[openib-general] [PATCH] RDMA/iwcm: Bugs in cm_conn_req_handler()

Krishna Kumar krkumar2 at in.ibm.com
Thu Nov 16 20:31:23 PST 2006


cm_conn_req_handler() :
	1. Setting IWCM_F_CALLBACK_DESTROY on cm_id (child
	   handle), which doesn't achieve anything, since
	   checking IWCM_F_CALLBACK_DESTROY in the parent's
	   flag (in cm_work_handler) means that this will
	   never be true.
	2. Calling destroy_cm_id leaks 3 work 'free'
	   list entries.
	3. cm_id is freed up wrongly and not cm_id_priv
	   (though the effect is the same since cm_id is
	   the first element of cm_id_priv, but still a
	   bug if the top level cm_id changes).
	4. Reject message has to be sent on failure. Tested
	   this without the fix and found the client hangs,
	   waited for about 20 mins and then did Ctrl-C but
	   the process is unkillable.

All 4 cases above were tested by injecting an error in
iw_conn_req_handler() and they were confirmed. I added the
BUG_ON() to confirm the earlier check for refcount == 0.

Patch against 2.6.19-rc5.

Signed-off-by: Krishna Kumar <krkumar2 at in.ibm.com>
---
diff -ruNp org/drivers/infiniband/core/iwcm.c new/drivers/infiniband/core/iwcm.c
--- org/drivers/infiniband/core/iwcm.c	2006-10-09 16:40:04.000000000 +0530
+++ new/drivers/infiniband/core/iwcm.c	2006-10-09 16:52:03.000000000 +0530
@@ -648,10 +648,9 @@ static void cm_conn_req_handler(struct i
 	/* Call the client CM handler */
 	ret = cm_id->cm_handler(cm_id, iw_event);
 	if (ret) {
-		set_bit(IWCM_F_CALLBACK_DESTROY, &cm_id_priv->flags);
-		destroy_cm_id(cm_id);
-		if (atomic_read(&cm_id_priv->refcount)==0)
-			kfree(cm_id);
+		BUG_ON(atomic_read(&cm_id_priv->refcount) != 1);
+		iw_cm_reject(cm_id, NULL, 0);
+		iw_destroy_cm_id(cm_id);
 	}
 
 	if (iw_event->private_data_len)
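Review bot: the new BUG_ON(atomic_read(&cm_id_priv->refcount) != 1) sits on a path driven by an incoming connection request, so if the assumption ever fails (a refcount change elsewhere, a handler that takes or drops a reference) a remote peer can turn a handler error into a kernel panic rather than a rejected connection; a WARN_ON that still performs the reject and destroy is the safer shape for a network-facing path. Two smaller points in the same hunk: the return value of iw_cm_reject(cm_id, NULL, 0) is discarded, so a failed reject is silent, and since iw_destroy_cm_id(cm_id) frees the child the code that follows the if (ret) block must not touch cm_id or cm_id_priv again; the visible trailing line only uses iw_event, but the rest of the function should be checked for a late dereference.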

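To make the four points concrete, here is an added user-space model of the handler-failure branch. It is constructed for this page and is not iwcm.c: the structure layouts, the helper bodies and the count of three work entries are assumptions chosen to mirror the post, and the names are borrowed from the patch only for readability. The private structure deliberately does not place the public cm_id first, which is exactly the case in which the old kfree(cm_id) frees the wrong object.

```c
/* Constructed model of the cm_conn_req_handler() error path; not iwcm.c.
 * Layouts, helper bodies and NUM_WORK_ENTRIES are assumptions for the demo.
 * Build: cc -std=c99 -Wall model.c && ./a.out */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

#define container_of(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))
#define NUM_WORK_ENTRIES 3   /* assumed: the "3 work 'free' list entries" */

struct iw_cm_id;
typedef int (*cm_handler_t)(struct iw_cm_id *cm_id);
struct iw_cm_id { cm_handler_t cm_handler; };
struct iwcm_work { struct iwcm_work *next; };

struct iwcm_id_private {
    int refcount;                    /* atomic_t in the kernel */
    struct iwcm_work *work_free_list;
    struct iw_cm_id id;              /* deliberately NOT the first member */
};

struct outcome { int reject_sent; int work_leaked; int freed_wrong_pointer; };

static int live_work_entries;        /* model bookkeeping for leak detection */

static struct iwcm_id_private *alloc_child(cm_handler_t handler)
{
    struct iwcm_id_private *p = calloc(1, sizeof *p);
    int i;
    p->refcount = 1;
    p->id.cm_handler = handler;
    for (i = 0; i < NUM_WORK_ENTRIES; i++) {
        struct iwcm_work *w = malloc(sizeof *w);
        w->next = p->work_free_list;
        p->work_free_list = w;
        live_work_entries++;
    }
    return p;
}

static void free_work_entries(struct iwcm_id_private *p)
{
    while (p->work_free_list) {
        struct iwcm_work *w = p->work_free_list;
        p->work_free_list = w->next;
        free(w);
        live_work_entries--;
    }
}

/* Old path: drop the reference only; the work list is never released. */
static void destroy_cm_id(struct iwcm_id_private *p) { p->refcount--; }

/* New path: release the work list, then drop the last reference. */
static void iw_destroy_cm_id(struct iw_cm_id *cm_id)
{
    struct iwcm_id_private *p = container_of(cm_id, struct iwcm_id_private, id);
    free_work_entries(p);
    if (--p->refcount == 0)
        free(p);
}

/* Stand-in for a client cm_handler that returns an error. */
static int failing_handler(struct iw_cm_id *cm_id) { (void)cm_id; return -1; }

/* Runs the handler-failure branch the old way (fixed == 0) or the new way. */
struct outcome run_error_path(int fixed)
{
    struct outcome o = { 0, 0, 0 };
    struct iwcm_id_private *priv;
    struct iw_cm_id *cm_id;
    int ret;

    live_work_entries = 0;
    priv = alloc_child(failing_handler);
    cm_id = &priv->id;

    ret = cm_id->cm_handler(cm_id);
    if (ret && !fixed) {
        destroy_cm_id(priv);                 /* refcount 1 -> 0 */
        o.work_leaked = live_work_entries;   /* still 3: nobody freed them */
        if (priv->refcount == 0) {
            /* The old kfree(cm_id) frees the embedded member, not priv. */
            o.freed_wrong_pointer = ((void *)cm_id != (void *)priv);
            free_work_entries(priv);         /* model hygiene only */
            free(priv);
        }
    } else if (ret) {
        if (priv->refcount != 1)             /* the patch's BUG_ON() */
            abort();
        o.reject_sent = 1;                   /* iw_cm_reject(cm_id, NULL, 0) */
        iw_destroy_cm_id(cm_id);             /* cm_id is dangling from here */
        o.work_leaked = live_work_entries;   /* 0 */
    }
    return o;
}

int main(void)
{
    struct outcome before = run_error_path(0), after = run_error_path(1);
    printf("old: reject=%d leaked=%d wrong_ptr=%d\n",
           before.reject_sent, before.work_leaked, before.freed_wrong_pointer);
    printf("new: reject=%d leaked=%d wrong_ptr=%d\n",
           after.reject_sent, after.work_leaked, after.freed_wrong_pointer);
    return 0;
}
```

The old branch reports three leaked work entries, no reject and a free of the wrong pointer; the new branch reports a reject, no leak and a correct free. The comment on iw_destroy_cm_id() is the part worth carrying back to the real code: once it returns, nothing later in the function may touch cm_id.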