summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorRoland Dreier <rolandd@cisco.com>2005-10-30 22:07:03 +0100
committerRoland Dreier <rolandd@cisco.com>2005-10-31 16:10:32 +0100
commite5b251a24a9cd34a7ef98e361eb94e7ab122a554 (patch)
treec29760bafd7107252389712965ad7e4ed0791a82
parent[IB] uverbs: Avoid NULL pointer deref on CQ async event (diff)
downloadlinux-e5b251a24a9cd34a7ef98e361eb94e7ab122a554.tar.xz
linux-e5b251a24a9cd34a7ef98e361eb94e7ab122a554.zip
[IB] mthca: Avoid SRQ free WQE list corruption
Fix wqe_to_link() to use a structure field that we know is definitely always unused for receive work requests, so that it really avoids the free list corruption bug that the comment claims it does. Signed-off-by: Roland Dreier <rolandd@cisco.com>
-rw-r--r--drivers/infiniband/hw/mthca/mthca_srq.c13
1 files changed, 7 insertions, 6 deletions
diff --git a/drivers/infiniband/hw/mthca/mthca_srq.c b/drivers/infiniband/hw/mthca/mthca_srq.c
index 64f70aa1b3c0..292f55be8cbd 100644
--- a/drivers/infiniband/hw/mthca/mthca_srq.c
+++ b/drivers/infiniband/hw/mthca/mthca_srq.c
@@ -75,15 +75,16 @@ static void *get_wqe(struct mthca_srq *srq, int n)
/*
* Return a pointer to the location within a WQE that we're using as a
- * link when the WQE is in the free list. We use an offset of 4
- * because in the Tavor case, posting a WQE may overwrite the first
- * four bytes of the previous WQE. The offset avoids corrupting our
- * free list if the WQE has already completed and been put on the free
- * list when we post the next WQE.
+ * link when the WQE is in the free list. We use the imm field
+ * because in the Tavor case, posting a WQE may overwrite the next
+ * segment of the previous WQE, but a receive WQE will never touch the
+ * imm field. This avoids corrupting our free list if the previous
+ * WQE has already completed and been put on the free list when we
+ * post the next WQE.
*/
static inline int *wqe_to_link(void *wqe)
{
- return (int *) (wqe + 4);
+ return (int *) (wqe + offsetof(struct mthca_next_seg, imm));
}
static void mthca_tavor_init_srq_context(struct mthca_dev *dev,