i40iw: Fix race condition in terminate timer's handler
authorShiraz Saleem <shiraz.saleem@intel.com>
Tue, 6 Dec 2016 21:49:33 +0000 (15:49 -0600)
committerDoug Ledford <dledford@redhat.com>
Mon, 12 Dec 2016 22:20:28 +0000 (17:20 -0500)
Add a QP reference when terminate timer is started to ensure
the destroy QP doesn't race ahead to free the QP while it is being
referenced in the terminate timer's handler.

Signed-off-by: Shiraz Saleem <shiraz.saleem@intel.com>
Signed-off-by: Doug Ledford <dledford@redhat.com>
drivers/infiniband/hw/i40iw/i40iw_cm.c
drivers/infiniband/hw/i40iw/i40iw_utils.c
drivers/infiniband/hw/i40iw/i40iw_verbs.c

index ff95feaee105f6bb914c1982e11d723c7e620fd1..a217d2f349143cd751d976ae70a9db563096dfd4 100644 (file)
@@ -3471,7 +3471,7 @@ static void i40iw_cm_disconn_true(struct i40iw_qp *iwqp)
                 *terminate-handler to issue cm_disconn which can re-free
                 *a QP even after its refcnt=0.
                 */
-               del_timer(&iwqp->terminate_timer);
+               i40iw_terminate_del_timer(qp);
                if (!iwqp->flush_issued) {
                        iwqp->flush_issued = 1;
                        issue_flush = 1;
index 4a08ffb75d2e8e66377206768d586202c561bd08..7d4af77599703f825e832592b9779a9e00634594 100644 (file)
@@ -823,6 +823,7 @@ static void i40iw_terminate_timeout(unsigned long context)
        struct i40iw_sc_qp *qp = (struct i40iw_sc_qp *)&iwqp->sc_qp;
 
        i40iw_terminate_done(qp, 1);
+       i40iw_rem_ref(&iwqp->ibqp);
 }
 
 /**
@@ -834,6 +835,7 @@ void i40iw_terminate_start_timer(struct i40iw_sc_qp *qp)
        struct i40iw_qp *iwqp;
 
        iwqp = (struct i40iw_qp *)qp->back_qp;
+       i40iw_add_ref(&iwqp->ibqp);
        init_timer(&iwqp->terminate_timer);
        iwqp->terminate_timer.function = i40iw_terminate_timeout;
        iwqp->terminate_timer.expires = jiffies + HZ;
@@ -850,7 +852,8 @@ void i40iw_terminate_del_timer(struct i40iw_sc_qp *qp)
        struct i40iw_qp *iwqp;
 
        iwqp = (struct i40iw_qp *)qp->back_qp;
-       del_timer(&iwqp->terminate_timer);
+       if (del_timer(&iwqp->terminate_timer))
+               i40iw_rem_ref(&iwqp->ibqp);
 }
 
 /**
index 206d72b8a8bdf4a319c67761925e0cf61be8a8dc..18526e6f9d8584f96e02524853e5e465e730e4fc 100644 (file)
@@ -959,7 +959,7 @@ int i40iw_modify_qp(struct ib_qp *ibqp, struct ib_qp_attr *attr,
                                goto exit;
                        }
                        if (iwqp->sc_qp.term_flags)
-                               del_timer(&iwqp->terminate_timer);
+                               i40iw_terminate_del_timer(&iwqp->sc_qp);
                        info.next_iwarp_state = I40IW_QP_STATE_ERROR;
                        if ((iwqp->hw_tcp_state > I40IW_TCP_STATE_CLOSED) &&
                            iwdev->iw_status &&