+++ /dev/null
-From: Stefan Roscher <stefan.roscher@de.ibm.com>
-Subject: ehca: fix a possible nullpointer access
-References: bnc#441966
-
-If the initialization of a special QP (e.g. AQP1) fails due to a
- software timeout, we have to remove the reference to that special
- QP struct from the port struct preventing the driver to access the
- QP, since it will be/has been destroyed by the caller, ie in this
- case ib_mad.
-
-Acked-by: John Jolly <jjolly@novell.com>
-
-Index: linux-2.6.27/drivers/infiniband/hw/ehca/ehca_irq.c
-===================================================================
---- linux-2.6.27.orig/drivers/infiniband/hw/ehca/ehca_irq.c
-+++ linux-2.6.27/drivers/infiniband/hw/ehca/ehca_irq.c
-@@ -359,36 +359,48 @@ static void notify_port_conf_change(stru
- *old_attr = new_attr;
- }
-
-+/* replay modify_qp for sqps -- return 0 if all is well, 1 if AQP1 destroyed */
-+static int replay_modify_qp(struct ehca_sport *sport)
-+{
-+ int aqp1_destroyed;
-+ unsigned long flags;
-+
-+ spin_lock_irqsave(&sport->mod_sqp_lock, flags);
-+
-+ aqp1_destroyed = !sport->ibqp_sqp[IB_QPT_GSI];
-+
-+ if (sport->ibqp_sqp[IB_QPT_SMI])
-+ ehca_recover_sqp(sport->ibqp_sqp[IB_QPT_SMI]);
-+ if (!aqp1_destroyed)
-+ ehca_recover_sqp(sport->ibqp_sqp[IB_QPT_GSI]);
-+
-+ spin_unlock_irqrestore(&sport->mod_sqp_lock, flags);
-+
-+ return aqp1_destroyed;
-+}
-+
- static void parse_ec(struct ehca_shca *shca, u64 eqe)
- {
- u8 ec = EHCA_BMASK_GET(NEQE_EVENT_CODE, eqe);
- u8 port = EHCA_BMASK_GET(NEQE_PORT_NUMBER, eqe);
- u8 spec_event;
- struct ehca_sport *sport = &shca->sport[port - 1];
-- unsigned long flags;
-
- switch (ec) {
- case 0x30: /* port availability change */
- if (EHCA_BMASK_GET(NEQE_PORT_AVAILABILITY, eqe)) {
-- int suppress_event;
-- /* replay modify_qp for sqps */
-- spin_lock_irqsave(&sport->mod_sqp_lock, flags);
-- suppress_event = !sport->ibqp_sqp[IB_QPT_GSI];
-- if (sport->ibqp_sqp[IB_QPT_SMI])
-- ehca_recover_sqp(sport->ibqp_sqp[IB_QPT_SMI]);
-- if (!suppress_event)
-- ehca_recover_sqp(sport->ibqp_sqp[IB_QPT_GSI]);
-- spin_unlock_irqrestore(&sport->mod_sqp_lock, flags);
--
-- /* AQP1 was destroyed, ignore this event */
-- if (suppress_event)
-- break;
-+ /* only replay modify_qp calls in autodetect mode;
-+ * if AQP1 was destroyed, the port is already down
-+ * again and we can drop the event.
-+ */
-+ if (ehca_nr_ports < 0)
-+ if (replay_modify_qp(sport))
-+ break;
-
- sport->port_state = IB_PORT_ACTIVE;
- dispatch_port_event(shca, port, IB_EVENT_PORT_ACTIVE,
- "is active");
-- ehca_query_sma_attr(shca, port,
-- &sport->saved_attr);
-+ ehca_query_sma_attr(shca, port, &sport->saved_attr);
- } else {
- sport->port_state = IB_PORT_DOWN;
- dispatch_port_event(shca, port, IB_EVENT_PORT_ERR,
-Index: linux-2.6.27/drivers/infiniband/hw/ehca/ehca_qp.c
-===================================================================
---- linux-2.6.27.orig/drivers/infiniband/hw/ehca/ehca_qp.c
-+++ linux-2.6.27/drivers/infiniband/hw/ehca/ehca_qp.c
-@@ -854,6 +854,11 @@ static struct ehca_qp *internal_create_q
- if (qp_type == IB_QPT_GSI) {
- h_ret = ehca_define_sqp(shca, my_qp, init_attr);
- if (h_ret != H_SUCCESS) {
-+ kfree(my_qp->mod_qp_parm);
-+ my_qp->mod_qp_parm = NULL;
-+ /* the QP pointer is no longer valid */
-+ shca->sport[init_attr->port_num - 1].ibqp_sqp[qp_type] =
-+ NULL;
- ret = ehca2ib_return_code(h_ret);
- goto create_qp_exit6;
- }
projects / people / teissler / ipfire-2.x.git / blobdiff