[ofa-general] [PATCH] cma: fix access to freed memory

Sean Hefty sean.hefty at intel.com
Wed Aug 5 08:46:43 PDT 2009


>rdma_join_multicast() allocates struct cma_multicast and then proceeds to join
>to a multicast address. However, the join operation completes in another
>context and the allocated struct could be released if the user destroys either
>the rdma_id object or decides to leave the multicast group while the join is in
>progress. This patch uses reference counting to avoid such situation. It
>also protects removal from id_priv->mc_list in cma_leave_mc_groups().

rdma_destroy_id and rdma_leave_multicast call ib_sa_free_multicast.  This call
will block until the join callback completes or is canceled.  Can you describe
the race with cma_ib_mc_handler in more detail?

Also, cma_leave_mc_groups is only called from rdma_destroy_id.  Locking around
the mc->list shouldn't be required, since calls to join/leave aren't allowed.

- Sean
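A constructed C model of the lifetime problem the quoted patch description raises, added here and not taken from the patch or from the kernel's cma code: the join allocates an object, the completion handler runs later in another context, and the user may leave or destroy before it fires, so each party holds its own reference. The names mc_join, mc_leave and mc_complete are hypothetical stand-ins, not the rdma_cm API.

```c
/* Constructed model: two parties (the user and the pending completion) may be
 * the last to touch the object, so each holds one reference and whichever
 * drops the last reference frees it. Names are hypothetical. */
#include <stdlib.h>
#include <string.h>

struct mc_ctx {
    int refcount;      /* one reference per party that may still touch the object */
    int join_result;   /* filled in by the completion handler */
    char addr[40];     /* multicast address being joined (opaque here) */
};

static int frees = 0;  /* counts free() calls so a test can check exactly one per object */

static void mc_put(struct mc_ctx *mc)
{
    if (--mc->refcount == 0) {
        frees++;
        free(mc);
    }
}

/* User context: caller gets one reference; the pending completion holds the other. */
static struct mc_ctx *mc_join(const char *addr)
{
    struct mc_ctx *mc = calloc(1, sizeof(*mc));
    if (!mc)
        return NULL;
    strncpy(mc->addr, addr, sizeof(mc->addr) - 1);
    mc->refcount = 2;
    return mc;
}

/* Completion context: records the result, then drops the completion's reference.
 * Returns how many references remain afterwards. */
static int mc_complete(struct mc_ctx *mc, int result)
{
    int ref_left = mc->refcount - 1;
    mc->join_result = result;   /* safe: this context still holds a reference */
    mc_put(mc);
    return ref_left;
}

/* User context: leave (or destroy of the owning id) drops the user's reference.
 * Returns how many references remain afterwards. */
static int mc_leave(struct mc_ctx *mc)
{
    int ref_left = mc->refcount - 1;
    mc_put(mc);
    return ref_left;
}

/* Drive both orderings of "leave" and "completion"; returns frees performed. */
static int run_order(int leave_first)
{
    frees = 0;
    struct mc_ctx *mc = mc_join("ff0e::1");   /* constructed sample address */
    if (leave_first) { mc_leave(mc); mc_complete(mc, 0); }
    else             { mc_complete(mc, 0); mc_leave(mc); }
    return frees;   /* exactly 1 in either order; the late party frees */
}
```

Sean's point above is the other way to close the same window: if the free path blocks until the callback has run or been cancelled, there is never a second party left holding the object when it is released.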