From mboxrd@z Thu Jan 1 00:00:00 1970
From: Jeff Garzik
Subject: Re: [tabled patch] abstract out TCP-write code
Date: Thu, 23 Sep 2010 00:32:09 -0400
Message-ID: <4C9AD849.8030404@garzik.org>
References: <20100923000908.GA15908@havoc.gtf.org> <20100922182836.566df309@lembas.zaitcev.lan> <4C9AACB5.40403@garzik.org> <20100922203741.48a2b8e6@lembas.zaitcev.lan>
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
In-Reply-To: <20100922203741.48a2b8e6@lembas.zaitcev.lan>
Sender: hail-devel-owner@vger.kernel.org
Content-Type: text/plain; charset="us-ascii"; format="flowed"
To: Pete Zaitcev
Cc: hail-devel@vger.kernel.org

On 09/22/2010 10:37 PM, Pete Zaitcev wrote:
> On Wed, 22 Sep 2010 21:26:13 -0400
> Jeff Garzik wrote:
>
>>> So, we go a longer route and re-hook the list of completions
>>> to a per-server global instead of a client. The patch is
>>> straightforward. The only thing we need to be careful about is to
>>> make sure that no outstanding completions are left in the queue
>>> before freeing a client struct. This is ensured by force-running
>>> completions.
>
>> Looking at this change again, I don't see how this avoids
>> use-after-free. If completions exist after the state change function
>> leads one to cli_evt_dispose() -> cli_free(), then cli_write_run_compl()
>> still calls cli_write_free() with the stale 'cli' pointer.
>
> We run completions before freeing in all cases. My patch was correct.
Logically, if completions are run before freeing in all cases, there is
no need to make write_compl_q global. That was a red herring, which by
side effect avoided the bug with the stale 'cli' pointer.

	Jeff
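The invariant the thread turns on (every completion that carries a 'cli'
back-pointer must be run before that client struct is freed) is easy to
state and easy to get wrong once completions live on a queue the client
does not own. The following is an added, self-contained model written for
this page; it is not tabled's code and shares no function bodies with it.
It assumes a per-server FIFO queue of write completions, each holding a
pointer to its client, and the names struct server, struct client,
srv_run_compl(), srv_count_pending() and demo_dispose_one_of_two() are
invented for the illustration. cli_free() force-runs only the dying
client's entries and checks that none remain before calling free(); the
other client's entries stay queued and run later, unaffected.

```c
#include <stdlib.h>

/* Hypothetical model (not tabled's code): a per-server write-completion
 * queue whose entries carry a back-pointer to the client they belong to. */

struct client {
    int completed;                  /* completions that ran for this client */
    int last_tag;
};

struct write_compl {
    struct write_compl *next;
    struct client *cli;             /* dereferenced when the completion runs */
    int tag;
};

struct server {
    struct write_compl *compl_q;    /* global queue, FIFO order */
    struct write_compl **compl_tail;
    int ran_total;
};

static void srv_init(struct server *srv)
{
    srv->compl_q = NULL;
    srv->compl_tail = &srv->compl_q;
    srv->ran_total = 0;
}

static struct client *cli_alloc(void) { return calloc(1, sizeof(struct client)); }

static int cli_write_queue(struct server *srv, struct client *cli, int tag)
{
    struct write_compl *wc = calloc(1, sizeof(*wc));
    if (!wc) return -1;
    wc->cli = cli;
    wc->tag = tag;
    *srv->compl_tail = wc;
    srv->compl_tail = &wc->next;
    return 0;
}

/* Body of one completion: this dereference of wc->cli is the line that
 * becomes a use-after-free if the client was freed while wc was queued. */
static void cli_write_free(struct write_compl *wc)
{
    wc->cli->completed++;
    wc->cli->last_tag = wc->tag;
    free(wc);
}

/* Run queued completions. With 'only' non-NULL, run just that client's
 * entries and leave the rest queued; otherwise run everything. Unlinks
 * through a pointer-to-pointer so FIFO order of the survivors is kept. */
static int srv_run_compl(struct server *srv, struct client *only)
{
    struct write_compl **pp = &srv->compl_q;
    int n = 0;
    while (*pp) {
        struct write_compl *wc = *pp;
        if (only && wc->cli != only) { pp = &wc->next; continue; }
        *pp = wc->next;
        cli_write_free(wc);
        n++;
    }
    srv->compl_tail = pp;           /* pp now addresses the final NULL link */
    srv->ran_total += n;
    return n;
}

/* Entries still referencing cli; must be 0 before free(cli) is legal. */
static int srv_count_pending(const struct server *srv, const struct client *cli)
{
    int n = 0;
    for (const struct write_compl *wc = srv->compl_q; wc; wc = wc->next)
        if (wc->cli == cli) n++;
    return n;
}

/* Dispose of a client: force-run its completions first so no queue entry
 * keeps a stale 'cli' pointer. Returns completions drained, -1 if any
 * were left behind (cannot happen here, but the check is what you want
 * in a real dispose path). */
static int cli_free(struct server *srv, struct client *cli)
{
    int n = srv_run_compl(srv, cli);
    if (srv_count_pending(srv, cli) != 0) return -1;
    free(cli);
    return n;
}

/* Worked scenario: two clients share the queue, A is disposed while both
 * have writes outstanding. Returns how many of B's completions were still
 * queued (untouched) after A was freed, or -1 on any failure. */
static int demo_dispose_one_of_two(int a_writes, int b_writes)
{
    struct server srv;
    struct client *a = cli_alloc(), *b = cli_alloc();
    int left = -1;
    srv_init(&srv);
    if (!a || !b) goto out;
    for (int i = 1; i <= a_writes; i++) if (cli_write_queue(&srv, a, i)) goto out;
    for (int i = 1; i <= b_writes; i++) if (cli_write_queue(&srv, b, 100 + i)) goto out;
    if (cli_free(&srv, a) != a_writes) goto out;
    a = NULL;                       /* a is gone; nothing in the queue points at it */
    left = srv_count_pending(&srv, b);
    if (srv_run_compl(&srv, NULL) != b_writes) left = -1;
    else if (b->completed != b_writes) left = -1;
    else if (b_writes && b->last_tag != 100 + b_writes) left = -1;
out:
    srv_run_compl(&srv, NULL);      /* drain anything remaining before freeing */
    if (a) cli_free(&srv, a);
    if (b) cli_free(&srv, b);
    return left;
}
```

The point the model makes concrete is Jeff's: the location of the queue is
irrelevant to the use-after-free. What protects wc->cli is that
cli_free() drains before free(), and a per-client queue would need exactly
the same drain; the per-server queue only adds the filtering in
srv_run_compl() so that one client's dispose does not run another's
completions early.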