On 08/06/2015 01:33 PM, Hefty, Sean wrote:
>> Something like this:
>>
>>     CPU A                        CPU B
>>  ========================   ================================
>>   ucma_destroy_id()
>>    wait_for_completion()
>>                               .. anything
>>                                 ucma_put_ctx()
>>                                   complete()
>>    .. continues ...
>>                               ucma_leave_multicast()
>>                                mutex_lock(mut)
>>                                  atomic_inc(ctx->ref)
>>                                mutex_unlock(mut)
>>    ucma_free_ctx()
>>     ucma_cleanup_multicast()
>>      mutex_lock(mut)
>>        kfree(mc)
>>                                rdma_leave_multicast(mc->ctx->cm_id,..
>>
>> Fix it by latching the ref at 0. Once it goes to 0 mc and ctx cannot
>> leave the mutex(mut) protection.
>>
>> The other atomic_inc in ucma_get_ctx is OK because mutex(mut) protects
>> it from racing with ucma_destroy_id.
>>
>> Signed-off-by: Jason Gunthorpe
>
> Acked-by: Sean Hefty

This has been picked up. Thanks.

-- 
Doug Ledford
              GPG KeyID: 0E572FDD
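
The idea of "latching the ref at 0" from the quoted commit message, as a user-space C11 sketch added here; it is not the kernel patch or code from this thread. `struct obj` and all function names are hypothetical, and the sketch replays the diagram's ordering on a single thread so the result is deterministic.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical stand-in for a refcounted context; not the kernel's structures. */
struct obj { atomic_int ref; };

/* Unlatched get: a count that already hit 0 (teardown started) goes back to 1. */
static int get_unlatched(struct obj *o)
{
    return atomic_fetch_add(&o->ref, 1) + 1;
}

/* Latched get: succeeds only while the count is non-zero, so 0 is final. */
static bool get_latched(struct obj *o)
{
    int old = atomic_load(&o->ref);
    while (old != 0) {
        /* On failure, old is refreshed with the current count and we retry. */
        if (atomic_compare_exchange_weak(&o->ref, &old, old + 1))
            return true;
    }
    return false;
}

/* Drop one reference; true means this put took the count to 0. */
static bool put(struct obj *o)
{
    return atomic_fetch_sub(&o->ref, 1) == 1;
}

/* Replay the ordering from the diagram: final put first, then a late get.
 * Returns the count seen after the late get. */
static int count_after_late_get(bool latched)
{
    struct obj o;
    atomic_init(&o.ref, 1);
    put(&o);                       /* the destroyer's wait would complete here */
    if (latched)
        get_latched(&o);           /* refused: the object is being freed */
    else
        get_unlatched(&o);         /* resurrects an object that is being freed */
    return atomic_load(&o.ref);
}

int main(void)
{
    printf("unlatched: %d, latched: %d\n",
           count_after_late_get(false), count_after_late_get(true));
    return 0;
}
```

A caller that gets `false` from the latched get must treat the object as gone and not dereference it.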