RDMA/cma: Fix hang when cma_netevent_callback fails to queue_work

[ Upstream commit 92a251c3df8ea1991cd9fe00f1ab0cfce18d7711 ]

The cited commit fixed a crash when cma_netevent_callback was called for
a cma_id while work on that id from a previous call had not yet started.
The work item was re-initialized in the second call, which corrupted the
work item currently in the work queue.

However, it left a problem when queue_work fails (because the item is
still pending in the work queue from a previous call). In this case,
cma_id_put (which is called in the work handler) is therefore not
called. This results in a userspace process hang (zombie process).

Fix this by calling cma_id_put() if queue_work fails.

Fixes: 45f5dcdd0497 ("RDMA/cma: Fix workqueue crash in cma_netevent_work_handler")
Link: https://patch.msgid.link/r/4f3640b501e48d0166f312a64fdadf72b059bd04.1747827103.git.leon@kernel.org
Signed-off-by: Jack Morgenstein <jackm@nvidia.com>
Signed-off-by: Feng Liu <feliu@nvidia.com>
Reviewed-by: Vlad Dumitrescu <vdumitrescu@nvidia.com>
Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
Reviewed-by: Sharath Srinivasan <sharath.srinivasan@oracle.com>
Reviewed-by: Kalesh AP <kalesh-anakkur.purayil@broadcom.com>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/drivers/infiniband/core/cma.c b/drivers/infiniband/core/cma.c
index bb3c361bd8d4538854d0c4db386ac5705e378a6d..0b2cb31d0f9995768085b4271db5070814b6af5b 100644 (file)
--- a/drivers/infiniband/core/cma.c
+++ b/drivers/infiniband/core/cma.c
@@ -5190,7 +5190,8 @@ static int cma_netevent_callback(struct notifier_block *self,
                           neigh->ha, ETH_ALEN))
                        continue;
                cma_id_get(current_id);
-               queue_work(cma_wq, &current_id->id.net_work);
+               if (!queue_work(cma_wq, &current_id->id.net_work))
+                       cma_id_put(current_id);
        }
 out:
        spin_unlock_irqrestore(&id_table_lock, flags);