From 4af587d062fbc85a4cc2d33ebea3a9a58fc038e4 Mon Sep 17 00:00:00 2001
From: Mark Johnston
Date: Tue, 15 Sep 2015 23:56:31 +0000
Subject: [PATCH] Ensure that the MAD agent's delayed taskqueue is completely stopped before proceeding. Otherwise, nothing prevents it from running after the MAD agent struct has been been freed, and this results in a use-after-free when the task's ta_pending count is incremented in the callout handler.

MFC after: 2 weeks
Sponsored by: EMC / Isilon Storage Division
---
 sys/ofed/drivers/infiniband/core/mad.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sys/ofed/drivers/infiniband/core/mad.c b/sys/ofed/drivers/infiniband/core/mad.c
index 3eedca1d6b6..a78dd3ac10f 100644
--- a/sys/ofed/drivers/infiniband/core/mad.c
+++ b/sys/ofed/drivers/infiniband/core/mad.c
@@ -1053,7 +1053,7 @@ static void unregister_mad_agent(struct ib_mad_agent_private *mad_agent_priv)
 	 */
 	cancel_mads(mad_agent_priv);
 	port_priv = mad_agent_priv->qp_info->port_priv;
-	cancel_delayed_work(&mad_agent_priv->timed_work);
+	cancel_delayed_work_sync(&mad_agent_priv->timed_work);
 	spin_lock_irqsave(&port_priv->reg_lock, flags);
 	remove_mad_reg_req(mad_agent_priv);