dapl/ibal: wait for qp destroy callback before freeing ep

Make QP destruction 'synchronous' to ensure that no callbacks are
in progress for a QP after dapl has destroyed it.  This fixes a
use after free error accessing the dapl ep structure from a qp
callback that results in an application crash.

Signed-off-by: Sean Hefty <sean.hefty@intel.com>

diff --git a/trunk/ulp/dapl2/dapl/ibal/dapl_ibal_qp.c b/trunk/ulp/dapl2/dapl/ibal/dapl_ibal_qp.c
index f52f5daf62609327db4d56a65510e89470a852dd..3a693ef215dcab584aea968ab904556bd3ae7eb6 100644 (file)
--- a/trunk/ulp/dapl2/dapl/ibal/dapl_ibal_qp.c
+++ b/trunk/ulp/dapl2/dapl/ibal/dapl_ibal_qp.c
@@ -325,16 +325,18 @@ dapls_ib_qp_free (
                       ep_ptr->qp_handle,
                       ib_get_port_state_str(ep_ptr->qp_state));
 
+       dapl_os_lock(&ep_ptr->header.lock);
        if (( ep_ptr->qp_handle != IB_INVALID_HANDLE ) &&
            ( ep_ptr->qp_state != DAPL_QP_STATE_UNATTACHED ))
        {
                qp_handle = ep_ptr->qp_handle;
                ep_ptr->qp_handle = IB_INVALID_HANDLE;
                ep_ptr->qp_state = DAPL_QP_STATE_UNATTACHED;
-               ib_destroy_qp ( qp_handle, NULL /* callback */);
+               ib_destroy_qp ( qp_handle, ib_sync_destroy );
                dapl_dbg_log (DAPL_DBG_TYPE_EP, "--> DsQF: freed QP %p\n",
                                qp_handle ); 
        }
+       dapl_os_unlock(&ep_ptr->header.lock);
 
     return DAT_SUCCESS;
 }