Date:      Tue, 15 Sep 2015 23:56:31 +0000 (UTC)
From:      Mark Johnston <markj@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r287837 - head/sys/ofed/drivers/infiniband/core
Message-ID:  <201509152356.t8FNuVqA064569@repo.freebsd.org>

Author: markj
Date: Tue Sep 15 23:56:31 2015
New Revision: 287837
URL: https://svnweb.freebsd.org/changeset/base/287837

Log:
  Ensure that the MAD agent's delayed taskqueue is completely stopped
  before proceeding. Otherwise, nothing prevents it from running after the
  MAD agent struct has been freed, and this results in a use-after-free
  when the task's ta_pending count is incremented in the callout handler.
  
  MFC after:	2 weeks
  Sponsored by:	EMC / Isilon Storage Division

Modified:
  head/sys/ofed/drivers/infiniband/core/mad.c

Modified: head/sys/ofed/drivers/infiniband/core/mad.c
==============================================================================
--- head/sys/ofed/drivers/infiniband/core/mad.c	Tue Sep 15 23:44:19 2015	(r287836)
+++ head/sys/ofed/drivers/infiniband/core/mad.c	Tue Sep 15 23:56:31 2015	(r287837)
@@ -1053,7 +1053,7 @@ static void unregister_mad_agent(struct 
 	 */
 	cancel_mads(mad_agent_priv);
 	port_priv = mad_agent_priv->qp_info->port_priv;
-	cancel_delayed_work(&mad_agent_priv->timed_work);
+	cancel_delayed_work_sync(&mad_agent_priv->timed_work);
 
 	spin_lock_irqsave(&port_priv->reg_lock, flags);
 	remove_mad_reg_req(mad_agent_priv);
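Review bot: the new cancel_delayed_work_sync(&mad_agent_priv->timed_work) call can wait for a running handler, so it has to stay ahead of spin_lock_irqsave(&port_priv->reg_lock, flags) as it does here; a one-line comment above the call saying it must not be moved under reg_lock would guard against a later reorder. The fix also depends on nothing re-arming timed_work after this line. cancel_mads(mad_agent_priv) runs just before it, but the hunk does not show whether any path between here and the free can queue the work again, so it is worth confirming that (or stating it in the existing comment block) before the MFC.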


