From 8dc08e13f399e0fef7a6dcde80995d0f415b22d1 Mon Sep 17 00:00:00 2001
From: Eldad Zinger
Date: Wed, 20 Oct 2010 17:14:35 +0200
Subject: [PATCH] sdp: fix for CMA reference count
When sdp_destroy_work() is invoked (due to the cma handler), but "ssk->cma_timewait_timeout == 0", a socket reference was putted even though it was never taken. This can happen in 2 scenarios: 1. sdp_destroy_work() locked the socket before sdp_close() 2. sdp_destroy_work() locked the socket after sdp_cma_timewait_timeout_work()
Signed-off-by: Eldad Zinger
---
 drivers/infiniband/ulp/sdp/sdp_main.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/infiniband/ulp/sdp/sdp_main.c b/drivers/infiniband/ulp/sdp/sdp_main.c
index fb47133cfdde..827586d3514e 100644
--- a/drivers/infiniband/ulp/sdp/sdp_main.c
+++ b/drivers/infiniband/ulp/sdp/sdp_main.c
@@ -636,7 +636,7 @@ static void sdp_cma_timewait_timeout_work(struct work_struct *work)
 static int sdp_cancel_cma_timewait_timeout(struct sdp_sock *ssk)
 {
 if (!ssk->cma_timewait_timeout)
- return 1;
+ return 0;
 ssk->cma_timewait_timeout = 0;
 return cancel_delayed_work(&ssk->cma_timewait_work);
@@ -1042,12 +1042,12 @@ static void sdp_destroy_work(struct work_struct *work)
 sdp_cancel_dreq_wait_timeout(ssk);
+ lock_sock(sk);
 if (sk->sk_state == TCP_TIME_WAIT) {
 if (sdp_cancel_cma_timewait_timeout(ssk))
 sock_put(sk, SOCK_REF_CMA);
 }
- lock_sock(sk);
 /* In normal close current state is TCP_TIME_WAIT or TCP_CLOSE but if a CM connection is dropped below our legs state could be any state */
--
2.50.1
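Review bot: The return value of sdp_cancel_cma_timewait_timeout() now decides whether the caller drops SOCK_REF_CMA, but nothing at the function states that contract or the locking it relies on. The test and clear of `ssk->cma_timewait_timeout` is not protected inside the helper, so it is only safe if every caller holds the socket lock; the second hunk arranges that for sdp_destroy_work(), and other callers are not visible here. I would add a comment above the function such as `/* Caller must hold the socket lock. Returns non-zero only when a pending timewait work was cancelled; the caller then owns SOCK_REF_CMA and must put it. */`. When cancel_delayed_work() returns 0 because the work is already running, the reference is presumably dropped by sdp_cma_timewait_timeout_work() itself, which is worth stating in the same comment if it holds.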
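Review bot: `sdp_cancel_dreq_wait_timeout(ssk)` on the context line above the moved `lock_sock(sk)` still runs without the socket lock. If that helper uses the same test-a-flag-then-cancel pattern as the cma helper (its body is outside this hunk), it could race with sdp_close() in the same way and unbalance its own reference; either move the call below `lock_sock(sk)` or add a comment saying why it must stay outside the lock, for example because it cancels synchronously. In addition, `sock_put(sk, SOCK_REF_CMA)` is now called with the socket locked, so this path depends on another reference keeping the socket alive until release_sock(); a short comment naming that reference would help. sdp_destroy_work() begins and ends outside the hunk.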