mirror of
https://github.com/torvalds/linux
synced 2024-09-30 00:10:51 +00:00
50a025c69e
NULL pointer dereferences in ib_cm_init_qp_attr() were seen by some
users. From a crash dump, I determined that we died in
cm_init_qp_rts_attr() (it's inlined, so it doesn't show up in the
traceback) on the line labeled below:
static int cm_init_qp_rts_attr(struct cm_id_private *cm_id_priv,
struct ib_qp_attr *qp_attr,
int *qp_attr_mask)
{
........
if (cm_id_priv->id.lap_state == IB_CM_LAP_UNINIT) {
.....
} else {
*qp_attr_mask = IB_QP_ALT_PATH | IB_QP_PATH_MIG_STATE;
qp_attr->alt_port_num = cm_id_priv->alt_av.port->port_num; <-die
The problem is that the rdma_cm can call ib_send_cm_mra() after a
connection has been established. The ib_cm incorrectly assumes that
the MRA is in response to a LAP (load alternate path) message, even
though no LAP message has been received. The ib_cm needs to check the
lap_state before sending an MRA if the cm_id state is established.
Reported-by: Arthur Kepner <akepner@sgi.com>
Reported-by: Josh England <jjengla@gmail.com>
Signed-off-by: Sean Hefty <sean.hefty@intel.com>
Signed-off-by: Roland Dreier <rolandd@cisco.com>
|
||
|---|---|---|
| .. | ||
| addr.c | ||
| agent.c | ||
| agent.h | ||
| cache.c | ||
| cm.c | ||
| cm_msgs.h | ||
| cma.c | ||
| core_priv.h | ||
| device.c | ||
| fmr_pool.c | ||
| iwcm.c | ||
| iwcm.h | ||
| mad.c | ||
| mad_priv.h | ||
| mad_rmpp.c | ||
| mad_rmpp.h | ||
| Makefile | ||
| multicast.c | ||
| packer.c | ||
| sa.h | ||
| sa_query.c | ||
| smi.c | ||
| smi.h | ||
| sysfs.c | ||
| ucm.c | ||
| ucma.c | ||
| ud_header.c | ||
| umem.c | ||
| user_mad.c | ||
| uverbs.h | ||
| uverbs_cmd.c | ||
| uverbs_main.c | ||
| uverbs_marshall.c | ||
| verbs.c | ||