From a30bb96c6f5aca6513e4dbd94962da03d14b20a9 Mon Sep 17 00:00:00 2001
From: Eli Cohen <eli@mellanox.co.il>
Date: Wed, 5 Apr 2006 15:59:34 +0300
Subject: IPoIB: Close race in ipoib_flush_paths()

ib_sa_cancel_query() must be called with priv->lock held since
a completion might arrive and set path->query to NULL.

Signed-off-by: Eli Cohen <eli@mellanox.co.il>
Signed-off-by: Roland Dreier <rolandd@cisco.com>

diff --git a/drivers/infiniband/ulp/ipoib/ipoib_main.c b/drivers/infiniband/ulp/ipoib/ipoib_main.c
index 5bf7e26..996c6e1 100644
--- a/drivers/infiniband/ulp/ipoib/ipoib_main.c
+++ b/drivers/infiniband/ulp/ipoib/ipoib_main.c
@@ -346,14 +346,15 @@ void ipoib_flush_paths(struct net_device *dev)
 	list_for_each_entry(path, &remove_list, list)
 		rb_erase(&path->rb_node, &priv->path_tree);
 
-	spin_unlock_irqrestore(&priv->lock, flags);
-
 	list_for_each_entry_safe(path, tp, &remove_list, list) {
 		if (path->query)
 			ib_sa_cancel_query(path->query_id, path->query);
+		spin_unlock_irqrestore(&priv->lock, flags);
 		wait_for_completion(&path->done);
 		path_free(dev, path);
+		spin_lock_irqsave(&priv->lock, flags);
 	}
+	spin_unlock_irqrestore(&priv->lock, flags);
 }
 
 static void path_rec_completion(int status,
-- 
cgit v0.10.2