Re: cn_queue.c

From: Evgeniy Polyakov
Date: Fri Apr 01 2005 - 04:30:28 EST


On Fri, 2005-04-01 at 00:48 -0800, Andrew Morton wrote:
> Evgeniy Polyakov <johnpol@xxxxxxxxxxx> wrote:
> >
> > New object has 0 reference counter when created.
> > If some work is appointed to the object, then its counter is atomically
> > incremented. It is decremented when the work is finished.
> > If object is supposed to be removed while some work
> > may be appointed to it, core ensures that no work _is_ appointed,
> > and atomically disallows [for example removing workqueue, removing
> > callback, all with appropriate locks being held]
> > any other work appointment for the given object.
> > After it [when no work can be appointed to the object] if object
> > still has pending work [and thus has its refcounter not zero],
> > removing path waits until appropriate refcnt hits zero.
> > Since no _new_ work can be appointed at that level it is just
> > while (atomic_read(refcnt) != 0)
> > msleep();
>
> More like:
>
> while (atomic_read(&obj->refcnt))
> msleep();
> kfree(obj);

Yep :)

> which introduces the possibility of someone grabbing a new ref on the
> object just before the kfree(). If there is no means by which any other
> actor can acquire a ref to this object then OK, no race.

No, the object is already removed from the paths where someone may access
it.
It is only waiting until already assigned work is finished.

> But it's rather surprising that such a thing can be achieved without any
> locking. What happens if another CPU has just entered
> cn_queue_del_callback(), for example? It has a live cn_callback_entry in
> `cbq' which has a zero refcount - cn_queue_free_dev() can throw it away.

cn_queue_free_dev() will wait until dev->refcnt hits zero
before freeing any resources,
but it can happen only after cn_queue_del_callback() does
its work on the given callback device [actually when all callbacks
are removed].
When a new callback is added to the device, its refcnt is incremented
[before addition btw; if addition fails in the middle, the reference is
decremented]; when a callback is removed, the device's reference counter
is decremented atomically after all work is finished.

--
Evgeniy Polyakov

Crash is better than data corruption -- Arthur Grabowski
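The teardown protocol argued over above, as an added userspace model that is not code from this thread or from the connector driver: an object starts with a zero refcount, every appointed work item takes a reference and drops it when done, the removal path first disallows any further appointment (flag and increment taken under the same lock, which is what closes the "new ref just before kfree()" window Andrew raises), then waits for the count to reach zero before freeing. Names (`struct obj`, `obj_get`, `obj_put`, `obj_start_remove`, `obj_free_if_idle`, `OBJ_EBUSY`) and the single-threaded driver in `scenario_teardown` are assumptions for illustration; the kernel's `while (atomic_read(&refcnt)) msleep();` loop is modelled as a non-blocking `obj_free_if_idle` that the caller retries.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical error code standing in for the kernel's -EBUSY. */
#define OBJ_EBUSY (-1)

/* Minimal spinlock built on atomic_flag; in the kernel this would be the
 * lock protecting the callback list / workqueue of the device. */
static atomic_flag obj_lock = ATOMIC_FLAG_INIT;
static void lock_acquire(void) { while (atomic_flag_test_and_set(&obj_lock)) { } }
static void lock_release(void) { atomic_flag_clear(&obj_lock); }

struct obj {
    atomic_int  refcnt;    /* number of work items appointed and not yet finished */
    bool        removing;  /* set under obj_lock once removal has started */
    bool        freed;     /* models kfree() having run */
};

void obj_init(struct obj *o)
{
    atomic_init(&o->refcnt, 0);   /* new object: zero references */
    o->removing = false;
    o->freed = false;
}

/* Appoint work: take a reference.  The removal check and the increment are
 * done under the same lock the remover uses, so no reference can be taken
 * after removal has started. */
bool obj_get(struct obj *o)
{
    lock_acquire();
    if (o->removing) {
        lock_release();
        return false;             /* removal in progress: appointment refused */
    }
    atomic_fetch_add(&o->refcnt, 1);
    lock_release();
    return true;
}

/* Work finished: drop the reference; returns the remaining count. */
int obj_put(struct obj *o)
{
    return atomic_fetch_sub(&o->refcnt, 1) - 1;
}

/* Removal step 1: atomically disallow any further work appointment. */
void obj_start_remove(struct obj *o)
{
    lock_acquire();
    o->removing = true;
    lock_release();
}

/* Removal step 2: free only once every pending work item has finished.
 * Returns OBJ_EBUSY while references remain (the kernel would msleep() and
 * loop), 0 once the object has been freed. */
int obj_free_if_idle(struct obj *o)
{
    if (!o->removing)
        return OBJ_EBUSY;         /* must disallow new work before freeing */
    if (atomic_load(&o->refcnt) != 0)
        return OBJ_EBUSY;
    o->freed = true;              /* stands in for kfree(o) */
    return 0;
}

/* Constructed scenario: one work item pending, removal starts, a late
 * caller tries to appoint more work, the pending item finishes, free runs.
 * Returns 0 when every step behaves as the protocol requires. */
int scenario_teardown(void)
{
    struct obj o;
    obj_init(&o);
    if (!obj_get(&o))                      return 1;  /* work appointed, refcnt 1 */
    obj_start_remove(&o);
    if (obj_get(&o))                       return 2;  /* late appointment must fail */
    if (obj_free_if_idle(&o) != OBJ_EBUSY) return 3;  /* still one item pending */
    if (obj_put(&o) != 0)                  return 4;  /* pending work finishes */
    if (obj_free_if_idle(&o) != 0)         return 5;  /* now safe to free */
    if (!o.freed)                          return 6;
    return 0;
}

int main(void)
{
    printf("teardown scenario result: %d (0 = ok)\n", scenario_teardown());
    return 0;
}
```

The point the model makes is that the wait loop alone is not what makes the free safe; it is the lock-protected `removing` flag consulted by `obj_get` that guarantees the counter can only go down once the remover has committed, which is the "no other actor can acquire a ref" condition Andrew asks about.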
