From: Eldad Zinger <eldadz@mellanox.co.il>
Date: Tue, 19 Oct 2010 14:52:09 +0000 (+0200)
Subject: sdp: fix for race condition with SrcAvailCancel handling
X-Git-Tag: v4.1.12-92~264^2~5^2~82
X-Git-Url: https://www.infradead.org/git/?a=commitdiff_plain;h=788b897093dc61e0660abb5f7efc602edd214c11;p=users%2Fjedix%2Flinux-maple.git

sdp: fix for race condition with SrcAvailCancel handling

Tx complition resets "rdma_inflight->busy" and wakes up the recvmsg().
But rx_workqueue might get the lock of the socket before recvmsg(), so
SrcAvailCancel might be polled from the rx_cq, and since "busy = 0",
rx_sa wil be freed (w/o freeing umem&fmr).

Signed-off-by: Eldad Zinger <eldadz@mellanox.co.il>
---

diff --git a/drivers/infiniband/ulp/sdp/sdp_rx.c b/drivers/infiniband/ulp/sdp/sdp_rx.c
index a21b2ffa7bea5..48f4ab6eee241 100644
--- a/drivers/infiniband/ulp/sdp/sdp_rx.c
+++ b/drivers/infiniband/ulp/sdp/sdp_rx.c
@@ -510,8 +510,7 @@ static int sdp_process_rx_ctl_skb(struct sdp_sock *ssk, struct sk_buff *skb)
 		break;
 	case SDP_MID_SRCAVAIL_CANCEL:
 		if (ssk->rx_sa && after(ntohl(h->mseq), ssk->rx_sa->mseq) &&
-				(!ssk->tx_ring.rdma_inflight ||
-				 !ssk->tx_ring.rdma_inflight->busy)) {
+				!ssk->tx_ring.rdma_inflight) {
 			sdp_dbg(sk, "Handling SrcAvailCancel - post SendSM\n");
 			RX_SRCAVAIL_STATE(ssk->rx_sa->skb) = NULL;
 			kfree(ssk->rx_sa);