authorShlomo Pongratz <shlomop@mellanox.com>2012-08-13 10:39:49 -0400
committerRoland Dreier <roland@purestorage.com>2012-08-14 18:21:44 -0400
commitfa16ebed31f336e41970f3f0ea9e8279f6be2d27 (patch)
tree73d9e6edccbb22680fd0a11e42aa13ff5df7c4f7 /drivers
parent0d7614f09c1ebdbaa1599a5aba7593f147bf96ee (diff)
IB/ipoib: Add missing locking when CM object is deleted
Commit b63b70d87741 ("IPoIB: Use a private hash table for path lookup in xmit path") introduced a bug where in ipoib_cm_destroy_tx() a CM object is moved between lists without any supported locking. Under a stress test, this eventually leads to list corruption and a crash. Previously when this routine was called, callers were taking the device priv lock. Currently this function is called from the RCU callback associated with neighbour deletion. Fix the race by taking the same lock we used to before. Signed-off-by: Shlomo Pongratz <shlomop@mellanox.com> Signed-off-by: Or Gerlitz <ogerlitz@mellanox.com> Signed-off-by: Roland Dreier <roland@purestorage.com>
Diffstat (limited to 'drivers')
-rw-r--r--drivers/infiniband/ulp/ipoib/ipoib_cm.c3
1 files changed, 3 insertions, 0 deletions
diff --git a/drivers/infiniband/ulp/ipoib/ipoib_cm.c b/drivers/infiniband/ulp/ipoib/ipoib_cm.c
index 95ecf4eadf5f..24683fda8e21 100644
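--- a/drivers/infiniband/ulp/ipoib/ipoib_cm.c
+++ b/drivers/infiniband/ulp/ipoib/ipoib_cm.c
@@ -1271,12 +1271,15 @@ struct ipoib_cm_tx *ipoib_cm_create_tx(struct net_device *dev, struct ipoib_path
 void ipoib_cm_destroy_tx(struct ipoib_cm_tx *tx)
 {
  struct ipoib_dev_priv *priv = netdev_priv(tx->dev);
+ unsigned long flags;
  if (test_and_clear_bit(IPOIB_FLAG_INITIALIZED, &tx->flags)) {
+ spin_lock_irqsave(&priv->lock, flags);
  list_move(&tx->list, &priv->cm.reap_list);
  queue_work(ipoib_workqueue, &priv->cm.reap_task);
  ipoib_dbg(priv, "Reap connection for gid %pI6\n",
  tx->neigh->daddr + 4);
  tx->neigh = NULL;
+ spin_unlock_irqrestore(&priv->lock, flags);
  }
 }
 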
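Review bot: ipoib_cm_destroy_tx() now acquires priv->lock itself, but nothing at the definition records that contract. The commit message says callers used to hold this lock, so any call site that still does would self-deadlock on the non-recursive spinlock. I would add a comment above the function such as `/* Takes priv->lock (irqsave); must not be called with priv->lock held. */` and confirm that no remaining caller enters with the lock taken, since the call sites are not visible in this hunk. As a smaller point, the `ipoib_dbg()` print sits inside the IRQ-disabled region although only the `list_move()` and the `tx->neigh = NULL` store obviously need the lock. Whether the print can move outside depends on what protects `tx->neigh`, which the hunk does not show.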