From: Jeff Garzik
Subject: Re: [tabled patch 1/1] running completions over disposed cli
Date: Sat, 15 May 2010 16:43:44 -0400
Message-ID: <4BEF0780.10403@garzik.org>
References: <20100515131714.592c1b15@redhat.com>
In-Reply-To: <20100515131714.592c1b15@redhat.com>
Sender: hail-devel-owner@vger.kernel.org
To: Pete Zaitcev
Cc: Project Hail List

On 05/15/2010 03:17 PM, Pete Zaitcev wrote:
> Miraculously this never actually crashed on me, but I added unrelated
> debugging printout into the dispatch routine and it printed weird
> values. Then it dawned on me that a state change function may dispose
> of the struct cli, in which case cli_write_run_compl is use-after-free.
>
> It may seem that checking if the old state was evt_dispose before
> running cli_write_run_compl is an expedient fix, but that does not
> work, because we do not always dispose of the cli in such a case.
> If the cli to be disposed still has anything in the queue, we
> need to continue to deliver events, and for that we have to
> run outstanding completions.
>
> So, we go a longer route and re-hook the list of completions
> to a per-server global instead of a client. The patch is
> straightforward. The only thing we need to be careful about is to
> make sure that no outstanding completions are left in the queue
> before freeing a client struct. This is ensured by force-running
> completions.
>
> One other necessary change was to add a back pointer from a completion
> to the current client. This is because one caller needed the client
> pointer (object_get_more).
>
> Signed-off-by: Pete Zaitcev

applied
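The fix described in the quoted message, modelled as an added C example that is not tabled's own code: the completion list is owned by the server rather than the client, each completion carries a back pointer to its client, completions are force-run before a struct cli is freed, and the dispatch path runs completions against the server instead of the client that the state change may have just disposed of. The names struct srv, run_completions, cli_queue_compl, cli_free, cli_state_change, dispatch and demo are assumptions chosen for illustration.

```c
#include <stdlib.h>
struct cli;
struct compl { struct compl *next; struct cli *cli; int (*fn)(struct cli *); };
struct srv  { struct compl *head; int completed, freed; };  /* completions now per server */
struct cli  { struct srv *srv; int pending; };
/* Drain the server-owned list. A completion may touch its client through the
 * back pointer, so every client referenced here must still be live. */
static int run_completions(struct srv *srv) {
    struct compl *c; int n;
    for (n = 0; (c = srv->head) != NULL; n++) {
        srv->head = c->next;
        c->fn(c->cli);
        free(c);
    }
    srv->completed += n;
    return n;
}
/* Queue a completion on the server list with a back pointer to the client. */
static void cli_queue_compl(struct cli *cli, int (*fn)(struct cli *)) {
    struct compl *c = calloc(1, sizeof(*c)); if (!c) abort();
    c->cli = cli; c->fn = fn; c->next = cli->srv->head; cli->srv->head = c;
}
/* Force-run outstanding completions before freeing the struct cli, so nothing
 * on the server list can later dereference freed memory. */
static void cli_free(struct cli *cli) {
    run_completions(cli->srv);
    cli->srv->freed++;
    free(cli);
}
/* State change that disposes of the client once its queue is empty. */
static int cli_state_change(struct cli *cli) {
    if (cli->pending > 0) { cli->pending--; return 0; }
    cli_free(cli);
    return 1;
}
static int touch_cli(struct cli *cli) { return cli->pending; }  /* needs a live cli */
/* Dispatch: take the server pointer first, then run completions against it
 * rather than against cli, which the state change may just have freed. */
static int dispatch(struct cli *cli) {
    struct srv *srv = cli->srv;
    cli_state_change(cli);
    return run_completions(srv);
}
/* Constructed scenario: one client with an empty queue and one queued completion.
 * Returns 1 when the completion ran exactly once, before the free. */
static int demo(void) {
    struct srv srv = {0};
    struct cli *cli = calloc(1, sizeof(*cli)); if (!cli) abort();
    cli->srv = &srv; cli_queue_compl(cli, touch_cli);
    return dispatch(cli) == 0 && srv.completed == 1 && srv.freed == 1;
}
```

With the list on the client instead, the same dispatch call would walk memory that cli_free had already released; with it on the server, dispatch finds nothing left and never touches the freed client.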