diff options
author | Yossi Etigin <yosefe@Voltaire.COM> | 2008-11-12 13:24:39 -0500 |
---|---|---|
committer | Roland Dreier <rolandd@cisco.com> | 2008-11-12 13:24:39 -0500 |
commit | ff79ae80837cf45cb703b34824dd3862d2ddcb24 (patch) | |
tree | 646c6be0cb96273395f23380080887e223d1fb03 | |
parent | 93a3ab939ba90e00e193f0bad98f43fbdfbd925d (diff) |
IPoIB: Fix crash in path_rec_completion()
Fix a crash in path_rec_completion() during an SM up/down loop. If
more than one path record request is issued, the first completion
releases path->done, allowing ipoib_flush_paths() to free the path,
and thus corrupting it for the second completion.
Commit ee1e2c82 ("IPoIB: Refresh paths instead of flushing them on SM
change events") added the field path->valid and changed the test "if
(!path)" to "if (!path || !path->valid)". This change made it
possible for a path with an outstanding query to pass the test and
issue another query on the same path. Having two queries on the same
path leads to a crash.
This fixes <https://bugs.openfabrics.org/show_bug.cgi?id=1325>.
Signed-off-by: Yossi Etigin <yosefe@voltaire.com>
Signed-off-by: Roland Dreier <rolandd@cisco.com>
-rw-r--r-- | drivers/infiniband/ulp/ipoib/ipoib_main.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/drivers/infiniband/ulp/ipoib/ipoib_main.c b/drivers/infiniband/ulp/ipoib/ipoib_main.c index 0b2f601e8caf..85257f6b9576 100644 --- a/drivers/infiniband/ulp/ipoib/ipoib_main.c +++ b/drivers/infiniband/ulp/ipoib/ipoib_main.c | |||
@@ -664,7 +664,7 @@ static void unicast_arp_send(struct sk_buff *skb, struct net_device *dev, | |||
664 | skb_push(skb, sizeof *phdr); | 664 | skb_push(skb, sizeof *phdr); |
665 | __skb_queue_tail(&path->queue, skb); | 665 | __skb_queue_tail(&path->queue, skb); |
666 | 666 | ||
667 | if (path_rec_start(dev, path)) { | 667 | if (!path->query && path_rec_start(dev, path)) { |
668 | spin_unlock_irqrestore(&priv->lock, flags); | 668 | spin_unlock_irqrestore(&priv->lock, flags); |
669 | path_free(dev, path); | 669 | path_free(dev, path); |
670 | return; | 670 | return; |