Date: Tue, 15 Sep 2015 23:56:31 +0000 (UTC)
From: Mark Johnston <markj@FreeBSD.org>
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: svn commit: r287837 - head/sys/ofed/drivers/infiniband/core
Message-ID: <201509152356.t8FNuVqA064569@repo.freebsd.org>
Author: markj Date: Tue Sep 15 23:56:31 2015 New Revision: 287837 URL: https://svnweb.freebsd.org/changeset/base/287837 Log: Ensure that the MAD agent's delayed taskqueue is completely stopped before proceeding. Otherwise, nothing prevents it from running after the MAD agent struct has been freed, and this results in a use-after-free when the task's ta_pending count is incremented in the callout handler. MFC after: 2 weeks Sponsored by: EMC / Isilon Storage Division Modified: head/sys/ofed/drivers/infiniband/core/mad.c Modified: head/sys/ofed/drivers/infiniband/core/mad.c ============================================================================== --- head/sys/ofed/drivers/infiniband/core/mad.c Tue Sep 15 23:44:19 2015 (r287836) +++ head/sys/ofed/drivers/infiniband/core/mad.c Tue Sep 15 23:56:31 2015 (r287837) @@ -1053,7 +1053,7 @@ static void unregister_mad_agent(struct */ cancel_mads(mad_agent_priv); port_priv = mad_agent_priv->qp_info->port_priv; - cancel_delayed_work(&mad_agent_priv->timed_work); + cancel_delayed_work_sync(&mad_agent_priv->timed_work); spin_lock_irqsave(&port_priv->reg_lock, flags); remove_mad_reg_req(mad_agent_priv);
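Review bot: The cancel_delayed_work_sync() call in unregister_mad_agent() has no comment saying why the synchronous variant is required, so a later cleanup could revert it to cancel_delayed_work() and reintroduce the use-after-free described in the log. Consider a short comment above the call noting that timed_work must be fully drained because the agent struct is freed afterwards. Two things are worth confirming, since the hunk does not show them: that nothing can re-arm timed_work after this point (cancel_mads() runs just before it, but a later requeue would defeat the drain), and that the sync variant, which may wait for a running handler, is never reached with a lock held that the handler also takes. Its placement before spin_lock_irqsave(&port_priv->reg_lock, flags) is right for a call that can wait.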