mthca_cq_clean updated CQ consumer index without moving CQEs
to HW ownership. As a result, the same WRID might get reported twice,
resulting in use-after-free. This was observed in IPoIB CM.
Fix by moving all freed CQEs to HW ownership.
This fixes this bug: https://bugs.openfabrics.org/show_bug.cgi?id=617

Signed-off-by: Michael S. Tsirkin <[EMAIL PROTECTED]>

---

Index: linux-2.6/drivers/infiniband/hw/mthca/mthca_cq.c
===================================================================
--- linux-2.6.orig/drivers/infiniband/hw/mthca/mthca_cq.c       2007-05-14 
14:22:58.000000000 +0300
+++ linux-2.6/drivers/infiniband/hw/mthca/mthca_cq.c    2007-05-14 
14:42:05.000000000 +0300
@@ -284,7 +284,7 @@ void mthca_cq_clean(struct mthca_dev *de
 {
        struct mthca_cqe *cqe;
        u32 prod_index;
-       int nfreed = 0;
+       int i, nfreed = 0;
 
        spin_lock_irq(&cq->lock);
 
@@ -321,6 +321,8 @@ void mthca_cq_clean(struct mthca_dev *de
        }
 
        if (nfreed) {
+               for (i = 0; i < nfreed; ++i)
+                       set_cqe_hw(get_cqe(cq, (cq->cons_index + i) & 
cq->ibcq.cqe));
                wmb();
                cq->cons_index += nfreed;
                update_cons_index(dev, cq, nfreed);
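Review bot: the ordering in this hunk is what makes the fix correct, and it deserves a one-line comment above the loop: every set_cqe_hw() for the nfreed entries runs before the wmb() that precedes the consumer-index update, so the hardware never observes cons_index advanced past an entry that is still software-owned (which is exactly how the same WRID was being reported twice and the WR freed twice). The loop also indexes entries as (cq->cons_index + i) & cq->ibcq.cqe, which only covers the contiguous run that the earlier scan counted into nfreed, so if that scan ever compacts non-adjacent entries the two must be kept in step; a comment tying the loop to that counting pass would make the invariant visible to the next person touching mthca_cq_clean().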

-- 
MST
_______________________________________________
general mailing list
[email protected]
http://lists.openfabrics.org/cgi-bin/mailman/listinfo/general