[PATCH] IB: Fix race in sa_query
authorRoland Dreier <rolandd@cisco.com>
Mon, 27 Jun 2005 21:36:46 +0000 (14:36 -0700)
committerLinus Torvalds <torvalds@ppc970.osdl.org>
Mon, 27 Jun 2005 22:11:47 +0000 (15:11 -0700)
Use a copy of the id we'll return to the consumer so that we don't
dereference query->sa_query after calling send_mad().  A completion may
occur very quickly and end up freeing the query before we get to do
anything after send_mad().

Signed-off-by: Roland Dreier <rolandd@cisco.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
drivers/infiniband/core/sa_query.c

index 276e1a53010ddc19a312b067caccf89c3c6b6c00..5a08e81fa82704e7496ecf2705e0325933f1d2eb 100644 (file)
@@ -507,7 +507,13 @@ retry:
                spin_unlock_irqrestore(&idr_lock, flags);
        }
 
-       return ret;
+       /*
+        * It's not safe to dereference query any more, because the
+        * send may already have completed and freed the query in
+        * another context.  So use wr.wr_id, which has a copy of the
+        * query's id.
+        */
+       return ret ? ret : wr.wr_id;
 }
 
 static void ib_sa_path_rec_callback(struct ib_sa_query *sa_query,
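Review bot: The new `return ret ? ret : wr.wr_id;` changes send_mad()'s contract from "0 or negative errno" to "negative errno or the non-negative query id", and that contract is only stated in the inline comment; callers that still test `if (ret)` would now treat every successful send as a failure, so it belongs in a header comment on send_mad(), whose definition starts outside this hunk. If `wr.wr_id` is the 64-bit wr_id field the id was copied into, the return also narrows it implicitly to int; making that explicit, `return ret ? ret : (int) wr.wr_id;`, documents that the value was an int-sized idr id to begin with. I would add a one-line comment above the function such as `/* Returns the query id (>= 0) on success, or a negative errno. The query may be freed by the time this returns. */`.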
@@ -598,14 +604,15 @@ int ib_sa_path_rec_get(struct ib_device *device, u8 port_num,
                rec, query->sa_query.mad->data);
 
        *sa_query = &query->sa_query;
+
        ret = send_mad(&query->sa_query, timeout_ms);
-       if (ret) {
+       if (ret < 0) {
                *sa_query = NULL;
                kfree(query->sa_query.mad);
                kfree(query);
        }
 
-       return ret ? ret : query->sa_query.id;
+       return ret;
 }
 EXPORT_SYMBOL(ib_sa_path_rec_get);
 
@@ -674,14 +681,15 @@ int ib_sa_mcmember_rec_query(struct ib_device *device, u8 port_num,
                rec, query->sa_query.mad->data);
 
        *sa_query = &query->sa_query;
+
        ret = send_mad(&query->sa_query, timeout_ms);
-       if (ret) {
+       if (ret < 0) {
                *sa_query = NULL;
                kfree(query->sa_query.mad);
                kfree(query);
        }
 
-       return ret ? ret : query->sa_query.id;
+       return ret;
 }
 EXPORT_SYMBOL(ib_sa_mcmember_rec_query);