From owner-svn-src-head@freebsd.org Tue Sep 15 23:56:32 2015 Return-Path: Delivered-To: svn-src-head@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 0B7D29C2D48; Tue, 15 Sep 2015 23:56:32 +0000 (UTC) (envelope-from markj@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id F08651D2B; Tue, 15 Sep 2015 23:56:31 +0000 (UTC) (envelope-from markj@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.70]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id t8FNuVl0064570; Tue, 15 Sep 2015 23:56:31 GMT (envelope-from markj@FreeBSD.org) Received: (from markj@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id t8FNuVqA064569; Tue, 15 Sep 2015 23:56:31 GMT (envelope-from markj@FreeBSD.org) Message-Id: <201509152356.t8FNuVqA064569@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: markj set sender to markj@FreeBSD.org using -f From: Mark Johnston Date: Tue, 15 Sep 2015 23:56:31 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r287837 - head/sys/ofed/drivers/infiniband/core X-SVN-Group: head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-head@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: SVN commit messages for the src tree for head/-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 15 Sep 2015 23:56:32 -0000 Author: markj Date: Tue Sep 15 23:56:31 2015 New Revision: 287837 URL: https://svnweb.freebsd.org/changeset/base/287837 Log: Ensure that the MAD agent's delayed taskqueue is completely stopped before proceeding. Otherwise, nothing prevents it from running after the MAD agent struct has been been freed, and this results in a use-after-free when the task's ta_pending count is incremented in the callout handler. MFC after: 2 weeks Sponsored by: EMC / Isilon Storage Division Modified: head/sys/ofed/drivers/infiniband/core/mad.c Modified: head/sys/ofed/drivers/infiniband/core/mad.c ============================================================================== --- head/sys/ofed/drivers/infiniband/core/mad.c Tue Sep 15 23:44:19 2015 (r287836) +++ head/sys/ofed/drivers/infiniband/core/mad.c Tue Sep 15 23:56:31 2015 (r287837) @@ -1053,7 +1053,7 @@ static void unregister_mad_agent(struct */ cancel_mads(mad_agent_priv); port_priv = mad_agent_priv->qp_info->port_priv; - cancel_delayed_work(&mad_agent_priv->timed_work); + cancel_delayed_work_sync(&mad_agent_priv->timed_work); spin_lock_irqsave(&port_priv->reg_lock, flags); remove_mad_reg_req(mad_agent_priv);