Ensure that the MAD agent's delayed taskqueue is completely stopped

before proceeding. Otherwise, nothing prevents it from running after the MAD agent struct has been been freed, and this results in a use-after-free when the task's ta_pending count is incremented in the callout handler. MFC after: 2 weeks Sponsored by: EMC / Isilon Storage Division
author: markj <markj@FreeBSD.org> 2015-09-15 23:56:31 +0000
committer: markj <markj@FreeBSD.org> 2015-09-15 23:56:31 +0000
commit: 20a60726620cd0f57ec053a894faa2a82d9d2141 (patch)
tree: e526d9cebec1f09e09b9e34c3f3ca9cb8526235e /sys/ofed
parent: 6d88400de764fa2a7fad6a17904ad7dbdefc205e (diff)
download: FreeBSD-src-20a60726620cd0f57ec053a894faa2a82d9d2141.zip
FreeBSD-src-20a60726620cd0f57ec053a894faa2a82d9d2141.tar.gz
1 files changed, 1 insertions, 1 deletions
diff --git a/sys/ofed/drivers/infiniband/core/mad.c b/sys/ofed/drivers/infiniband/core/mad.c
index 3eedca1..a78dd3a 100644
--- a/sys/ofed/drivers/infiniband/core/mad.c
+++ b/sys/ofed/drivers/infiniband/core/mad.c
@@ -1053,7 +1053,7 @@ static void unregister_mad_agent(struct ib_mad_agent_private *mad_agent_priv)
 	 */
 	cancel_mads(mad_agent_priv);
 	port_priv = mad_agent_priv->qp_info->port_priv;
-	cancel_delayed_work(&mad_agent_priv->timed_work);
+	cancel_delayed_work_sync(&mad_agent_priv->timed_work);
 
 	spin_lock_irqsave(&port_priv->reg_lock, flags);
 	remove_mad_reg_req(mad_agent_priv);
author	markj <markj@FreeBSD.org>	2015-09-15 23:56:31 +0000
committer	markj <markj@FreeBSD.org>	2015-09-15 23:56:31 +0000
commit	20a60726620cd0f57ec053a894faa2a82d9d2141 (patch)
tree	e526d9cebec1f09e09b9e34c3f3ca9cb8526235e /sys/ofed
parent	6d88400de764fa2a7fad6a17904ad7dbdefc205e (diff)
download	FreeBSD-src-20a60726620cd0f57ec053a894faa2a82d9d2141.zip FreeBSD-src-20a60726620cd0f57ec053a894faa2a82d9d2141.tar.gz