sdp: fix for CMA reference count
authorEldad Zinger <eldadz@mellanox.co.il>
Wed, 20 Oct 2010 15:14:35 +0000 (17:14 +0200)
committerMukesh Kacker <mukesh.kacker@oracle.com>
Tue, 6 Oct 2015 12:05:31 +0000 (05:05 -0700)
When sdp_destroy_work() is invoked (due to the cma handler),
but "ssk->cma_timewait_timeout == 0", a socket reference was put even though
it was never taken. This can happen in 2 scenarios:
1. sdp_destroy_work() locked the socket before sdp_close()
2. sdp_destroy_work() locked the socket after sdp_cma_timewait_timeout_work()

Signed-off-by: Eldad Zinger <eldadz@mellanox.co.il>
drivers/infiniband/ulp/sdp/sdp_main.c

index fb47133cfdde9cfb696c6b950058ea6c43a152f5..827586d3514e709a59ac35fa86b461d1541b0417 100644 (file)
@@ -636,7 +636,7 @@ static void sdp_cma_timewait_timeout_work(struct work_struct *work)
 static int sdp_cancel_cma_timewait_timeout(struct sdp_sock *ssk)
 {
        if (!ssk->cma_timewait_timeout)
-               return 1;
+               return 0;
 
        ssk->cma_timewait_timeout = 0;
        return cancel_delayed_work(&ssk->cma_timewait_work);
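Review bot: The return value of sdp_cancel_cma_timewait_timeout() decides whether the caller drops SOCK_REF_CMA, but nothing at the function states that contract. A comment above it such as `/* Returns non-zero only when a pending timewait work was cancelled; the caller must then put SOCK_REF_CMA. */` would pin it down. Note also that `ssk->cma_timewait_timeout = 0` is cleared before the result of cancel_delayed_work() is known. When that call returns 0 because the work is already running, the reference presumably has to be dropped by sdp_cma_timewait_timeout_work() itself; that handler is outside the hunk, so it is worth checking that its put does not depend on the flag. The function's closing brace is also outside the hunk.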
@@ -1042,12 +1042,12 @@ static void sdp_destroy_work(struct work_struct *work)
 
        sdp_cancel_dreq_wait_timeout(ssk);
 
+       lock_sock(sk);
        if (sk->sk_state == TCP_TIME_WAIT) {
                if (sdp_cancel_cma_timewait_timeout(ssk))
                        sock_put(sk, SOCK_REF_CMA);
        }
 
-       lock_sock(sk);
        /* In normal close current state is TCP_TIME_WAIT or TCP_CLOSE
           but if a CM connection is dropped below our legs state could
           be any state */
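Review bot: Taking `lock_sock(sk)` before the TCP_TIME_WAIT check is now what keeps the SOCK_REF_CMA put balanced, yet no comment says so, and a later cleanup could move the line back. I would add above it `/* Take the socket lock before testing sk_state and cma_timewait_timeout, so the check and the put cannot interleave with sdp_close() or the timewait work. */`, which matches the two scenarios in the commit description. Because `sock_put(sk, SOCK_REF_CMA)` now runs with the socket locked, it is also worth confirming that sdp_destroy_work() holds another reference at this point, so this put cannot be the final one. The matching release_sock() and the rest of the function are outside the hunk.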