[PATCH] IB: Fix race in sa_query

Use a copy of the id we'll return to the consumer so that we don't dereference query->sa_query after calling send_mad(). A completion may occur very quickly and end up freeing the query before we get to do anything after send_mad(). Signed-off-by: N Roland Dreier <rolandd@cisco.com> Signed-off-by: N Andrew Morton <akpm@osdl.org> Signed-off-by: N Linus Torvalds <torvalds@osdl.org>

[PATCH] IB: Fix race in sa_query
Use a copy of the id we'll return to the consumer so that we don't dereference query->sa_query after calling send_mad(). A completion may occur very quickly and end up freeing the query before we get to do anything after send_mad(). Signed-off-by: N Roland Dreier <rolandd@cisco.com> Signed-off-by: N Andrew Morton <akpm@osdl.org> Signed-off-by: N Linus Torvalds <torvalds@osdl.org>
dae4c1d2 · Roland Dreier · Linus Torvalds · cae54bdf · dae4c1d2
隐藏空白更改
内联并排

Showing with 13 addition and 5 deletion

drivers/infiniband/core/sa_query.c drivers/infiniband/core/sa_query.c +13 -5

未找到文件。
--- a/drivers/infiniband/core/sa_query.c
+++ b/drivers/infiniband/core/sa_query.c
@@ -507,7 +507,13 @@ static int send_mad(struct ib_sa_query *query, int timeout_ms)
 		spin_unlock_irqrestore(&idr_lock, flags);
 	}

-	return ret;
+	/*
+	 * It's not safe to dereference query any more, because the
+	 * send may already have completed and freed the query in
+	 * another context.  So use wr.wr_id, which has a copy of the
+	 * query's id.
+	 */
+	return ret ? ret : wr.wr_id;
 }

 static void ib_sa_path_rec_callback(struct ib_sa_query *sa_query,
@@ -598,14 +604,15 @@ int ib_sa_path_rec_get(struct ib_device *device, u8 port_num,
 		rec, query->sa_query.mad->data);

 	*sa_query = &query->sa_query;
+
 	ret = send_mad(&query->sa_query, timeout_ms);
-	if (ret) {
+	if (ret < 0) {
 		*sa_query = NULL;
 		kfree(query->sa_query.mad);
 		kfree(query);
 	}

-	return ret ? ret : query->sa_query.id;
+	return ret;
 }
 EXPORT_SYMBOL(ib_sa_path_rec_get);

@@ -674,14 +681,15 @@ int ib_sa_mcmember_rec_query(struct ib_device *device, u8 port_num,
 		rec, query->sa_query.mad->data);

 	*sa_query = &query->sa_query;
+
 	ret = send_mad(&query->sa_query, timeout_ms);
-	if (ret) {
+	if (ret < 0) {
 		*sa_query = NULL;
 		kfree(query->sa_query.mad);
 		kfree(query);
 	}

-	return ret ? ret : query->sa_query.id;
+	return ret;
 }
 EXPORT_SYMBOL(ib_sa_mcmember_rec_query);