On 1/23/16, Al Viro <viro@xxxxxxxxxxxxxxxxxx> wrote:
> We'll just decrement the refcount of bufmap, do nothing since it hasn't
> reached zero, proceed to mark all ops as purged, wake each service_operation()
> up and sod off. Now, the holders of those slots will call
> orangefs_get_bufmap_init(), get 1 (since we hadn't dropped the last reference
> yet - can it *ever* see 0 there, actually?) and return -EAGAIN. With
> wait_for_direct_io() noticing that, freeing the slot and going into restart.
> And if there was the only one, we are fine, but what if there were several?

The answer here is yes. Otherwise a malicious client could not set up
the bufmap then crash the kernel by attempting to use it.

-- Martin