Author: markj
Date: Tue Sep 15 23:56:31 2015
New Revision: 287837
URL: https://svnweb.freebsd.org/changeset/base/287837

Log:
  Ensure that the MAD agent's delayed taskqueue is completely stopped
  before proceeding. Otherwise, nothing prevents it from running after the
  MAD agent struct has been freed, and this results in a use-after-free
  when the task's ta_pending count is incremented in the callout handler.
  
  MFC after:    2 weeks
  Sponsored by: EMC / Isilon Storage Division

Modified:
  head/sys/ofed/drivers/infiniband/core/mad.c

Modified: head/sys/ofed/drivers/infiniband/core/mad.c
==============================================================================
--- head/sys/ofed/drivers/infiniband/core/mad.c Tue Sep 15 23:44:19 2015        
(r287836)
+++ head/sys/ofed/drivers/infiniband/core/mad.c Tue Sep 15 23:56:31 2015        
(r287837)
@@ -1053,7 +1053,7 @@ static void unregister_mad_agent(struct 
         */
        cancel_mads(mad_agent_priv);
        port_priv = mad_agent_priv->qp_info->port_priv;
-       cancel_delayed_work(&mad_agent_priv->timed_work);
+       cancel_delayed_work_sync(&mad_agent_priv->timed_work);
 
        spin_lock_irqsave(&port_priv->reg_lock, flags);
        remove_mad_reg_req(mad_agent_priv);
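Review bot: The new cancel_delayed_work_sync(&mad_agent_priv->timed_work) call waits for a running handler, so its placement ahead of spin_lock_irqsave(&port_priv->reg_lock, flags) matters and deserves a one-line comment so that a later reshuffle does not move it under the spinlock. The hunk also does not show whether anything can queue timed_work again after this point. Please confirm that cancel_mads(mad_agent_priv) leaves no path that re-arms it before the struct is freed, and that the handler takes no lock held by the caller here, since either case would reintroduce the use-after-free or turn the wait into a deadlock.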