svn commit: r287837 - head/sys/ofed/drivers/infiniband/core
Mark Johnston
markj at FreeBSD.org
Tue Sep 15 23:56:32 UTC 2015
Author: markj
Date: Tue Sep 15 23:56:31 2015
New Revision: 287837
URL: https://svnweb.freebsd.org/changeset/base/287837
Log:
Ensure that the MAD agent's delayed taskqueue is completely stopped
before proceeding. Otherwise, nothing prevents it from running after the
MAD agent struct has been been freed, and this results in a use-after-free
when the task's ta_pending count is incremented in the callout handler.
MFC after: 2 weeks
Sponsored by: EMC / Isilon Storage Division
Modified:
head/sys/ofed/drivers/infiniband/core/mad.c
Modified: head/sys/ofed/drivers/infiniband/core/mad.c
==============================================================================
--- head/sys/ofed/drivers/infiniband/core/mad.c Tue Sep 15 23:44:19 2015 (r287836)
+++ head/sys/ofed/drivers/infiniband/core/mad.c Tue Sep 15 23:56:31 2015 (r287837)
@@ -1053,7 +1053,7 @@ static void unregister_mad_agent(struct
*/
cancel_mads(mad_agent_priv);
port_priv = mad_agent_priv->qp_info->port_priv;
- cancel_delayed_work(&mad_agent_priv->timed_work);
+ cancel_delayed_work_sync(&mad_agent_priv->timed_work);
spin_lock_irqsave(&port_priv->reg_lock, flags);
remove_mad_reg_req(mad_agent_priv);
More information about the svn-src-head
mailing list