2009-12-07 07:45:11

by Nikita V. Youshchenko

[permalink] [raw]
Subject: When it is save to kfree() hrtimer object?

Hi

I'm writing a device driver that processes it's requests.

Each request is described by a request structure. There may be arbitary
number of requests pending, so I have a kmem_cache for those objects.

Request processing may include "retry after N usecs" on some conditions, so
I have a struct htrimer embedded into my request structure, and use it to
implement the delay.

When request processing is complete, I deallocate request structure with
kmem_cache_free().

I faced an issue when request processing is complete when running inside
hrtimer callback. I have nothing in my request processing that can't be
done in atomic context - just several device register accesses and
wake_up_interruptible() call. So I thought that I may do everything inside
hrtimer callback. Including kmem_cache_free() the request structure.

But looks like I can't. Hrtimer code does access hrtimer object after
return from callback, even if HRTIMER_NORESTART is returned. So if request
object (that is container of hrtimer object in my case) is deallocated,
slab corruption happens.

Looks like I will have to implement some ugly workaround for that ... like
a "garbage-collector" thread that will do nothing but deallocate requests
from some sort of free list.

I'd like to ask several questions.

- Isn't it a bug that timer object is accessed after it's callback was
called and returned HRTIMER_NORESTART?

- If that is not a bug, then when it is "officially safe" to deallocate
struct hrtimer object?

- Are there any recommendations on how to implement "single-shot" timers
like in my case?

Nikita


2009-12-07 10:35:48

by Thomas Gleixner

[permalink] [raw]
Subject: Re: When it is save to kfree() hrtimer object?

On Mon, 7 Dec 2009, Nikita V. Youshchenko wrote:
> - Isn't it a bug that timer object is accessed after it's callback was
> called and returned HRTIMER_NORESTART?

No, it's not. It's deliberately implemented that way.

> - If that is not a bug, then when it is "officially safe" to deallocate
> struct hrtimer object?

When it's neither enqueued nor running the callback. See the other use
sites.

> - Are there any recommendations on how to implement "single-shot" timers
> like in my case?

Well, you wake up something which waits on completion of that request,
right ? Probably the caller which issued the request. Why don't you
free the request in the waiter context after it got woken up ?

Thanks,

tglx