[Devel] [PATCH VZ9 2/2] RDMA/cma: Fix hang when cma_netevent_callback fails to queue_work

Pavel Tikhomirov ptikhomirov at virtuozzo.com
Mon Jun 16 08:54:54 MSK 2025


From: Jack Morgenstein <jackm at nvidia.com>

The cited commit fixed a crash when cma_netevent_callback was called for
a cma_id while work on that id from a previous call had not yet started.
The work item was re-initialized in the second call, which corrupted the
work item currently in the work queue.

However, it left a problem when queue_work fails (because the item is
still pending in the work queue from a previous call). In this case,
cma_id_put (which is called in the work handler) is therefore not
called. This results in a userspace process hang (zombie process).

Fix this by calling cma_id_put() if queue_work fails.

Fixes: 45f5dcdd0497 ("RDMA/cma: Fix workqueue crash in cma_netevent_work_handler")
Link: https://patch.msgid.link/r/4f3640b501e48d0166f312a64fdadf72b059bd04.1747827103.git.leon@kernel.org
Signed-off-by: Jack Morgenstein <jackm at nvidia.com>
Signed-off-by: Feng Liu <feliu at nvidia.com>
Reviewed-by: Vlad Dumitrescu <vdumitrescu at nvidia.com>
Signed-off-by: Leon Romanovsky <leonro at nvidia.com>
Reviewed-by: Sharath Srinivasan <sharath.srinivasan at oracle.com>
Reviewed-by: Kalesh AP <kalesh-anakkur.purayil at broadcom.com>
Signed-off-by: Jason Gunthorpe <jgg at nvidia.com>

https://virtuozzo.atlassian.net/browse/ASUP-1636
(cherry picked from commit 92a251c3df8ea1991cd9fe00f1ab0cfce18d7711)
Signed-off-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
---
 drivers/infiniband/core/cma.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/infiniband/core/cma.c b/drivers/infiniband/core/cma.c
index 906c03f6eabb..0a2c459ad72c 100644
--- a/drivers/infiniband/core/cma.c
+++ b/drivers/infiniband/core/cma.c
@@ -5191,7 +5191,8 @@ static int cma_netevent_callback(struct notifier_block *self,
 			   neigh->ha, ETH_ALEN))
 			continue;
 		cma_id_get(current_id);
-		queue_work(cma_wq, &current_id->id.net_work);
+		if (!queue_work(cma_wq, &current_id->id.net_work))
+			cma_id_put(current_id);
 	}
 out:
 	spin_unlock_irqrestore(&id_table_lock, flags);
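
Review bot: the new cma_id_put(current_id) on the queue_work() failure branch runs inside the loop while id_table_lock is still held with interrupts disabled (spin_unlock_irqrestore() only comes after out:). Please confirm that this put can never drop the last reference there, or that cma_id_put() is safe to call in that context. The branch also has no comment. A line above the if would make the pairing with cma_id_get(current_id) clear: it should say that queue_work() returns false when net_work is already pending, and that the pending handler drops only the reference taken by the earlier call.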
-- 
2.49.0


