On Thu, Apr 16, 2020 at 03:33:28PM +0200, Håkon Bugge wrote: > > I think the trick is that ucma_event_handler never returns failure > > unless RDMA_CM_EVENT_CONNECT_REQUEST, which means the cm_id isn't in > > the xarray yet? > > Sure does. 1 or -ENOMEM. But the ULP's event handlers isn't that > polite. But a different issue from this syzkaller one. Seems like a crazy and difficult API to me.. > >> I assume the refcounting takes care of this. > > > > There is no refcounting for destroy, it must be called once. > > I was thinking about the "cma_deref_id(id_priv);" stuff, but I may have misunderstood. This just causes destroy_id to pause while a ref is held, there can still be only one call to destroy_id Jason
