ibal: sync QP destruction and device close

Make QP destruction synchronous to ensure that no callbacks are
in progress for a QP after dapl has destroyed it.  This fixes a
use after free error accessing the dapl ep structure from a qp
callback that results in an application crash.

Signed-off-by: Sean Hefty <sean.hefty@intel.com>

diff --git a/dapl/ibal/dapl_ibal_qp.c b/dapl/ibal/dapl_ibal_qp.c
index f52f5daf62609327db4d56a65510e89470a852dd..e843829dad2ba42689b22df9acc89a57f72d0b35 100644 (file)
--- a/dapl/ibal/dapl_ibal_qp.c
+++ b/dapl/ibal/dapl_ibal_qp.c
@@ -318,23 +318,21 @@ dapls_ib_qp_free (
         IN  DAPL_EP                *ep_ptr )
 {
 
-       ib_qp_handle_t          qp_handle;
        UNREFERENCED_PARAMETER(ia_ptr);
 
        dapl_dbg_log (DAPL_DBG_TYPE_EP, "--> DsQF: free %p, state %s\n", 
                       ep_ptr->qp_handle,
                       ib_get_port_state_str(ep_ptr->qp_state));
 
-       if (( ep_ptr->qp_handle != IB_INVALID_HANDLE ) &&
-           ( ep_ptr->qp_state != DAPL_QP_STATE_UNATTACHED ))
+       dapl_os_lock(&ep_ptr->header.lock);
+       if (( ep_ptr->qp_handle != IB_INVALID_HANDLE ))
        {
-               qp_handle = ep_ptr->qp_handle;
-               ep_ptr->qp_handle = IB_INVALID_HANDLE;
-               ep_ptr->qp_state = DAPL_QP_STATE_UNATTACHED;
-               ib_destroy_qp ( qp_handle, NULL /* callback */);
+               ib_destroy_qp ( ep_ptr->qp_handle, ib_sync_destroy );
                dapl_dbg_log (DAPL_DBG_TYPE_EP, "--> DsQF: freed QP %p\n",
-                               qp_handle ); 
+                               ep_ptr->qp_handle ); 
+               ep_ptr->qp_handle = IB_INVALID_HANDLE;
        }
+       dapl_os_unlock(&ep_ptr->header.lock);
 
     return DAT_SUCCESS;
 }

diff --git a/dapl/ibal/dapl_ibal_util.c b/dapl/ibal/dapl_ibal_util.c
index 7f9b819cc1dd0c96d2e7c490de731299111b3fdf..0852df2b507d068dd2637061ebef78e61c375310 100644 (file)
--- a/dapl/ibal/dapl_ibal_util.c
+++ b/dapl/ibal/dapl_ibal_util.c
@@ -913,14 +913,14 @@ DAT_RETURN dapls_ib_close_hca ( IN  DAPL_HCA  *p_hca )
      */
     REMOVE_REFERENCE (&p_ca->refs);
 
+    (void) ib_close_ca (p_ca->h_ca, ib_sync_destroy);
+
     cl_spinlock_destroy (&p_ca->port_lock);
     cl_spinlock_destroy (&p_ca->evd_cb_lock);
 
     if (p_ca->p_ca_attr)
         dapl_os_free (p_ca->p_ca_attr, sizeof (ib_ca_attr_t));
 
-    (void) ib_close_ca (p_ca->h_ca, NULL /* close_callback */);
-
     p_hca->ib_hca_handle = IB_INVALID_HANDLE;
     dapl_os_free (p_ca, sizeof (dapl_ibal_ca_t));