Matthias Urlichs wrote:
>
> if (files) {
> + task_lock(tsk);
> + tsk->files = NULL;
> + task_unlock(tsk);
> + put_files_struct(files);
> }
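Review bot: the ordering in this hunk (publish NULL under task_lock, then put_files_struct() only after task_unlock) is safe only if every other reader of tsk->files takes its reference while holding the same task_lock; a reader that does `files = tsk->files;` followed by `atomic_inc(&files->count);` without the lock can still see the old pointer and bump the count after this put has already dropped the last reference. A comment on the hunk stating that invariant, and a check that the fs/proc users of ->files follow it, would make the change reviewable on its own.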
This one is easier to explain; it's always the same problem:
CPU1:
(1) task_lock(tsk);
(2) tsk->files = NULL;
(3) task_unlock(tsk);
(4) put_files_struct(files);
CPU2: (somewhere in fs/proc/*.c)
(5) task_lock(tsk);
(6)* files = tsk->files;
(7)* if (files)
(8)* atomic_inc(&files->count);
(9) task_unlock(tsk);
...
(10) put_files_struct(files);
The 3 instructions that I marked with * must be atomic, otherwise
cpu1 could call put_files_struct(files) before cpu2 had a chance to
increase the reference count. A simple memory barrier won't help, e.g.
if an interrupt arrives between instructions (6) and (8).
->tty has a similar problem: cpu1 could kfree the tty structure, and
cpu2 could still access it.
-- Manfred
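The interleaving described in the message above, as an added example that is not part of the original thread or of the kernel: a small user-space model of the two listings, with the files_struct refcount, task_lock (modelled as an owner field), and a "freed" flag standing in for kfree. Both CPUs are driven step by step from an explicit schedule string, so the case where an interrupt lands between (6) and (8) can be reproduced deterministically, once with a reader that bumps the count outside task_lock and once with the reader holding task_lock across (6)-(8). The object layout, the schedule notation and the run_schedule() helper are assumptions made for this example.

```c
#include <stdbool.h>
#include <stdio.h>

/* Toy model of the two objects in the thread, constructed for this example
 * (not kernel code): a refcounted files_struct and a task_struct whose
 * task_lock is modelled as an owner field. */
struct files_struct { int count; bool freed; };     /* freed == kfree happened */
struct task_struct  { struct files_struct *files; int lock_owner; }; /* 0 = unlocked */

static void put_files_struct(struct files_struct *f)
{
    if (--f->count == 0)
        f->freed = true;
}

/* The instructions from the listing: (1)-(4) on CPU1, (5)-(10) on CPU2. */
enum op { OP_LOCK, OP_UNLOCK, OP_STORE_NULL, OP_PUT1, OP_READ, OP_INC, OP_PUT2 };
static const enum op cpu1_prog[]     = { OP_LOCK, OP_STORE_NULL, OP_UNLOCK, OP_PUT1 };
static const enum op cpu2_locked[]   = { OP_LOCK, OP_READ, OP_INC, OP_UNLOCK, OP_PUT2 };
static const enum op cpu2_unlocked[] = { OP_READ, OP_INC, OP_PUT2 };   /* (6)-(8) without task_lock */
#define LEN(a) (sizeof(a) / sizeof((a)[0]))

struct sim {
    struct task_struct tsk;
    struct files_struct fs;
    struct files_struct *cpu1_files;  /* 'files' that CPU1 saved before the hunk */
    struct files_struct *cpu2_files;  /* local 'files' in fs/proc on CPU2 */
    const enum op *prog2;             /* CPU2's program: locked or unlocked reader */
    size_t len2;
    bool use_after_free;              /* CPU2 touched fs after its last reference dropped */
    int pc1, pc2;
};

struct result { bool use_after_free; int final_count; };

static void touch(struct sim *s)      /* CPU2 dereferences its 'files' pointer */
{
    if (s->cpu2_files->freed)
        s->use_after_free = true;
}

/* Execute one instruction on the given CPU.  Returns false when that CPU is
 * finished or is spinning on a task_lock held by the other CPU. */
static bool step(struct sim *s, int cpu)
{
    const enum op *prog = cpu == 1 ? cpu1_prog : s->prog2;
    size_t len = cpu == 1 ? LEN(cpu1_prog) : s->len2;
    int *pc = cpu == 1 ? &s->pc1 : &s->pc2;

    if ((size_t)*pc >= len)
        return false;
    switch (prog[*pc]) {
    case OP_LOCK:
        if (s->tsk.lock_owner != 0)
            return false;             /* spin until the other CPU unlocks */
        s->tsk.lock_owner = cpu;
        break;
    case OP_UNLOCK:     s->tsk.lock_owner = 0;           break;
    case OP_STORE_NULL: s->tsk.files = NULL;             break;
    case OP_PUT1:       put_files_struct(s->cpu1_files); break;
    case OP_READ:       s->cpu2_files = s->tsk.files;    break;
    case OP_INC:  if (s->cpu2_files) { touch(s); s->cpu2_files->count++; } break; /* atomic_inc */
    case OP_PUT2: if (s->cpu2_files) { touch(s); put_files_struct(s->cpu2_files); } break;
    }
    (*pc)++;
    return true;
}

/* Run the CPUs in the order given by sched ('1' or '2' per step), then let
 * whatever is left finish round-robin.  Reports whether CPU2 hit freed memory. */
struct result run_schedule(const char *sched, bool reader_locked)
{
    struct sim s = { .fs = { .count = 1 } };
    s.tsk.files = s.cpu1_files = &s.fs;
    s.prog2 = reader_locked ? cpu2_locked : cpu2_unlocked;
    s.len2  = reader_locked ? LEN(cpu2_locked) : LEN(cpu2_unlocked);
    for (const char *p = sched; *p; p++)
        step(&s, *p == '1' ? 1 : 2);
    for (int i = 0; i < 16; i++) {    /* more than enough steps to drain both CPUs */
        step(&s, 1);
        step(&s, 2);
    }
    return (struct result){ s.use_after_free, s.fs.count };
}

int main(void)
{
    /* CPU2 executes (6), an interrupt lets CPU1 run (1)-(4), then CPU2 resumes at (8). */
    struct result r = run_schedule("21111222", false);
    printf("reader without task_lock: use-after-free=%d\n", r.use_after_free);
    r = run_schedule("21111222", true);
    printf("reader under task_lock:   use-after-free=%d, final count=%d\n",
           r.use_after_free, r.final_count);
    return 0;
}
```

With the schedule "21111222" the unlocked reader reads the pointer, CPU1 then stores NULL and drops the last reference, and the reader's atomic_inc lands on freed memory; the same schedule with the reader holding task_lock leaves CPU1 spinning on the lock until the reference has been taken, after which the two put_files_struct() calls bring the count to zero exactly once. Swapping the schedule to "2221111" makes the unlocked reader look correct, which is why a barrier does nothing here: the bug is in the interleaving, not in store ordering.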
This archive was generated by hypermail 2b29 : Mon May 15 2000 - 21:00:18 EST