sdp: fix for race condition with SrcAvailCancel handling

Tx complition resets "rdma_inflight->busy" and wakes up the recvmsg().
But rx_workqueue might get the lock of the socket before recvmsg(), so
SrcAvailCancel might be polled from the rx_cq, and since "busy = 0",
rx_sa wil be freed (w/o freeing umem&fmr).

Signed-off-by: Eldad Zinger <eldadz@mellanox.co.il>

diff --git a/drivers/infiniband/ulp/sdp/sdp_rx.c b/drivers/infiniband/ulp/sdp/sdp_rx.c
index a21b2ffa7bea54451cb93d12bf066004fc5c3e5f..48f4ab6eee241544d6f185bb1b12a01f3ac40dda 100644 (file)
--- a/drivers/infiniband/ulp/sdp/sdp_rx.c
+++ b/drivers/infiniband/ulp/sdp/sdp_rx.c
@@ -510,8 +510,7 @@ static int sdp_process_rx_ctl_skb(struct sdp_sock *ssk, struct sk_buff *skb)
                break;
        case SDP_MID_SRCAVAIL_CANCEL:
                if (ssk->rx_sa && after(ntohl(h->mseq), ssk->rx_sa->mseq) &&
-                               (!ssk->tx_ring.rdma_inflight ||
-                                !ssk->tx_ring.rdma_inflight->busy)) {
+                               !ssk->tx_ring.rdma_inflight) {
                        sdp_dbg(sk, "Handling SrcAvailCancel - post SendSM\n");
                        RX_SRCAVAIL_STATE(ssk->rx_sa->skb) = NULL;
                        kfree(ssk->rx_sa);