summaryrefslogtreecommitdiff
path: root/drivers/infiniband/core/ucm.c
diff options
context:
space:
mode:
authorSean Hefty <mshefty@ichips.intel.com>2006-05-12 14:57:52 -0700
committerRoland Dreier <rolandd@cisco.com>2006-05-12 14:57:52 -0700
commit1b52fa98edd1c3e663ea4a06519e3d20976084a8 (patch)
tree178d5fd1fe2230b39f49cd36f481024e49878eb1 /drivers/infiniband/core/ucm.c
parent6f4bb3d8205d943acafa2f536f37131777524b67 (diff)
downloadlwn-1b52fa98edd1c3e663ea4a06519e3d20976084a8.tar.gz
lwn-1b52fa98edd1c3e663ea4a06519e3d20976084a8.zip
IB: refcount race fixes
Fix race condition during destruction calls to avoid possibility of accessing object after it has been freed. Instead of waking up a wait queue directly, which is susceptible to a race where the object is freed between the reference count going to 0 and the wake_up(), use a completion to wait in the function doing the freeing. Signed-off-by: Sean Hefty <sean.hefty@intel.com> Signed-off-by: Roland Dreier <rolandd@cisco.com>
Diffstat (limited to 'drivers/infiniband/core/ucm.c')
-rw-r--r--drivers/infiniband/core/ucm.c12
1 files changed, 7 insertions, 5 deletions
diff --git a/drivers/infiniband/core/ucm.c b/drivers/infiniband/core/ucm.c
index f6a05965a4e8..9164a09b6ccd 100644
--- a/drivers/infiniband/core/ucm.c
+++ b/drivers/infiniband/core/ucm.c
@@ -32,6 +32,8 @@
*
* $Id: ucm.c 2594 2005-06-13 19:46:02Z libor $
*/
+
+#include <linux/completion.h>
#include <linux/init.h>
#include <linux/fs.h>
#include <linux/module.h>
@@ -72,7 +74,7 @@ struct ib_ucm_file {
struct ib_ucm_context {
int id;
- wait_queue_head_t wait;
+ struct completion comp;
atomic_t ref;
int events_reported;
@@ -138,7 +140,7 @@ static struct ib_ucm_context *ib_ucm_ctx_get(struct ib_ucm_file *file, int id)
static void ib_ucm_ctx_put(struct ib_ucm_context *ctx)
{
if (atomic_dec_and_test(&ctx->ref))
- wake_up(&ctx->wait);
+ complete(&ctx->comp);
}
static inline int ib_ucm_new_cm_id(int event)
@@ -178,7 +180,7 @@ static struct ib_ucm_context *ib_ucm_ctx_alloc(struct ib_ucm_file *file)
return NULL;
atomic_set(&ctx->ref, 1);
- init_waitqueue_head(&ctx->wait);
+ init_completion(&ctx->comp);
ctx->file = file;
INIT_LIST_HEAD(&ctx->events);
@@ -586,8 +588,8 @@ static ssize_t ib_ucm_destroy_id(struct ib_ucm_file *file,
if (IS_ERR(ctx))
return PTR_ERR(ctx);
- atomic_dec(&ctx->ref);
- wait_event(ctx->wait, !atomic_read(&ctx->ref));
+ ib_ucm_ctx_put(ctx);
+ wait_for_completion(&ctx->comp);
/* No new events will be generated after destroying the cm_id. */
ib_destroy_cm_id(ctx->cm_id);