[kernel] r8313 - in dists/sid/linux-2.6/debian: . patches/bugfix patches/series

[maximilian attems]

Author: maks-guest
Date: Mon Feb 19 17:33:25 2007
New Revision: 8313

Added:
   dists/sid/linux-2.6/debian/patches/bugfix/ib-mad-fix-race-between-cancel-and-receive-completion.patch
Modified:
   dists/sid/linux-2.6/debian/changelog
   dists/sid/linux-2.6/debian/patches/series/11
Log:
add an ib patch out of 2.6.18 stable queue


Modified: dists/sid/linux-2.6/debian/changelog
==============================================================================
--- dists/sid/linux-2.6/debian/changelog	(original)
+++ dists/sid/linux-2.6/debian/changelog	Mon Feb 19 17:33:25 2007
@@ -17,8 +17,10 @@
   * Fix incomplete ipv6 multicast patch from 2.6.16.38. (closes: #410375)
   * UML compile 2.6.16.38 fix forward port completed.
   * Forward port complete IPX checksum patch 2.6.16.34
+  * From the 2.6.18 stable queue:
+    - IB/mad: Fix race between cancel and receive completion
 
- -- maximilian attems <maks at sternwelten.at>  Fri, 16 Feb 2007 12:42:30 +0100
+ -- maximilian attems <maks at sternwelten.at>  Mon, 19 Feb 2007 17:31:22 +0100
 
 linux-2.6 (2.6.18.dfsg.1-10) unstable; urgency=low
 

Added: dists/sid/linux-2.6/debian/patches/bugfix/ib-mad-fix-race-between-cancel-and-receive-completion.patch
==============================================================================
--- (empty file)
+++ dists/sid/linux-2.6/debian/patches/bugfix/ib-mad-fix-race-between-cancel-and-receive-completion.patch	Mon Feb 19 17:33:25 2007
@@ -0,0 +1,45 @@
+From stable-bounces at linux.kernel.org  Thu Jan 11 11:51:30 2007
+To: stable at kernel.org
+From: Roland Dreier <rdreier at cisco.com>
+Date: Thu, 11 Jan 2007 11:42:49 -0800
+Message-ID: <ada4pqxjqo6.fsf at cisco.com>
+Cc: mst at mellanox.co.il, openib-general at openib.org
+Subject: IB/mad: Fix race between cancel and receive completion
+
+When ib_cancel_mad() is called, it puts the canceled send on a list
+and schedules a "flushed" callback from process context.  However,
+this leaves a window where a receive completion could be processed
+before the send is fully flushed.
+
+This is fine, except that ib_find_send_mad() will find the MAD and
+return it to the receive processing, which results in the sender
+getting both a successful receive and a "flushed" send completion for
+the same request.  Understandably, this confuses the sender, which is
+expecting only one of these two callbacks, and leads to grief such as
+a use-after-free in IPoIB.
+
+Fix this by changing ib_find_send_mad() to return a send struct only
+if the status is still successful (and not "flushed").  The search of
+the send_list already had this check, so this patch just adds the same
+check to the search of the wait_list.
+
+Signed-off-by: Roland Dreier <rolandd at cisco.com>
+Signed-off-by: Chris Wright <chrisw at sous-sol.org>
+---
+This fixes a crash seen in production when switching between IPoIB
+interfaces in a HA setup.
+
+ drivers/infiniband/core/mad.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- linux-2.6.18.6.orig/drivers/infiniband/core/mad.c
++++ linux-2.6.18.6/drivers/infiniband/core/mad.c
+@@ -1750,7 +1750,7 @@ ib_find_send_mad(struct ib_mad_agent_pri
+ 		     */
+ 		    (is_direct(wc->recv_buf.mad->mad_hdr.mgmt_class) ||
+ 		     rcv_has_same_gid(mad_agent_priv, wr, wc)))
+-			return wr;
++			return (wr->status == IB_WC_SUCCESS) ? wr : NULL;
+ 	}
+ 
+ 	/*

Modified: dists/sid/linux-2.6/debian/patches/series/11
==============================================================================
--- dists/sid/linux-2.6/debian/patches/series/11	(original)
+++ dists/sid/linux-2.6/debian/patches/series/11	Mon Feb 19 17:33:25 2007
@@ -3,3 +3,4 @@
 + bugfix/net-ipv6-mcast.patch
 + bugfix/uml-compilation.patch
 + bugfix/net-ipx-annotation-checksum.patch
++ bugfix/ib-mad-fix-race-between-cancel-and-receive-completion.patch