git.baikalelectronics.ru Git - kernel.git/commit

author	Jack Morgenstein <jackm@dev.mellanox.co.il>
	Tue, 23 Sep 2014 09:38:26 +0000 (12:38 +0300)
committer	Roland Dreier <roland@purestorage.com>
	Tue, 14 Oct 2014 07:30:56 +0000 (00:30 -0700)
commit	511ccd3753bf71e7a725fd285cfccd043e385a82
tree	df2e9a410250723d03cf8f68160abb5503f8b3c8	tree \| snapshot
parent	2011dce9322c423a7c4b6abbb7413d5ed6031609	commit \| diff

IB/core: Fix XRC race condition in ib_uverbs_open_qp

In ib_uverbs_open_qp, the sharable xrc target qp is created as a
"pseudo" qp and added to a list of qp's sharing the same physical
QP.  This is done before the "pseudo" qp is assigned a uobject.

There is a race condition here if an async event arrives at the
physical qp.  If the event is handled after the pseudo qp is added to
the list, but before it is assigned a uobject, the kernel crashes in
ib_uverbs_qp_event_handler, due to trying to dereference a NULL
uobject pointer.

Note that simply checking for non-NULL is not enough, due to error
flows in ib_uverbs_open_qp.  If the failure is after assigning the
uobject, but before the qp has fully been created, we still have a
problem.

Thus, in ib_uverbs_qp_event_handler, we test that the uobject is
present, and also that it is live.

Reported-by: Matthew Finlay <matt@mellanox.com>
Signed-off-by: Jack Morgenstein <jackm@dev.mellanox.co.il>
Signed-off-by: Or Gerlitz <ogerlitz@mellanox.com>
Signed-off-by: Roland Dreier <roland@purestorage.com>