From 98006b31802021b65b0546ec695172f80c8d637a Mon Sep 17 00:00:00 2001
From: Yishai Hadas
Date: Wed, 20 Mar 2013 18:00:02 +0200
Subject: [PATCH] mlx4_core: fix ib_uverbs_get_context flow

Fix flow to prevent kernel panic in case of a failure in copy_to_user. INIT_IB_EVENT_HANDLER must be called to initialize the event handler list before releasing filp as part of fput. Otherwise will get a kernel panic at ib_unregister_event_handler when calling list_del.

Signed-off-by: Yishai Hadas
(Ported from Mellanox OFED 2.4)
Signed-off-by: Mukesh Kacker
---
 drivers/infiniband/core/uverbs_cmd.c | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)

diff --git a/drivers/infiniband/core/uverbs_cmd.c b/drivers/infiniband/core/uverbs_cmd.c
index 651b5619aa18..9d73aa5ec8fb 100644
--- a/drivers/infiniband/core/uverbs_cmd.c
+++ b/drivers/infiniband/core/uverbs_cmd.c
@@ -361,12 +361,6 @@ ssize_t ib_uverbs_get_context(struct ib_uverbs_file *file,
 goto err_fd;
 }
 
- if (copy_to_user((void __user *) (unsigned long) cmd.response,
- &resp, sizeof resp)) {
- ret = -EFAULT;
- goto err_file;
- }
-
 file->async_file = filp->private_data;
 
 INIT_IB_EVENT_HANDLER(&file->event_handler, file->device->ib_dev,
@@ -375,6 +369,11 @@ ssize_t ib_uverbs_get_context(struct ib_uverbs_file *file,
 if (ret)
 goto err_file;
 
+ if (copy_to_user((void __user *) (unsigned long) cmd.response,
+ &resp, sizeof resp)) {
+ ret = -EFAULT;
+ goto err_file;
+ }
 kref_get(&file->async_file->ref);
 kref_get(&file->ref);
 file->ucontext = ucontext;
-- 
2.50.1
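Review bot: On the relocated `copy_to_user` failure path in the second hunk, `file->async_file` has already been assigned from `filp->private_data` and the event handler registered, but both `kref_get` calls still come after the copy. The `err_file` label and the rest of `ib_uverbs_get_context` lie outside the hunk, so it is not visible whether that path clears the pointer; if the `fput` there drops the last reference to the event file, `file->async_file` would presumably be left dangling for any later teardown that tests it. Consider clearing it on the error path, e.g. `file->async_file = NULL;` once `filp` has been released, which would also cover the existing `if (ret) goto err_file;` after registration. A short comment above the moved block, such as `/* copy the response last: the err_file release path needs event_handler initialized */`, would record why the order matters, and a blank line after the closing `}` would match the surrounding spacing.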