diff options
| author | Jack Morgenstein <jackm@dev.mellanox.co.il> | 2009-02-17 17:51:47 -0500 |
|---|---|---|
| committer | Roland Dreier <rolandd@cisco.com> | 2009-02-17 17:51:47 -0500 |
| commit | 71d98b4628ee869d62814f6d8607d76cab4b9ec5 (patch) | |
| tree | 10b4d085aaf23020c052d5e340330d757730d138 /drivers/infiniband | |
| parent | f3b8436ad9a8ad36b3c9fa1fe030c7f38e5d3d0b (diff) | |
IPoIB: In unicast_arp_send(), only free newly-created paths
If path_rec_start() returns error, call path_free() only if the path
was newly-created. If we free an existing path whose valid flag was zero,
(but do not detach it from the list) we cause corruption of the
path list (of which it is a member), and get a kernel crash.
The simplest solution is to not free an existing path -- just leave it
in the list as-is (i.e., with its valid flag cleared).
Thanks to Yossi Etigin of Voltaire for identifying the problem flow
which caused the kernel crash.
Signed-off-by: Jack Morgenstein <jackm@dev.mellanox.co.il>
Signed-off-by: Moni Shua <monis@voltaire.com>
Signed-off-by: Roland Dreier <rolandd@cisco.com>
Diffstat (limited to 'drivers/infiniband')
| -rw-r--r-- | drivers/infiniband/ulp/ipoib/ipoib_main.c | 9 |
1 files changed, 7 insertions, 2 deletions
diff --git a/drivers/infiniband/ulp/ipoib/ipoib_main.c b/drivers/infiniband/ulp/ipoib/ipoib_main.c index 0bd2a4ff0842..353c13b91e8f 100644 --- a/drivers/infiniband/ulp/ipoib/ipoib_main.c +++ b/drivers/infiniband/ulp/ipoib/ipoib_main.c | |||
| @@ -660,8 +660,12 @@ static void unicast_arp_send(struct sk_buff *skb, struct net_device *dev, | |||
| 660 | 660 | ||
| 661 | path = __path_find(dev, phdr->hwaddr + 4); | 661 | path = __path_find(dev, phdr->hwaddr + 4); |
| 662 | if (!path || !path->valid) { | 662 | if (!path || !path->valid) { |
| 663 | if (!path) | 663 | int new_path = 0; |
| 664 | |||
| 665 | if (!path) { | ||
| 664 | path = path_rec_create(dev, phdr->hwaddr + 4); | 666 | path = path_rec_create(dev, phdr->hwaddr + 4); |
| 667 | new_path = 1; | ||
| 668 | } | ||
| 665 | if (path) { | 669 | if (path) { |
| 666 | /* put pseudoheader back on for next time */ | 670 | /* put pseudoheader back on for next time */ |
| 667 | skb_push(skb, sizeof *phdr); | 671 | skb_push(skb, sizeof *phdr); |
| @@ -669,7 +673,8 @@ static void unicast_arp_send(struct sk_buff *skb, struct net_device *dev, | |||
| 669 | 673 | ||
| 670 | if (!path->query && path_rec_start(dev, path)) { | 674 | if (!path->query && path_rec_start(dev, path)) { |
| 671 | spin_unlock_irqrestore(&priv->lock, flags); | 675 | spin_unlock_irqrestore(&priv->lock, flags); |
| 672 | path_free(dev, path); | 676 | if (new_path) |
| 677 | path_free(dev, path); | ||
| 673 | return; | 678 | return; |
| 674 | } else | 679 | } else |
| 675 | __path_add(dev, path); | 680 | __path_add(dev, path); |