On Thu, 2018-12-06 at 13:11 +0200, Yuval Shaia wrote:
> Pool state is set to 'invalid' indirectly by function rxe_pool_put which
> is called anyway here so no need to update the state twice.
>
> Signed-off-by: Yuval Shaia <yuval.shaia@oracle.com>
> ---
>  drivers/infiniband/sw/rxe/rxe_pool.c | 1 -
>  1 file changed, 1 deletion(-)
>
> diff --git a/drivers/infiniband/sw/rxe/rxe_pool.c b/drivers/infiniband/sw/rxe/rxe_pool.c
> index 66728086169b..cfe8051c2683 100644
> --- a/drivers/infiniband/sw/rxe/rxe_pool.c
> +++ b/drivers/infiniband/sw/rxe/rxe_pool.c
> @@ -248,7 +248,6 @@ void rxe_pool_cleanup(struct rxe_pool *pool)
>  	unsigned long flags;
>
>  	write_lock_irqsave(&pool->pool_lock, flags);
> -	pool->state = RXE_POOL_STATE_INVALID;
>  	if (atomic_read(&pool->num_elem) > 0)
>  		pr_warn("%s pool destroyed with unfree'd elem\n",
>  			pool_name(pool));

rxe_pool_put() only causes the pool state to change after the pool reference count has dropped to zero. So I think the pool state change in rxe_pool_cleanup() is helpful to catch use-after-free of a pool.

Bart.
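Review bot: the removed line `pool->state = RXE_POOL_STATE_INVALID;` is the only state transition in this hunk, and it is the one taken under `write_lock_irqsave(&pool->pool_lock, flags)`; with it gone, the pool is no longer marked invalid at the point the pool_lock is held in rxe_pool_cleanup(), and the commit message relies on rxe_pool_put() doing it "indirectly" without saying when. Since, per the reply, rxe_pool_put() changes the state only once the reference count reaches zero, a caller still holding a reference between cleanup and the final put would not be rejected by the state check, so the early invalidation is a cheap use-after-free guard rather than a redundant write. Suggest keeping the assignment, or extending the commit message to explain why no path can observe the pool between cleanup and the last put.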