From e413a823f60b582af471f0079eb99f50d34b0da7 Mon Sep 17 00:00:00 2001
From: Steve Wise <swise@opengridcomputing.com>
Date: Tue, 23 Apr 2013 16:17:14 +0000
Subject: RDMA/iwcm: Don't touch cmid after dropping reference

The function cm_work_handler() cannot touch the cm_id after it derefs
it, because it might be freed on another concurrent thread.  If there
are more work items queued for this cm_id, then we know there must be
more references because they are added when the work items are queued.
So in the while loop inside cm_work_handler(), after derefing, if the
queue is empty, then exit the function.  Otherwise we know it's safe
to re-acquire the lock.

Signed-off-by: Steve Wise <swise@opengridcomputing.com>
Signed-off-by: Roland Dreier <roland@purestorage.com>
---
 drivers/infiniband/core/iwcm.c | 2 ++
 1 file changed, 2 insertions(+)

(limited to 'drivers/infiniband')

diff --git a/drivers/infiniband/core/iwcm.c b/drivers/infiniband/core/iwcm.c
index 0bb99bb3880..c47c2034ca7 100644
--- a/drivers/infiniband/core/iwcm.c
+++ b/drivers/infiniband/core/iwcm.c
@@ -878,6 +878,8 @@ static void cm_work_handler(struct work_struct *_work)
 			}
 			return;
 		}
+		if (empty)
+			return;
 		spin_lock_irqsave(&cm_id_priv->lock, flags);
 	}
 	spin_unlock_irqrestore(&cm_id_priv->lock, flags);
-- 
cgit v1.2.3