[ofa-general] [PATCH -stable] prevent memory corruption in device unregister

Michael S. Tsirkin mst at dev.mellanox.co.il
Wed Mar 21 10:28:34 PDT 2007


dst_ifdown breaks infiniband by doing dst->neighbour->dev = &loopback_dev
when the device is being unregistered. As a result, ipoib_neigh_destructor
gets called for the loopback device, resulting in memory corruption.

Luckily we know we've already freed all resources before unregistering
the device, so to avoid a crash, it's enough to test the device type
and exit.

Unfortunately module unloading remains racy - it should get fixed in 2.6.21
by a bigger change in net/core/neighbour.c.

Signed-off-by: Michael S. Tsirkin <mst at dev.mellanox.co.il>

---

We missed this previously, but sticking
WARN_ON(n->dev->type != ARPHRD_INFINIBAND) inside ipoib_neigh_destructor
shows that this memory corruption is easy to trigger in 2.6.19/2.6.20.

So I suggest sending this patch to -stable for inclusion in these kernels.
Roland, can you Ack this?

diff --git a/drivers/infiniband/ulp/ipoib/ipoib_main.c b/drivers/infiniband/ulp/ipoib/ipoib_main.c
index f9dbc6f..f801917 100644
--- a/drivers/infiniband/ulp/ipoib/ipoib_main.c
+++ b/drivers/infiniband/ulp/ipoib/ipoib_main.c
@@ -821,6 +821,9 @@ static void ipoib_neigh_destructor(struct neighbour *n)
 	unsigned long flags;
 	struct ipoib_ah *ah = NULL;
 
+        if (n->dev->type != ARPHRD_INFINIBAND)
+                return;
+
 	ipoib_dbg(priv,
 		  "neigh_destructor for %06x " IPOIB_GID_FMT "\n",
 		  IPOIB_QPN(n->ha),
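Review bot: the added `if (n->dev->type != ARPHRD_INFINIBAND)` early return in ipoib_neigh_destructor carries no comment explaining how a neighbour whose device is not InfiniBand can reach this destructor. The reason (dst_ifdown repointing the neighbour's dev to loopback_dev during unregister) is only in the commit message, so a short comment above the check would keep it from being read as dead code and removed later. That comment should also say that returning early is safe only because all resources were already freed before the device was unregistered, as the commit message states, and that it does not address the remaining module-unload race. The two added lines are indented with spaces while the surrounding context lines use tabs; please convert them to tabs to match the file.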
-- 
MST


