From: Hal Rosenstock Fixes an issue processing a sent MAD after it has timed out or been canceled. The race occurs when a response MAD matches with the send request. The request could time out or be canceled after the response MAD matches with the request, but before the request completion can be processed. Signed-off-by: Sean Hefty Signed-off-by: Hal Rosenstock Cc: Roland Dreier Signed-off-by: Andrew Morton --- drivers/infiniband/core/mad.c | 14 ++++++++++++-- drivers/infiniband/core/mad_priv.h | 1 + 2 files changed, 13 insertions(+), 2 deletions(-) diff -puN drivers/infiniband/core/mad.c~ib-fix-timeout-cancelled-mad-handling drivers/infiniband/core/mad.c --- 25/drivers/infiniband/core/mad.c~ib-fix-timeout-cancelled-mad-handling Mon Jul 11 17:06:25 2005 +++ 25-akpm/drivers/infiniband/core/mad.c Mon Jul 11 17:06:25 2005 @@ -341,6 +341,7 @@ struct ib_mad_agent *ib_register_mad_age spin_lock_init(&mad_agent_priv->lock); INIT_LIST_HEAD(&mad_agent_priv->send_list); INIT_LIST_HEAD(&mad_agent_priv->wait_list); + INIT_LIST_HEAD(&mad_agent_priv->done_list); INIT_WORK(&mad_agent_priv->timed_work, timeout_sends, mad_agent_priv); INIT_LIST_HEAD(&mad_agent_priv->local_list); INIT_WORK(&mad_agent_priv->local_work, local_completions, @@ -1559,6 +1560,16 @@ find_send_req(struct ib_mad_agent_privat return NULL; } +static void ib_mark_req_done(struct ib_mad_send_wr_private *mad_send_wr) +{ + mad_send_wr->timeout = 0; + if (mad_send_wr->refcount == 1) { + list_del(&mad_send_wr->agent_list); + list_add_tail(&mad_send_wr->agent_list, + &mad_send_wr->mad_agent_priv->done_list); + } +} + static void ib_mad_complete_recv(struct ib_mad_agent_private *mad_agent_priv, struct ib_mad_recv_wc *mad_recv_wc) { @@ -1580,8 +1591,7 @@ static void ib_mad_complete_recv(struct wake_up(&mad_agent_priv->wait); return; } - /* Timeout = 0 means that we won't wait for a response */ - mad_send_wr->timeout = 0; + ib_mark_req_done(mad_send_wr); spin_unlock_irqrestore(&mad_agent_priv->lock, flags); /* Defined behavior is to complete response before request */ diff -puN drivers/infiniband/core/mad_priv.h~ib-fix-timeout-cancelled-mad-handling drivers/infiniband/core/mad_priv.h --- 25/drivers/infiniband/core/mad_priv.h~ib-fix-timeout-cancelled-mad-handling Mon Jul 11 17:06:25 2005 +++ 25-akpm/drivers/infiniband/core/mad_priv.h Mon Jul 11 17:06:25 2005 @@ -92,6 +92,7 @@ struct ib_mad_agent_private { spinlock_t lock; struct list_head send_list; struct list_head wait_list; + struct list_head done_list; struct work_struct timed_work; unsigned long timeout; struct list_head local_list; _