git.etherboot.org - mirror/winof/.git/commit

winverbs: fix race in async connect handling

If an application calls Connect or Accept, their IRP is queued to a
work queue for asynchronous processing.  However, if the application
crashes or exits before the work queue can process the IRP, the cleanup
code will call WvEpFree().  This destroys the IbCmId.

When the work queue finally runs, it can access a freed IbCmId.
This is bad.  A similar race exists with the QP and the asynchronous
disconnect processing.  The disconnect processing can access a
the hVerbsQp handle after it has been destroyed.

Additionally, in all three cases, the IRPs assume that the WV provider
is able to process IRPs.  Specifically, they require that the index
tables maintained by the provider are still valid.  References must
be held on the WV provider until the IRPs finish their processing to
ensure this.

Fix invalid accesses to the IbCmId and hVerbsQp handles by locking
around their use after valid state checks.  In the case of the QP, we
add a guarded mutex for synchronization purposes and use that in place
where the PD mutex had been used.

Signed-off-by: Sean Hefty <sean.hefty@intel.com>
git-svn-id: svn://openib.tc.cornell.edu/gen1/trunk@2410 ad392aa1-c5ef-ae45-8dd8-e69d62a5ef86

author	shefty <shefty@ad392aa1-c5ef-ae45-8dd8-e69d62a5ef86>
	Wed, 2 Sep 2009 15:08:17 +0000 (15:08 +0000)
committer	shefty <shefty@ad392aa1-c5ef-ae45-8dd8-e69d62a5ef86>
	Wed, 2 Sep 2009 15:08:17 +0000 (15:08 +0000)
commit	62f78ebeefa4e85b8cb85cbb573fdf0bc1e95957
tree	4242cf2aea8fd92c92d41047d7d61d00d1618465	tree \| snapshot
parent	728ee457cc2d8a0b845fbe3752e45dfd576d5328	commit \| diff

core/winverbs/kernel/wv_ep.c		diff \| blob \| history
core/winverbs/kernel/wv_ep.h		diff \| blob \| history
core/winverbs/kernel/wv_qp.c		diff \| blob \| history
core/winverbs/kernel/wv_qp.h		diff \| blob \| history