summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorYossi Etigin <yosefe@Voltaire.COM>2008-11-12 10:24:39 -0800
committerRoland Dreier <rolandd@cisco.com>2008-11-12 10:24:39 -0800
commitff79ae80837cf45cb703b34824dd3862d2ddcb24 (patch)
tree646c6be0cb96273395f23380080887e223d1fb03
parent93a3ab939ba90e00e193f0bad98f43fbdfbd925d (diff)
downloadkernel-crypto-ff79ae80837cf45cb703b34824dd3862d2ddcb24.tar.gz
kernel-crypto-ff79ae80837cf45cb703b34824dd3862d2ddcb24.tar.xz
kernel-crypto-ff79ae80837cf45cb703b34824dd3862d2ddcb24.zip
IPoIB: Fix crash in path_rec_completion()
Fix a crash in path_rec_completion() during an SM up/down loop. If more than one path record request is issued, the first completion releases path->done, allowing ipoib_flush_paths() to free the path, and thus corrupting it for the second completion. Commit ee1e2c82 ("IPoIB: Refresh paths instead of flushing them on SM change events") added the field path->valid and changed the test "if (!path)" to "if (!path || !path->valid)". This change made it possible for a path with an outstanding query to pass the test and issue another query on the same path. Having two queries on the same path leads to a crash. This fixes <https://bugs.openfabrics.org/show_bug.cgi?id=1325>. Signed-off-by: Yossi Etigin <yosefe@voltaire.com> Signed-off-by: Roland Dreier <rolandd@cisco.com>
-rw-r--r--drivers/infiniband/ulp/ipoib/ipoib_main.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/drivers/infiniband/ulp/ipoib/ipoib_main.c b/drivers/infiniband/ulp/ipoib/ipoib_main.c
index 0b2f601e8ca..85257f6b957 100644
--- a/drivers/infiniband/ulp/ipoib/ipoib_main.c
+++ b/drivers/infiniband/ulp/ipoib/ipoib_main.c
@@ -664,7 +664,7 @@ static void unicast_arp_send(struct sk_buff *skb, struct net_device *dev,
skb_push(skb, sizeof *phdr);
__skb_queue_tail(&path->queue, skb);
- if (path_rec_start(dev, path)) {
+ if (!path->query && path_rec_start(dev, path)) {
spin_unlock_irqrestore(&priv->lock, flags);
path_free(dev, path);
return;