[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH] Unmatched decrementing of net device reference count

On Wed, Dec 20, 2006 at 11:21:51AM -0200, Glauber de Oliveira Costa wrote:
> unregister_netdev() works as a barrier in this case. The call to
> netif_disconnect_backend() introduces a new carrier watch, which hold()s a
> reference to be put()'d in a future time. If we call free right after that, 
> it might be the case that put() is called after free. Nothing in this
> case prevents this memory region to have been allocated again to another
> device. 

Thanks for the explanation.  I understand the problem now.  However,
I think your patch isn't adequate because the closing of the backend
no longer shuts down the transmitter in the frontend.

Looking at this again it comes down to an asymmetry in the setup
and tear-down processes.  On startup, we have two stages:

1) netfront_probe => create_netdev
                  => open_netdev => register_netdev;
2) network_connect => sets up IRQ/ring buffer/etc.

On tear-down, things occur in the wrong order:

1) netfront_closing => close_netdev => unregister_netdev;
2) netfront_remove => kills IRQ/ring buffer and free_netdev.

The tear-down order should be the opposite of the setup, i.e.,

1) netfront_closing => kills IRQ/ring buffer;
2) netfront_remove => close_netdev => unregister_netdev
                   => free_netdev.

So I suggest we move the netif_disconnct_backend call to
netfront_closing and close_netdev to netfront_remove.

Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <herbert@xxxxxxxxxxxxxxxxxxx>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

Xen-devel mailing list



Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.