[openib-general] NULL ptr derefence

[Roland Dreier]

I think I have this figured out: if you unload ib_ipoib and
ib_sa_query in quick succession, ib_ipoib sends MCMember requests to
the SA to leave its multicast groups.  Normally, because IPoIB sets a
timeout of 0, no callback is generated and so it's fine that IPoIB
passes a NULL callback.  However, if ib_sa_query is unloaded right
afterwards, the send of the request doesn't get a chance to complete
and so a cancel callback is generated.

If this crash is at all reproducible for you, can you try this patch
and see if it helps?

Thanks,
  Roland

--- infiniband/core/sa_query.c	(revision 1781)
+++ infiniband/core/sa_query.c	(working copy)
@@ -587,7 +587,7 @@
 
 	init_mad(query->sa_query.mad, agent);
 
-	query->sa_query.callback              = ib_sa_path_rec_callback;
+	query->sa_query.callback              = callback ? ib_sa_path_rec_callback : NULL;
 	query->sa_query.release               = ib_sa_path_rec_release;
 	query->sa_query.port                  = port;
 	query->sa_query.mad->mad_hdr.method   = IB_MGMT_METHOD_GET;
@@ -663,7 +663,7 @@
 
 	init_mad(query->sa_query.mad, agent);
 
-	query->sa_query.callback              = ib_sa_mcmember_rec_callback;
+	query->sa_query.callback              = callback ? ib_sa_mcmember_rec_callback : NULL;
 	query->sa_query.release               = ib_sa_mcmember_rec_release;
 	query->sa_query.port                  = port;
 	query->sa_query.mad->mad_hdr.method   = method;
@@ -698,20 +698,21 @@
 	if (!query)
 		return;
 
-	switch (mad_send_wc->status) {
-	case IB_WC_SUCCESS:
-		/* No callback -- already got recv */
-		break;
-	case IB_WC_RESP_TIMEOUT_ERR:
-		query->callback(query, -ETIMEDOUT, NULL);
-		break;
-	case IB_WC_WR_FLUSH_ERR:
-		query->callback(query, -EINTR, NULL);
-		break;
-	default:
-		query->callback(query, -EIO, NULL);
-		break;
-	}
+	if (query->callback)
+		switch (mad_send_wc->status) {
+		case IB_WC_SUCCESS:
+			/* No callback -- already got recv */
+			break;
+		case IB_WC_RESP_TIMEOUT_ERR:
+			query->callback(query, -ETIMEDOUT, NULL);
+			break;
+		case IB_WC_WR_FLUSH_ERR:
+			query->callback(query, -EINTR, NULL);
+			break;
+		default:
+			query->callback(query, -EIO, NULL);
+			break;
+		}
 
 	dma_unmap_single(agent->device->dma_device,
 			 pci_unmap_addr(query, mapping),
@@ -736,7 +737,7 @@
 	query = idr_find(&query_idr, mad_recv_wc->wc->wr_id);
 	spin_unlock_irqrestore(&idr_lock, flags);
 
-	if (query) {
+	if (query && query->callback) {
 		if (mad_recv_wc->wc->status == IB_WC_SUCCESS)
 			query->callback(query,
 					mad_recv_wc->recv_buf.mad->mad_hdr.status ?