[PATCH] IB: Fix race in sa_query

Use a copy of the id we'll return to the consumer so that we don't
dereference query->sa_query after calling send_mad(). A completion may
occur very quickly and end up freeing the query before we get to do
anything after send_mad().

Signed-off-by: Roland Dreier <rolandd@cisco.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>

authored by Roland Dreier and committed by Linus Torvalds dae4c1d2 cae54bdf

+13 -5
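--- a/drivers/infiniband/core/sa_query.c
+++ b/drivers/infiniband/core/sa_query.c
@@ -507,7 +507,13 @@
 		spin_unlock_irqrestore(&idr_lock, flags);
 	}
 
-	return ret;
+	/*
+	 * It's not safe to dereference query any more, because the
+	 * send may already have completed and freed the query in
+	 * another context. So use wr.wr_id, which has a copy of the
+	 * query's id.
+	 */
+	return ret ? ret : wr.wr_id;
 }
 
 static void ib_sa_path_rec_callback(struct ib_sa_query *sa_query,
@@ -604,14 +598,15 @@
 		rec, query->sa_query.mad->data);
 
 	*sa_query = &query->sa_query;
+
 	ret = send_mad(&query->sa_query, timeout_ms);
-	if (ret) {
+	if (ret < 0) {
 		*sa_query = NULL;
 		kfree(query->sa_query.mad);
 		kfree(query);
 	}
 
-	return ret ? ret : query->sa_query.id;
+	return ret;
 }
 EXPORT_SYMBOL(ib_sa_path_rec_get);
 
@@ -681,14 +674,15 @@
 		rec, query->sa_query.mad->data);
 
 	*sa_query = &query->sa_query;
+
 	ret = send_mad(&query->sa_query, timeout_ms);
-	if (ret) {
+	if (ret < 0) {
 		*sa_query = NULL;
 		kfree(query->sa_query.mad);
 		kfree(query);
 	}
 
-	return ret ? ret : query->sa_query.id;
+	return ret;
 }
 EXPORT_SYMBOL(ib_sa_mcmember_rec_query);
 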
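Review bot: The lifetime hazard this commit removes from inside send_mad() still reaches the consumer through `*sa_query`, which ib_sa_path_rec_get() in the second hunk (and ib_sa_mcmember_rec_query() in the third) stores before calling send_mad() and leaves set on success, so by the time the caller reads it the completion may already have freed the query exactly as the new comment in send_mad() warns. Presumably consumers are expected to hand that pointer straight back to the cancel path together with the returned id rather than dereference it, but that contract is stated nowhere in the hunk; I would document it at the assignment: `/* The completion may free the query as soon as send_mad() returns: callers must treat *sa_query as an opaque handle and never dereference it. */`. Separately, send_mad() now returns `wr.wr_id` through an int return type; if wr_id is the 64-bit work-request id this is a silent narrowing, harmless while the value is an idr-allocated id but worth an explicit `(int)` cast with a one-line note so the intent is visible. Both send_mad() and the two exported callers begin before their hunks, so the declaration of wr and the origin of ret are not visible here.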