From: Jason Gunthorpe
Date: Tue, 18 Aug 2020 12:05:13 +0000 (+0300)
Subject: RDMA/ucma: Fix refcount 0 incr in ucma_get_ctx()
X-Git-Tag: v5.15~2640^2~159
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=ca2968c1efcbeb547906cf6211874ec881beafec;p=platform%2Fkernel%2Flinux-starfive.git

RDMA/ucma: Fix refcount 0 incr in ucma_get_ctx()

Both ucma_destroy_id() and ucma_close_id() (triggered from an event via a wq) can drive the refcount to zero. ucma_get_ctx() was wrongly assuming that the refcount can only go to zero from ucma_destroy_id() which also removes it from the xarray. Use refcount_inc_not_zero() instead.

Link: https://lore.kernel.org/r/20200818120526.702120-2-leon@kernel.org
Signed-off-by: Leon Romanovsky
Signed-off-by: Jason Gunthorpe
---
diff --git a/drivers/infiniband/core/ucma.c b/drivers/infiniband/core/ucma.c index d03daca..6251685 100644 --- a/drivers/infiniband/core/ucma.c +++ b/drivers/infiniband/core/ucma.c @@ -153,8 +153,8 @@ static struct ucma_context *ucma_get_ctx(struct ucma_file *file, int id) if (!IS_ERR(ctx)) { if (ctx->closing) ctx = ERR_PTR(-EIO); - else - refcount_inc(&ctx->ref); + else if (!refcount_inc_not_zero(&ctx->ref)) + ctx = ERR_PTR(-ENXIO); } xa_unlock(&ctx_table); return ctx;
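
Review bot: The new `else if (!refcount_inc_not_zero(&ctx->ref))` branch in ucma_get_ctx() carries no comment explaining how an entry that is still found under xa_lock can already have a zero refcount. That reasoning (ucma_close_id(), run from the workqueue, can drive the count to zero, and only ucma_destroy_id() also removes the entry from the xarray) lives only in the commit message, so a one-line comment above the branch would keep a later cleanup from reverting it to a plain refcount_inc(). The same branch returns -ENXIO while the adjacent `ctx->closing` check returns -EIO, and neither the hunk nor the message says why a caller should see two different errno values for a context that is on its way out; either document the distinction in that comment or return the same code from both paths.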