[IB] umad: avoid potential deadlock when unregistering MAD agents

ib_unregister_mad_agent() completes all pending MAD sends and waits for the agent's send_handler routine to return. umad's send_handler() calls queue_packet(), which does down_read() on the port mutex to look up the agent ID. This means that the port mutex cannot be held for writing while calling ib_unregister_mad_agent(), or else it will deadlock. This patch fixes all the calls to ib_unregister_mad_agent() in the umad module to avoid this deadlock. Signed-off-by: Roland Dreier <rolandd@cisco.com>

[IB] umad: avoid potential deadlock when unregistering MAD agents
ib_unregister_mad_agent() completes all pending MAD sends and waits for the agent's send_handler routine to return. umad's send_handler() calls queue_packet(), which does down_read() on the port mutex to look up the agent ID. This means that the port mutex cannot be held for writing while calling ib_unregister_mad_agent(), or else it will deadlock. This patch fixes all the calls to ib_unregister_mad_agent() in the umad module to avoid this deadlock. Signed-off-by: Roland Dreier <rolandd@cisco.com>
2f76e829 · Roland Dreier · 1732b0ef · 2f76e829
Commit 2f76e829 authored Nov 07, 2005 by Roland Dreier
Hide whitespace changes
Inline Side-by-side

Showing with 17 additions and 12 deletions

drivers/infiniband/core/user_mad.c drivers/infiniband/core/user_mad.c +17 -12

No files found.
--- a/drivers/infiniband/core/user_mad.c
+++ b/drivers/infiniband/core/user_mad.c
@@ -505,8 +505,6 @@ static int ib_umad_reg_agent(struct ib_umad_file *file, unsigned long arg)
 		goto out;
 	}
-	file->agent[agent_id] = agent;
 	file->mr[agent_id] = ib_get_dma_mr(agent->qp->pd, IB_ACCESS_LOCAL_WRITE);
 	if (IS_ERR(file->mr[agent_id])) {
 		ret = -ENOMEM;
@@ -519,14 +517,15 @@ static int ib_umad_reg_agent(struct ib_umad_file *file, unsigned long arg)
 		goto err_mr;
 	}
+	file->agent[agent_id] = agent;
 	ret = 0;
 	goto out;
 err_mr:
 	ib_dereg_mr(file->mr[agent_id]);
 err:
-	file->agent[agent_id] = NULL;
 	ib_unregister_mad_agent(agent);
 out:
@@ -536,27 +535,33 @@ static int ib_umad_reg_agent(struct ib_umad_file *file, unsigned long arg)
 static int ib_umad_unreg_agent(struct ib_umad_file *file, unsigned long arg)
 {
+	struct ib_mad_agent *agent = NULL;
+	struct ib_mr *mr = NULL;
 	u32 id;
 	int ret = 0;
-	down_write(&file->port->mutex);
+	if (get_user(id, (u32 __user *) arg))
+		return -EFAULT;
-	if (get_user(id, (u32 __user *) arg)) {
+	down_write(&file->port->mutex);
-		ret = -EFAULT;
-		goto out;
-	}
 	if (id < 0 || id >= IB_UMAD_MAX_AGENTS || !file->agent[id]) {
 		ret = -EINVAL;
 		goto out;
 	}
-	ib_dereg_mr(file->mr[id]);
+	agent = file->agent[id];
-	ib_unregister_mad_agent(file->agent[id]);
+	mr    = file->mr[id];
 	file->agent[id] = NULL;
 out:
 	up_write(&file->port->mutex);
+	if (agent) {
+		ib_unregister_mad_agent(agent);
+		ib_dereg_mr(mr);
+	}
 	return ret;
 }
@@ -623,16 +628,16 @@ static int ib_umad_close(struct inode *inode, struct file *filp)
 	struct ib_umad_packet *packet, *tmp;
 	int i;
-	down_write(&file->port->mutex);
 	for (i = 0; i < IB_UMAD_MAX_AGENTS; ++i)
 		if (file->agent[i]) {
-			ib_dereg_mr(file->mr[i]);
 			ib_unregister_mad_agent(file->agent[i]);
+			ib_dereg_mr(file->mr[i]);
 		}
 	list_for_each_entry_safe(packet, tmp, &file->recv_list, list)
 		kfree(packet);
+	down_write(&file->port->mutex);
 	list_del(&file->port_list);
 	up_write(&file->port->mutex);