<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=us-ascii">
<META content="MSHTML 6.00.2900.3243" name=GENERATOR></HEAD>
<BODY>
<DIV><FONT size=2><FONT size=1>
<P><FONT face=Arial><FONT size=2>[MLX4] fixed application crash in case of IOCTL 
failure.<SPAN class=978441918-23112008> [mlnx:3498]</SPAN></FONT></FONT></P>
<P><FONT face=Arial size=2>The crash<SPAN class=978441918-23112008> is 
caus</SPAN>ed by vendor objects being cleaned up twice: once when the post 
function handles the IOCTL error, and a second time when IBAL calls the destroy 
function for cleanup.</FONT></P></FONT></FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>Index: 
core/al/user/ual_cq.c<BR>===================================================================<BR>--- 
core/al/user/ual_cq.c (revision 1765)<BR>+++ 
core/al/user/ual_cq.c (working copy)<BR>@@ -162,19 +162,6 
@@<BR>   h_cq->h_rearm_n_cq = 
h_cq;<BR>  }<BR> <BR>- if( status != IB_SUCCESS 
)<BR>- {<BR>-  CL_ASSERT( !h_cq->h_ci_cq 
);<BR>-  /*<BR>-   * If we failed to create the CQ in the 
kernel, clear the h_ci_cq<BR>-   * pointer to prevent trying to clean 
it up later.  This is needed<BR>-   * to work-around the uVPD 
incorrectly setting the handle in the<BR>-   * post_create_cq call 
even in the case of a failure.<BR>-   */<BR>-  /* TODO: Fix 
the UVP. */<BR>-  h_cq->h_ci_cq = 
NULL;<BR>- }<BR>-<BR>  AL_EXIT( AL_DBG_CQ 
);<BR>  return status;<BR> }<BR>Index: 
hw/mlx4/user/hca/verbs.c<BR>===================================================================<BR>--- 
hw/mlx4/user/hca/verbs.c (revision 1765)<BR>+++ 
hw/mlx4/user/hca/verbs.c (working copy)<BR>@@ -96,6 +96,7 
@@<BR>   if (!mlx4_fill_context(context, 
p_resp))<BR>   {<BR>    status = 
IB_INSUFFICIENT_RESOURCES;<BR>+   *ph_uvp_ca = 
NULL;<BR>    goto 
end;<BR>   }<BR>  }<BR>@@ -115,6 +116,7 
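Review bot: Clearing `*ph_uvp_ca` when `mlx4_fill_context` fails drops the only handle to `context`, and nothing visible in this hunk frees it before `goto end`. If the `end:` path (outside the hunk) does not release the context, the double cleanup turns into a leak. If IBAL still calls the close path afterwards, the `CL_ASSERT(context)` and `mlx4_free_context(context)` shown in the next hunk would be handed NULL. Once the ownership is confirmed, a comment such as `/* context is released at end:; clear the handle so close is not run on it */` would record it. The enclosing function starts and ends outside the hunk.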
@@<BR>  CL_ASSERT(context);<BR> <BR>  if (IB_SUCCESS == 
ioctl_status)<BR>+  <BR>   mlx4_free_context(context);<BR> <BR>  return 
IB_SUCCESS;<BR>@@ -185,6 +187,7 
@@<BR>  else<BR>  {<BR>   cl_free(to_mpd(pd));<BR>+  *ph_uvp_pd 
= NULL;<BR>  }<BR>  <BR>  cl_free(p_resp);<BR>@@ 
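Review bot: The new `*ph_uvp_pd = NULL;` after `cl_free(to_mpd(pd))` carries no comment, and this same patch deletes the explanation that used to live in ual_cq.c, so the rule that a UVP post function must clear a handle it has already released is no longer written down anywhere. A one-line comment, e.g. `/* object already released here; clear the handle so IBAL cleanup does not destroy it again */`, would help. The same applies to the `*ph_uvp_cq`, `*ph_uvp_srq` (both hunks), `*ph_uvp_qp` and `*ph_uvp_xrcd` assignments below. The fix also assumes every destroy path treats a NULL handle as nothing to do; that check is not visible in these hunks and is worth confirming. The enclosing functions start and end outside the hunks.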
-329,6 +332,7 
@@<BR>  else<BR>  {<BR>   mlx4_post_destroy_cq 
(*ph_uvp_cq, IB_SUCCESS);<BR>+  *ph_uvp_cq = 
NULL;<BR>  }<BR>  <BR>  cl_free(p_resp);<BR>@@ 
-489,6 +493,7 
@@<BR>  else<BR>  {<BR>   mlx4_post_destroy_srq 
(*ph_uvp_srq, IB_SUCCESS);<BR>+  *ph_uvp_srq = 
NULL;<BR>  }<BR> <BR>  cl_free(p_resp);<BR>@@ -813,6 
+818,7 
@@<BR>  else<BR>  {<BR>   mlx4_post_destroy_qp(*ph_uvp_qp, 
IB_SUCCESS);<BR>+  *ph_uvp_qp = 
NULL;<BR>  }<BR> <BR>  cl_free(p_resp);<BR>@@ -1361,6 
+1367,7 
@@<BR>  else<BR>  {<BR>   mlx4_post_destroy_srq 
(*ph_uvp_srq, IB_SUCCESS);<BR>+  *ph_uvp_srq = 
NULL;<BR>  }<BR> <BR>  cl_free( p_resp );<BR>@@ -1442,6 
+1449,7 
@@<BR>  else<BR>  {<BR>   cl_free(to_mxrcd(xrcd));<BR>+  *ph_uvp_xrcd 

NULL;<BR>  }<BR>  <BR>  cl_free(p_resp);<BR>Index: 
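Review bot: As rendered on this page, the added line in the xrcd hunk reads `*ph_uvp_xrcd NULL;` with no assignment operator, which would not compile. This is most likely a mail-formatting artefact, since every sibling hunk has `= NULL;`, but the applied patch should be checked to contain `*ph_uvp_xrcd = NULL;`.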
hw/mthca/user/mlnx_ual_cq.c<BR>===================================================================<BR>--- 
hw/mthca/user/mlnx_ual_cq.c (revision 1765)<BR>+++ 
hw/mthca/user/mlnx_ual_cq.c (working copy)<BR>@@ -57,8 +57,6 
@@<BR>  struct ibv_create_cq *p_create_cq;<BR>  int 
err;<BR> <BR>- UNREFERENCED_PARAMETER(ph_uvp_cq);<BR>-<BR>  UVP_ENTER(UVP_DBG_CQ);<BR> <BR>  CL_ASSERT(p_umv_buf);<BR>@@ 
-83,6 +81,7 @@<BR>   goto 
err_alloc_cq;<BR>  }<BR> <BR>+ *ph_uvp_cq = 
(ib_cq_handle_t)(ULONG_PTR)p_create_cq->user_handle;<BR>  goto 
end;<BR>   <BR> err_alloc_cq:<BR>@@ -128,11 +127,13 
@@<BR> <BR>   *ph_uvp_cq = 
(ib_cq_handle_t)ibv_cq;<BR>  }<BR>- goto end;<BR>+ else 
{<BR>+  ibv_cq = (struct ibv_cq 
*)*ph_uvp_cq;<BR>+  ibv_cq->context->ops.destroy_cq( ibv_cq 
);<BR>+  *ph_uvp_cq = 
NULL;<BR>+ }<BR> <BR>- p_hobul->ibv_ctx->ops.destroy_cq(ibv_cq);<BR> err_create_cq:<BR>-end: <BR>  if 
(p_resp)<BR>   cl_free( p_resp 
);<BR>  UVP_EXIT(UVP_DBG_CQ);<BR></FONT></DIV></BODY></HTML>
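Review bot: The new `else` branch dereferences `*ph_uvp_cq` (`ibv_cq->context->ops.destroy_cq( ibv_cq )`) without checking it for NULL. The only assignment visible in this patch is the `*ph_uvp_cq = ...user_handle` line in the pre-create hunk above, and the `err_alloc_cq:` label that follows it suggests pre-create has error exits that bypass it. If the post function can run after such a failure, or with a handle the caller never initialised, this faults in the very error path the patch is hardening. Guarding the branch with `else if (*ph_uvp_cq) {` keeps the cleanup and the `*ph_uvp_cq = NULL;` reset while making that path safe. It is also worth confirming what a jump to the retained `err_create_cq:` label leaves in `*ph_uvp_cq`, since that path now skips the destroy call; the function's start lies outside the hunk.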