> Hello!
>
> > Methinks I found the sucker - we have one place where the unix_socket
> > is freed without kernel_lock held. It is in unix_destroy_timer().
>
> Stop, stop, stop! By the time the socket is destroyed from the timer,
> it is dead. It is detached from the hash tables, its queues are already destroyed,
> etc. It is held only to tell the peer that the endpoint is dead and to die in peace.

Sigh... AFAICS it's the only place where we have async *whatever* in
net/unix/*.c. Can anything remove skb from the queue without kernel_lock
held? Maybe I'm missing the path calling unix_gc() without kernel_lock,
but I've rechecked it and it seems to be OK.