diff options
| author | Sean Hefty <mshefty@ichips.intel.com> | 2006-05-12 17:57:52 -0400 |
|---|---|---|
| committer | Roland Dreier <rolandd@cisco.com> | 2006-05-12 17:57:52 -0400 |
| commit | 1b52fa98edd1c3e663ea4a06519e3d20976084a8 (patch) | |
| tree | 178d5fd1fe2230b39f49cd36f481024e49878eb1 /drivers/infiniband/core/ucm.c | |
| parent | 6f4bb3d8205d943acafa2f536f37131777524b67 (diff) | |
IB: refcount race fixes
Fix race condition during destruction calls to avoid possibility of
accessing object after it has been freed. Instead of waking up a wait
queue directly, which is susceptible to a race where the object is
freed between the reference count going to 0 and the wake_up(), use a
completion to wait in the function doing the freeing.
Signed-off-by: Sean Hefty <sean.hefty@intel.com>
Signed-off-by: Roland Dreier <rolandd@cisco.com>
Diffstat (limited to 'drivers/infiniband/core/ucm.c')
| -rw-r--r-- | drivers/infiniband/core/ucm.c | 12 |
1 files changed, 7 insertions, 5 deletions
diff --git a/drivers/infiniband/core/ucm.c b/drivers/infiniband/core/ucm.c index f6a05965a4e..9164a09b6cc 100644 --- a/drivers/infiniband/core/ucm.c +++ b/drivers/infiniband/core/ucm.c | |||
| @@ -32,6 +32,8 @@ | |||
| 32 | * | 32 | * |
| 33 | * $Id: ucm.c 2594 2005-06-13 19:46:02Z libor $ | 33 | * $Id: ucm.c 2594 2005-06-13 19:46:02Z libor $ |
| 34 | */ | 34 | */ |
| 35 | |||
| 36 | #include <linux/completion.h> | ||
| 35 | #include <linux/init.h> | 37 | #include <linux/init.h> |
| 36 | #include <linux/fs.h> | 38 | #include <linux/fs.h> |
| 37 | #include <linux/module.h> | 39 | #include <linux/module.h> |
| @@ -72,7 +74,7 @@ struct ib_ucm_file { | |||
| 72 | 74 | ||
| 73 | struct ib_ucm_context { | 75 | struct ib_ucm_context { |
| 74 | int id; | 76 | int id; |
| 75 | wait_queue_head_t wait; | 77 | struct completion comp; |
| 76 | atomic_t ref; | 78 | atomic_t ref; |
| 77 | int events_reported; | 79 | int events_reported; |
| 78 | 80 | ||
| @@ -138,7 +140,7 @@ static struct ib_ucm_context *ib_ucm_ctx_get(struct ib_ucm_file *file, int id) | |||
| 138 | static void ib_ucm_ctx_put(struct ib_ucm_context *ctx) | 140 | static void ib_ucm_ctx_put(struct ib_ucm_context *ctx) |
| 139 | { | 141 | { |
| 140 | if (atomic_dec_and_test(&ctx->ref)) | 142 | if (atomic_dec_and_test(&ctx->ref)) |
| 141 | wake_up(&ctx->wait); | 143 | complete(&ctx->comp); |
| 142 | } | 144 | } |
| 143 | 145 | ||
| 144 | static inline int ib_ucm_new_cm_id(int event) | 146 | static inline int ib_ucm_new_cm_id(int event) |
| @@ -178,7 +180,7 @@ static struct ib_ucm_context *ib_ucm_ctx_alloc(struct ib_ucm_file *file) | |||
| 178 | return NULL; | 180 | return NULL; |
| 179 | 181 | ||
| 180 | atomic_set(&ctx->ref, 1); | 182 | atomic_set(&ctx->ref, 1); |
| 181 | init_waitqueue_head(&ctx->wait); | 183 | init_completion(&ctx->comp); |
| 182 | ctx->file = file; | 184 | ctx->file = file; |
| 183 | INIT_LIST_HEAD(&ctx->events); | 185 | INIT_LIST_HEAD(&ctx->events); |
| 184 | 186 | ||
| @@ -586,8 +588,8 @@ static ssize_t ib_ucm_destroy_id(struct ib_ucm_file *file, | |||
| 586 | if (IS_ERR(ctx)) | 588 | if (IS_ERR(ctx)) |
| 587 | return PTR_ERR(ctx); | 589 | return PTR_ERR(ctx); |
| 588 | 590 | ||
| 589 | atomic_dec(&ctx->ref); | 591 | ib_ucm_ctx_put(ctx); |
| 590 | wait_event(ctx->wait, !atomic_read(&ctx->ref)); | 592 | wait_for_completion(&ctx->comp); |
| 591 | 593 | ||
| 592 | /* No new events will be generated after destroying the cm_id. */ | 594 | /* No new events will be generated after destroying the cm_id. */ |
| 593 | ib_destroy_cm_id(ctx->cm_id); | 595 | ib_destroy_cm_id(ctx->cm_id); |