6e35aabee1
The race is as follows: A process : cma_process_remove() calls cma_remove_id_dev(), which sets id state to CMA_DEVICE_REMOVAL and calls wait_event(dev_remove). B process : cma_req_handler() had incremented dev_remove, and calls cma_acquire_ib_dev() and on failure calls cma_release_remove(), which does a wake_up of cma_process_remove(). Then cma_req_handler() calls rdma_destroy_id(); A Process : cma_remove_id_dev() gets woken and checks the state of id, and since it is still (wrongly) CMA_DEVICE_REMOVAL, it calls notify_user(id) and if that fails, the caller - cma_process_remove() calls rdma_destroy_id(id). Two processes can call rdma_destroy_id(), resulting in one de-referencing kfreed id_priv. Fix is for process B to set CMA_DESTROYING in cma_req_handler() so that process A will return instead of doing a rdma_destroy_id(). Signed-off-by: Krishna Kumar <krkumar2@in.ibm.com> Signed-off-by: Sean Hefty <sean.hefty@intel.com> Signed-off-by: Roland Dreier <rolandd@cisco.com> |
||
|---|---|---|
| .. | ||
| addr.c | ||
| agent.c | ||
| agent.h | ||
| cache.c | ||
| cm_msgs.h | ||
| cm.c | ||
| cma.c | ||
| core_priv.h | ||
| device.c | ||
| fmr_pool.c | ||
| iwcm.c | ||
| iwcm.h | ||
| mad_priv.h | ||
| mad_rmpp.c | ||
| mad_rmpp.h | ||
| mad.c | ||
| Makefile | ||
| packer.c | ||
| sa_query.c | ||
| smi.c | ||
| smi.h | ||
| sysfs.c | ||
| ucm.c | ||
| ud_header.c | ||
| user_mad.c | ||
| uverbs_cmd.c | ||
| uverbs_main.c | ||
| uverbs_marshall.c | ||
| uverbs_mem.c | ||
| uverbs.h | ||
| verbs.c | ||