On Wed, Dec 26, 2018 at 02:55:00PM +0100, Pablo Neira Ayuso wrote:
> On Wed, Dec 26, 2018 at 02:41:59PM +0100, Pablo Neira Ayuso wrote:
> > Instead of removing an empty list node that might be reintroduced soon
> > thereafter, tentatively place the empty list node in the garbage
> > collector, then re-check if the list is empty again before deleting it.
> >
> > This patch is aiming to simplify the garbage collection interaction
> > between the packet path and the workqueue to delete empty lists.
>
> Hm, still not good enough.
>
> Workqueue and packet path may race to place the same node in the
> gc_nodes[] array, leading to possible use-after-free.

Hey Pablo,

I assume you realize this, but the race can happen with or without your
patch. I think you could fix the race by expanding the spinlock in
tree_gc_worker() to cover the walking of the tree instead of doing it as
an RCU reader.

Anyway, are you still working on an alternative solution to my patches?
My patch #2 was broken, but I can resend a fixed version if there is
interest in going that way.

Thanks,
Shawn
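The following is an added user-space model of the race discussed in this thread and of the lock-extension fix Shawn suggests; it is not code from the netfilter tree or from either author. Struct and function names (`struct set`, `collect_as_reader`, `collect_under_lock`, `release`, `run_interleaving`) are assumptions, the set spinlock is stood in for by a C11 `atomic_flag`, the rbtree is reduced to a singly linked list, and "freeing" sets a flag instead of calling free() so that a second free is detectable rather than undefined behaviour. The buggy shape walks the set as a lock-less reader and leaves the node linked until the deferred free; the fixed shape holds the lock across the whole walk and unlinks each collected node while the lock is held, so a node can land in a gc_nodes[] array at most once. Unlinking inside the locked walk is this model's way of making the lock extension effective and is an assumption, not something the thread states.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define MAX_GC 8

/* Hypothetical stand-ins for the kernel structures; names are assumptions. */
struct node {
    struct node *next;
    int key;
    bool expired;
    bool freed;      /* model flag instead of a real free(), so a second free is detectable */
};

struct set {
    atomic_flag lock;   /* stands in for the set's spinlock */
    struct node *head;
};

struct collector {
    struct node *gc_nodes[MAX_GC];
    size_t n;
};

static void set_lock(struct set *s)   { while (atomic_flag_test_and_set(&s->lock)) {} }
static void set_unlock(struct set *s) { atomic_flag_clear(&s->lock); }

/* Buggy shape: walk as a lock-less reader and only remember the node; it stays
 * linked until the deferred free, so another walker can collect it again. */
static void collect_as_reader(struct set *s, struct collector *c)
{
    for (struct node *n = s->head; n; n = n->next)
        if (n->expired && c->n < MAX_GC)
            c->gc_nodes[c->n++] = n;
}

/* Fixed shape: hold the lock across the whole walk and unlink each collected
 * node while it is held, so no later walk can see it. */
static void collect_under_lock(struct set *s, struct collector *c)
{
    set_lock(s);
    struct node **pp = &s->head;
    while (*pp) {
        struct node *n = *pp;
        if (n->expired && c->n < MAX_GC) {
            *pp = n->next;              /* unlink under the lock */
            c->gc_nodes[c->n++] = n;
            continue;
        }
        pp = &n->next;
    }
    set_unlock(s);
}

/* Deferred free step. Returns how many nodes had already been freed by the
 * other collector, i.e. how many double frees (use-after-free in real code). */
static int release(struct collector *c)
{
    int dup = 0;
    for (size_t i = 0; i < c->n; i++) {
        struct node *n = c->gc_nodes[i];
        if (n->freed)
            dup++;
        else
            n->freed = true;
    }
    c->n = 0;
    return dup;
}

/* Deterministic interleaving of the window the two paths race in: the
 * workqueue walk and the packet-path walk both finish before either frees.
 * Returns the number of double frees observed. Sample set is constructed inline. */
static int run_interleaving(bool use_lock)
{
    struct node n2 = { NULL, 2, true, false };   /* expired: a gc candidate */
    struct node n1 = { &n2, 1, false, false };
    struct set s = { ATOMIC_FLAG_INIT, &n1 };
    struct collector worker = { {0}, 0 }, pkt = { {0}, 0 };

    if (use_lock) {
        collect_under_lock(&s, &worker);
        collect_under_lock(&s, &pkt);
    } else {
        collect_as_reader(&s, &worker);
        collect_as_reader(&s, &pkt);
    }
    return release(&worker) + release(&pkt);
}

int main(void)
{
    printf("lock-less walks: %d double free(s)\n", run_interleaving(false));
    printf("locked walks:    %d double free(s)\n", run_interleaving(true));
    return 0;
}
```

The interleaving is driven sequentially on purpose: with real threads the window is timing-dependent and a demonstration would be flaky, while the sequential order "both walks complete, then both release" is exactly the schedule that produces the duplicate entry. The model also shows why widening the lock alone is only half of the story in this shape: the walk under the lock has to change the structure (here, unlink) before the lock is dropped, otherwise a later walker still finds the same candidate.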