From 9f12103789bbddb128cd089639a49f6326c5a7e4 Mon Sep 17 00:00:00 2001
From: Sean Hefty
Date: Thu, 9 Sep 2010 10:41:28 -0700
Subject: [PATCH] dapl/ibal: wait for qp destroy callback before freeing ep

Make QP destruction 'synchronous' to ensure that no callbacks are in progress for a QP after dapl has destroyed it. This fixes a use after free error accessing the dapl ep structure from a qp callback that results in an application crash.
Signed-off-by: Sean Hefty
---
 trunk/ulp/dapl2/dapl/ibal/dapl_ibal_qp.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/trunk/ulp/dapl2/dapl/ibal/dapl_ibal_qp.c b/trunk/ulp/dapl2/dapl/ibal/dapl_ibal_qp.c
index f52f5daf..3a693ef2 100644
--- a/trunk/ulp/dapl2/dapl/ibal/dapl_ibal_qp.c
+++ b/trunk/ulp/dapl2/dapl/ibal/dapl_ibal_qp.c
@@ -325,16 +325,18 @@ dapls_ib_qp_free (
 ep_ptr->qp_handle, ib_get_port_state_str(ep_ptr->qp_state));
+ dapl_os_lock(&ep_ptr->header.lock);
 if (( ep_ptr->qp_handle != IB_INVALID_HANDLE ) &&
 ( ep_ptr->qp_state != DAPL_QP_STATE_UNATTACHED ))
 {
 qp_handle = ep_ptr->qp_handle;
 ep_ptr->qp_handle = IB_INVALID_HANDLE;
 ep_ptr->qp_state = DAPL_QP_STATE_UNATTACHED;
- ib_destroy_qp ( qp_handle, NULL /* callback */);
+ ib_destroy_qp ( qp_handle, ib_sync_destroy );
 dapl_dbg_log (DAPL_DBG_TYPE_EP, "--> DsQF: freed QP %p\n", qp_handle );
 }
+ dapl_os_unlock(&ep_ptr->header.lock);
 return DAT_SUCCESS;
 }
-- 
2.46.0
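Review bot: `ib_destroy_qp ( qp_handle, ib_sync_destroy )` is now invoked while `ep_ptr->header.lock` is held; if the synchronous destroy blocks until in-flight QP callbacks have returned, as the commit message implies, any QP callback that itself acquires `header.lock` before touching the ep would deadlock against this path, so it is worth confirming no callback takes that lock, or otherwise releasing the lock before the destroy and re-acquiring it afterwards. The status returned by `ib_destroy_qp` is also still ignored even though `qp_handle` has already been cleared from the ep and the following `dapl_dbg_log` unconditionally reports the QP as freed; capturing it as `ib_api_status_t status = ib_destroy_qp ( qp_handle, ib_sync_destroy );` and logging a non-success status would keep the trace honest and make a leaked QP visible. A one-line comment above the call, `/* synchronous destroy: no QP callback may still reference ep_ptr once this returns */`, would record why the callback argument changed from NULL. The body of dapls_ib_qp_free begins before this hunk.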