From: Steve Wise
Date: Thu, 21 Nov 2013 21:40:14 +0000 (-0600)
Subject: RDMA/iwcm: Don't touch cm_id after deref in rem_ref
X-Git-Tag: v3.13-rc6~12^2^3
X-Git-Url: http://git.openpandora.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6b59ba609bb61e4fa2ecca7827f170ac07842d64;p=pandora-kernel.git

RDMA/iwcm: Don't touch cm_id after deref in rem_ref

rem_ref() calls iwcm_deref_id(), which will wake up any blockers on
cm_id_priv->destroy_comp if the refcnt hits 0. That will unblock
someone in iw_destroy_cm_id() which will free the cmid. If that
happens before rem_ref() calls test_bit(IWCM_F_CALLBACK_DESTROY,
&cm_id_priv->flags), then the test_bit() will touch freed memory.

The fix is to read the bit first, then deref. We should never be in
iw_destroy_cm_id() with IWCM_F_CALLBACK_DESTROY set, and there is a
BUG_ON() to make sure of that.

Signed-off-by: Steve Wise
Signed-off-by: Roland Dreier
---
Reading git-diff-tree failed
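
The ordering described in the commit message, as an added user-space model that is not the kernel's code or part of the original patch. `struct conn`, `deref()`, `rem_ref_before()`, `rem_ref_after()` and the poison value are hypothetical names and values; the "free" is simulated with a counter so the stale read is observable without undefined behaviour, and the model assumes the worst-case interleaving in which the woken destroyer frees the object before the flag is read.

```c
#include <stdbool.h>
/* Constructed user-space model; all names are hypothetical, not kernel code. */
#define F_CALLBACK_DESTROY 0x1u

struct conn {
    int refcnt;
    unsigned flags;
    bool destroyer_waiting; /* a thread is blocked in destroy, frees on wake */
    int frees;              /* how many times the object was "freed" */
};
int stale_reads;            /* flag reads made after the object was freed */

void model_free(struct conn *c)
{
    c->frees++;
    c->flags = 0xdeadbeefu; /* poison: freed memory may hold anything */
}

bool flag_set(const struct conn *c, unsigned f)
{
    if (c->frees > 0)
        stale_reads++;
    return (c->flags & f) != 0;
}

/* Drop a reference; at zero the woken destroyer frees before we return. */
bool deref(struct conn *c)
{
    if (--c->refcnt != 0)
        return false;
    if (c->destroyer_waiting)
        model_free(c);
    return true;
}

/* Before: the flag is read after the reference has been dropped. */
void rem_ref_before(struct conn *c)
{
    if (deref(c) && flag_set(c, F_CALLBACK_DESTROY))
        model_free(c);
}

/* After: snapshot the flag while our reference still pins the object. */
void rem_ref_after(struct conn *c)
{
    bool cb_destroy = flag_set(c, F_CALLBACK_DESTROY);
    if (deref(c) && cb_destroy)
        model_free(c);
}
```

With a destroyer waiting and the flag clear, `rem_ref_before()` records one stale read and, because the poisoned word happens to have the bit set, a second free; `rem_ref_after()` records neither.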