IB/qib: Fix race between qib_error_qp() and receive packet processing
When transitioning a QP to the error state, in progress RWQEs need to be marked complete. This also involves releasing the reference count to the memory regions referenced in the SGEs. The locking in the receive packet processing wasn't sufficient to prevent qib_error_qp() from modifying the r_sge state at the same time, thus leading to kernel panics. Signed-off-by: Ralph Campbell <ralph.campbell@qlogic.com> Signed-off-by: Roland Dreier <rolandd@cisco.com>
This commit is contained in:
Ralph Campbell
@@ -272,9 +272,6 @@ void qib_uc_rcv(struct qib_ibport *ibp, struct qib_ib_header *hdr,
|
||||
opcode >>= 24;
|
||||
memset(&wc, 0, sizeof wc);
|
||||
|
||||
/* Prevent simultaneous processing after APM on different CPUs */
|
||||
spin_lock(&qp->r_lock);
|
||||
|
||||
/* Compare the PSN verses the expected PSN. */
|
||||
if (unlikely(qib_cmp24(psn, qp->r_psn) != 0)) {
|
||||
/*
|
||||
@@ -534,7 +531,6 @@ rdma_last:
|
||||
}
|
||||
qp->r_psn++;
|
||||
qp->r_state = opcode;
|
||||
spin_unlock(&qp->r_lock);
|
||||
return;
|
||||
|
||||
rewind:
|
||||
@@ -542,12 +538,10 @@ rewind:
|
||||
qp->r_sge.num_sge = 0;
|
||||
drop:
|
||||
ibp->n_pkt_drops++;
|
||||
spin_unlock(&qp->r_lock);
|
||||
return;
|
||||
|
||||
op_err:
|
||||
qib_rc_error(qp, IB_WC_LOC_QP_OP_ERR);
|
||||
spin_unlock(&qp->r_lock);
|
||||
return;
|
||||
|
||||
sunlock:
|
||||
|
||||
Reference in New Issue
Block a user