
>> one to cli_evt_dispose() -> cli_free(), then cli_write_run_compl() still
>> calls cli_write_free() with the stale 'cli' pointer.
>
> We run completions before freeing in all cases. My patch was correct.

Logically, if completions are run before freeing in all cases, there is
no need to make write_compl_q global. That was a red herring, which by
side effect avoided the bug with the stale 'cli' pointer.

	Jeff
--
To unsubscribe from this list: send the line "unsubscribe hail-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
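The ordering the thread settles on (force-run every queued completion, verify the queue is empty, and only then free the client) is easy to get wrong in the other direction, because each completion carries a back-pointer to the client. The following is an added C model written for this page; it is not code from hail or from either poster. The struct layout, the live-pointer registry, and the `cli_free_wrong_order` variant are this example's own assumptions, kept only so that a debugging aid can report a stale `cli` as a counter rather than by dereferencing freed memory.

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>

/* Constructed model of the situation in the thread: a client owns a
 * queue of pending write completions, each of which points back at the
 * client.  Names echo the thread (cli_free, cli_write_run_compl,
 * cli_write_free) but the bodies are this example's own, not hail's. */

#define MAX_LIVE 16

struct client;

struct cli_write {
    struct cli_write *next;
    struct client *cli;              /* back-pointer used by the completion */
    int id;
};

struct client {
    struct cli_write *write_compl_q; /* per-client queue, as in the original */
    int completions_run;
};

/* Registry of live client pointers (a debugging aid, assumed here).  A
 * completion consults it before touching its back-pointer, so a stale
 * 'cli' is counted instead of dereferenced. */
static struct client *live[MAX_LIVE];
static int stale_cli_detected;

static bool cli_is_live(const struct client *cli)
{
    for (int i = 0; i < MAX_LIVE; i++)
        if (live[i] == cli)
            return true;
    return false;
}

static void live_add(struct client *cli)
{
    for (int i = 0; i < MAX_LIVE; i++)
        if (live[i] == NULL) { live[i] = cli; return; }
    assert(!"live registry full");
}

static void live_del(struct client *cli)
{
    for (int i = 0; i < MAX_LIVE; i++)
        if (live[i] == cli) { live[i] = NULL; return; }
}

struct client *cli_new(void)
{
    struct client *cli = calloc(1, sizeof(*cli));
    assert(cli);
    live_add(cli);
    return cli;
}

/* Queue a pending write (constructed input; 'id' is only a label). */
void cli_write_queue(struct client *cli, int id)
{
    struct cli_write *wr = calloc(1, sizeof(*wr));
    assert(wr);
    wr->cli = cli;
    wr->id = id;
    wr->next = cli->write_compl_q;
    cli->write_compl_q = wr;
}

/* Completion handler: the only place the back-pointer is followed. */
static void cli_write_free(struct cli_write *wr)
{
    if (cli_is_live(wr->cli))
        wr->cli->completions_run++;
    else
        stale_cli_detected++;        /* a use-after-free in real code */
    free(wr);
}

/* Force-run every queued completion.  The queue head is passed in, so
 * the runner itself never needs a live client. */
static void cli_write_run_compl(struct cli_write *q)
{
    while (q) {
        struct cli_write *next = q->next;
        cli_write_free(q);
        q = next;
    }
}

/* Correct order: drain, check that nothing was re-queued, then free.
 * Returns how many completions ran for the client. */
int cli_free(struct client *cli)
{
    struct cli_write *q = cli->write_compl_q;
    cli->write_compl_q = NULL;
    cli_write_run_compl(q);
    assert(cli->write_compl_q == NULL); /* no completion left behind */
    int ran = cli->completions_run;
    live_del(cli);
    free(cli);
    return ran;
}

/* Wrong order, kept to show what the registry catches: the struct is
 * released while queued completions still point at it.  Returns the
 * number of completions that ran against a stale client. */
int cli_free_wrong_order(struct client *cli)
{
    struct cli_write *q = cli->write_compl_q;
    int before = stale_cli_detected;
    live_del(cli);
    free(cli);
    cli_write_run_compl(q);
    return stale_cli_detected - before;
}
```

With the drain-then-free order, every queued completion runs while its client is still live, and moving the queue to a per-server global adds nothing; the registry check in `cli_write_free` is what turns the reversed order into a reported count instead of a silent use-after-free.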