RDMA/ucma: Fix refcount 0 incr in ucma_get_ctx()

Both ucma_destroy_id() and ucma_close_id() (triggered from an event via a
wq) can drive the refcount to zero. ucma_get_ctx() was wrongly assuming
that the refcount can only go to zero from ucma_destroy_id() which also
removes it from the xarray.

Use refcount_inc_not_zero() instead.

Link: https://lore.kernel.org/r/20200818120526.702120-2-leon@kernel.org
Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>

diff --git a/drivers/infiniband/core/ucma.c b/drivers/infiniband/core/ucma.c
index d03daca..6251685 100644 (file)
--- a/drivers/infiniband/core/ucma.c
+++ b/drivers/infiniband/core/ucma.c
@@ -153,8 +153,8 @@ static struct ucma_context *ucma_get_ctx(struct ucma_file *file, int id)
        if (!IS_ERR(ctx)) {
                if (ctx->closing)
                        ctx = ERR_PTR(-EIO);
-               else
-                       refcount_inc(&ctx->ref);
+               else if (!refcount_inc_not_zero(&ctx->ref))
+                       ctx = ERR_PTR(-ENXIO);
        }
        xa_unlock(&ctx_table);
        return ctx;