[ofa-general] [PATCH] ipoib: fix crash in path_rec_completion
Yossi Etigin
yosefe at Voltaire.COM
Fri Oct 31 06:01:58 PDT 2008
Fix a crash in path_rec_completion() during sm up/down loop.
If more than one path record request is issued, the first completion
releases path->done, allowing ipoib_flush_paths() to free the path,
and thus corrupting it for the second completion.
Signed-off-by: Yossi Etigin <yosefe at voltaire.com>
--
Fixes bugzilla 1325.
The flush levels patch added the field 'path->valid' and changed the
test 'if (!path)' to 'if (!path || !path->valid)'. This change made it
possible for a path with an outstanding query to pass the test and issue
another query on the same path. Having two queries on the same path leads
to a crash.
Index: b/drivers/infiniband/ulp/ipoib/ipoib_main.c
===================================================================
--- a/drivers/infiniband/ulp/ipoib/ipoib_main.c 2008-10-31 14:13:28.000000000 +0200
+++ b/drivers/infiniband/ulp/ipoib/ipoib_main.c 2008-10-31 14:15:03.000000000 +0200
@@ -639,7 +639,7 @@ static void unicast_arp_send(struct sk_b
skb_push(skb, sizeof *phdr);
__skb_queue_tail(&path->queue, skb);
- if (path_rec_start(dev, path)) {
+ if (!path->query && path_rec_start(dev, path)) {
spin_unlock_irqrestore(&priv->lock, flags);
path_free(dev, path);
return;
--
--Yossi
More information about the general
mailing list