RDMA/ucma: Fix locking for ctx->events_reported

This value is locked under the file->mut, ensure it is held whenever
touching it.

The case in ucma_migrate_id() is a race, while in ucma_free_uctx() it is
already not possible for the write side to run, the movement is just for
clarity.

Fixes: 88314e4dda1e ("RDMA/cma: add support for rdma_migrate_id()")
Link: https://lore.kernel.org/r/20200818120526.702120-10-leon@kernel.org
Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>

diff --git a/drivers/infiniband/core/ucma.c b/drivers/infiniband/core/ucma.c
index f7ec712..ca5c44c 100644 (file)
--- a/drivers/infiniband/core/ucma.c
+++ b/drivers/infiniband/core/ucma.c
@@ -587,6 +587,7 @@ static int ucma_free_ctx(struct ucma_context *ctx)
                        list_move_tail(&uevent->list, &list);
        }
        list_del(&ctx->list);
+       events_reported = ctx->events_reported;
        mutex_unlock(&ctx->file->mut);
 
        list_for_each_entry_safe(uevent, tmp, &list, list) {
@@ -596,7 +597,6 @@ static int ucma_free_ctx(struct ucma_context *ctx)
                kfree(uevent);
        }
 
-       events_reported = ctx->events_reported;
        mutex_destroy(&ctx->mutex);
        kfree(ctx);
        return events_reported;
@@ -1697,7 +1697,9 @@ static ssize_t ucma_migrate_id(struct ucma_file *new_file,
        rdma_lock_handler(ctx->cm_id);
        cur_file = ctx->file;
        if (cur_file == new_file) {
+               mutex_lock(&cur_file->mut);
                resp.events_reported = ctx->events_reported;
+               mutex_unlock(&cur_file->mut);
                goto response;
        }