> When using connected mode, ipoib_cm_create_tx() kmallocs a
> struct ipoib_cm_tx which contains pointers to ipoib_neigh and
> ipoib_path. If the paths are flushed or the struct neighbour is
> destroyed, the pointers held by struct ipoib_cm_tx can reference
> freed memory. The fix is to add reference counts to struct
> ipoib_neigh and ipoib_path and to add locking when getting
> new references.

Good debugging.

First look at this patch is that it ends up being rather invasive.  I
wonder if we could fix this in the other direction by keeping a list of
the ipoib_cm_tx structures affected in the neigh and path structures,
and clean the cm_tx stuff up when flushing?

Also I don't see any issues from a first read, but can you confirm that
you're not adding more locking/atomic ops (via kref) to the main data path?

 - R.
-- 
Roland Dreier  <rola...@cisco.com>
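
An added example, not part of the message above and not the ipoib driver's code: a single-threaded userspace C model of the two lifetime schemes discussed, where the cm_tx either takes its own reference on the neigh or is listed in the neigh and detached on flush. All names (`neigh_put`, `tx_create`, `neigh_flush`) are hypothetical, and the locking a real driver would need is left out.

```c
#include <stdlib.h>

/* Single-threaded userspace model. All names are hypothetical, not the
 * ipoib driver's, and the locking a real driver needs is left out. */
struct cm_tx;
struct neigh {
    int refs;               /* starts at 1: the neighbour table's reference */
    struct cm_tx *tx_list;  /* approach B: cm_tx objects pointing at us */
};
struct cm_tx {
    struct neigh *neigh;    /* the pointer that must never dangle */
    struct cm_tx *next;     /* link in neigh->tx_list */
};

/* Drop one reference; returns 1 when this call freed the neigh. */
static int neigh_put(struct neigh *n)
{
    if (--n->refs > 0)
        return 0;
    free(n);
    return 1;
}

/* take_ref != 0: approach A, the cm_tx pins the neigh with a reference.
 * take_ref == 0: approach B, the neigh lists the cm_tx for later cleanup. */
static struct cm_tx *tx_create(struct neigh *n, int take_ref)
{
    struct cm_tx *tx = calloc(1, sizeof(*tx));
    if (!tx)
        return NULL;
    tx->neigh = n;
    if (take_ref) {
        n->refs++;
    } else {
        tx->next = n->tx_list;
        n->tx_list = tx;
    }
    return tx;
}

/* Flush: detach every listed cm_tx, then drop the table's reference.
 * Returns 1 if the neigh was freed by this flush. */
static int neigh_flush(struct neigh *n)
{
    for (struct cm_tx *tx = n->tx_list; tx; tx = tx->next)
        tx->neigh = NULL;
    n->tx_list = NULL;
    return neigh_put(n);
}
```

With the reference-count scheme the neigh outlives the flush until the cm_tx drops its reference; with the list scheme the neigh is freed at flush time and every later user of `tx->neigh` has to handle NULL.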