From 92c076ee0045504c7fbab30fe5af6b66df2a22a9 Mon Sep 17 00:00:00 2001
From: Eldad Zinger <eldadz@mellanox.co.il>
Date: Thu, 5 Aug 2010 09:31:27 +0300
Subject: [PATCH] sdp: BUG2092 - ib_device field in sdp_sock is reset not in
 user-context

ib_device field of sdp_sock is NULL after either cases:
- cma handler resetting the socket
- device removal
Both cases are not in user-context.

Signed-off-by: Eldad Zinger <eldadz@mellanox.co.il>
---
 drivers/infiniband/ulp/sdp/sdp_cma.c   | 9 +++++----
 drivers/infiniband/ulp/sdp/sdp_zcopy.c | 6 ++++--
 2 files changed, 9 insertions(+), 6 deletions(-)

diff --git a/drivers/infiniband/ulp/sdp/sdp_cma.c b/drivers/infiniband/ulp/sdp/sdp_cma.c
index cc44fb7b4c74..6cc6a7cd6c7f 100644
--- a/drivers/infiniband/ulp/sdp/sdp_cma.c
+++ b/drivers/infiniband/ulp/sdp/sdp_cma.c
@@ -172,22 +172,19 @@ static int sdp_connect_handler(struct sock *sk, struct rdma_cm_id *id,
 	inet_sk(child)->dport = dst_addr->sin_port;
 	inet_sk(child)->daddr = dst_addr->sin_addr.s_addr;
 
-	bh_unlock_sock(child);
 	__sock_put(child, SOCK_REF_CLONE);
 
 	down_read(&device_removal_lock);
 
 	rc = sdp_init_qp(child, id);
 	if (rc) {
+		bh_unlock_sock(child);
 		up_read(&device_removal_lock);
 		sdp_sk(child)->destructed_already = 1;
 		sk_free(child);
 		return rc;
 	}
 
-	sdp_add_sock(sdp_sk(child));
-	up_read(&device_removal_lock);
-
 	sdp_sk(child)->max_bufs = ntohs(h->bsdh.bufs);
 	atomic_set(&sdp_sk(child)->tx_ring.credits, sdp_sk(child)->max_bufs);
 
@@ -205,6 +202,10 @@ static int sdp_connect_handler(struct sock *sk, struct rdma_cm_id *id,
 			&sdp_sk(sk)->backlog_queue);
 	sdp_sk(child)->parent = sk;
 
+	bh_unlock_sock(child);
+	sdp_add_sock(sdp_sk(child));
+	up_read(&device_removal_lock);
+
 	sdp_exch_state(child, TCPF_LISTEN | TCPF_CLOSE, TCP_SYN_RECV);
 
 	/* child->sk_write_space(child); */
diff --git a/drivers/infiniband/ulp/sdp/sdp_zcopy.c b/drivers/infiniband/ulp/sdp/sdp_zcopy.c
index 6608d34a649b..89aa51740936 100644
--- a/drivers/infiniband/ulp/sdp/sdp_zcopy.c
+++ b/drivers/infiniband/ulp/sdp/sdp_zcopy.c
@@ -427,13 +427,16 @@ static int sdp_alloc_fmr(struct sock *sk, void *uaddr, size_t len,
 {
 	struct ib_pool_fmr *fmr;
 	struct ib_umem *umem;
-	struct ib_device *dev;
+	struct ib_device *dev = sdp_sk(sk)->ib_device;
 	u64 *pages;
 	struct ib_umem_chunk *chunk;
 	int n, j, k;
 	int rc = 0;
 	unsigned long max_lockable_bytes;
 
+	if (unlikely(!dev))
+		return -ENODEV;
+
 	if (unlikely(len > SDP_MAX_RDMA_READ_LEN)) {
 		sdp_dbg_data(sk, "len:0x%zx > FMR_SIZE: 0x%lx\n",
 			len, SDP_MAX_RDMA_READ_LEN);
@@ -472,7 +475,6 @@ static int sdp_alloc_fmr(struct sock *sk, void *uaddr, size_t len,
 
 	n = 0;
 
-	dev = sdp_sk(sk)->ib_device;
 	list_for_each_entry(chunk, &umem->chunk_list, list) {
 		for (j = 0; j < chunk->nmap; ++j) {
 			len = ib_sg_dma_len(dev,
-- 
2.50.1