--- /dev/null
+From: Stefan Roscher <stefan.roscher@de.ibm.com>
+Subject: ehca: fix a possible nullpointer access
+References: bnc#441966
+
+If the initialization of a special QP (e.g. AQP1) fails due to a
+ software timeout, we have to remove the reference to that special
+ QP struct from the port struct preventing the driver to access the
+ QP, since it will be/has been destroyed by the caller, ie in this
+ case ib_mad.
+
+Acked-by: John Jolly <jjolly@novell.com>
+
+Index: linux-2.6.27/drivers/infiniband/hw/ehca/ehca_irq.c
+===================================================================
+--- linux-2.6.27.orig/drivers/infiniband/hw/ehca/ehca_irq.c
++++ linux-2.6.27/drivers/infiniband/hw/ehca/ehca_irq.c
+@@ -359,36 +359,48 @@ static void notify_port_conf_change(stru
+ *old_attr = new_attr;
+ }
+
++/* replay modify_qp for sqps -- return 0 if all is well, 1 if AQP1 destroyed */
++static int replay_modify_qp(struct ehca_sport *sport)
++{
++ int aqp1_destroyed;
++ unsigned long flags;
++
++ spin_lock_irqsave(&sport->mod_sqp_lock, flags);
++
++ aqp1_destroyed = !sport->ibqp_sqp[IB_QPT_GSI];
++
++ if (sport->ibqp_sqp[IB_QPT_SMI])
++ ehca_recover_sqp(sport->ibqp_sqp[IB_QPT_SMI]);
++ if (!aqp1_destroyed)
++ ehca_recover_sqp(sport->ibqp_sqp[IB_QPT_GSI]);
++
++ spin_unlock_irqrestore(&sport->mod_sqp_lock, flags);
++
++ return aqp1_destroyed;
++}
++
+ static void parse_ec(struct ehca_shca *shca, u64 eqe)
+ {
+ u8 ec = EHCA_BMASK_GET(NEQE_EVENT_CODE, eqe);
+ u8 port = EHCA_BMASK_GET(NEQE_PORT_NUMBER, eqe);
+ u8 spec_event;
+ struct ehca_sport *sport = &shca->sport[port - 1];
+- unsigned long flags;
+
+ switch (ec) {
+ case 0x30: /* port availability change */
+ if (EHCA_BMASK_GET(NEQE_PORT_AVAILABILITY, eqe)) {
+- int suppress_event;
+- /* replay modify_qp for sqps */
+- spin_lock_irqsave(&sport->mod_sqp_lock, flags);
+- suppress_event = !sport->ibqp_sqp[IB_QPT_GSI];
+- if (sport->ibqp_sqp[IB_QPT_SMI])
+- ehca_recover_sqp(sport->ibqp_sqp[IB_QPT_SMI]);
+- if (!suppress_event)
+- ehca_recover_sqp(sport->ibqp_sqp[IB_QPT_GSI]);
+- spin_unlock_irqrestore(&sport->mod_sqp_lock, flags);
+-
+- /* AQP1 was destroyed, ignore this event */
+- if (suppress_event)
+- break;
++ /* only replay modify_qp calls in autodetect mode;
++ * if AQP1 was destroyed, the port is already down
++ * again and we can drop the event.
++ */
++ if (ehca_nr_ports < 0)
++ if (replay_modify_qp(sport))
++ break;
+
+ sport->port_state = IB_PORT_ACTIVE;
+ dispatch_port_event(shca, port, IB_EVENT_PORT_ACTIVE,
+ "is active");
+- ehca_query_sma_attr(shca, port,
+- &sport->saved_attr);
++ ehca_query_sma_attr(shca, port, &sport->saved_attr);
+ } else {
+ sport->port_state = IB_PORT_DOWN;
+ dispatch_port_event(shca, port, IB_EVENT_PORT_ERR,
+Index: linux-2.6.27/drivers/infiniband/hw/ehca/ehca_qp.c
+===================================================================
+--- linux-2.6.27.orig/drivers/infiniband/hw/ehca/ehca_qp.c
++++ linux-2.6.27/drivers/infiniband/hw/ehca/ehca_qp.c
+@@ -854,6 +854,11 @@ static struct ehca_qp *internal_create_q
+ if (qp_type == IB_QPT_GSI) {
+ h_ret = ehca_define_sqp(shca, my_qp, init_attr);
+ if (h_ret != H_SUCCESS) {
++ kfree(my_qp->mod_qp_parm);
++ my_qp->mod_qp_parm = NULL;
++ /* the QP pointer is no longer valid */
++ shca->sport[init_attr->port_num - 1].ibqp_sqp[qp_type] =
++ NULL;
+ ret = ehca2ib_return_code(h_ret);
+ goto create_qp_exit6;
+ }
projects / people / teissler / ipfire-2.x.git / blobdiff