1. 26 1月, 2008 10 次提交
  2. 25 1月, 2008 2 次提交
  3. 31 10月, 2007 1 次提交
  4. 24 10月, 2007 1 次提交
  5. 23 10月, 2007 1 次提交
  6. 20 10月, 2007 1 次提交
    • R
      IB/uverbs: Fix checking of userspace object ownership · cbfb50e6
      Roland Dreier 提交于
          
      Commit 9ead190b ("IB/uverbs: Don't serialize with ib_uverbs_idr_mutex")
      rewrote how userspace objects are looked up in the uverbs module's
      idrs, and introduced a severe bug in the process: there is no checking
      that an operation is being performed by the right process any more.
      Fix this by adding the missing check of uobj->context in __idr_get_uobj().
      
      Apparently everyone is being very careful to only touch their own
      objects, because this bug was introduced in June 2006 in 2.6.18, and
      has gone undetected until now.
      
      Cc: stable <stable@kernel.org>
      Signed-off-by: NRoland Dreier <rolandd@cisco.com>
      cbfb50e6
  7. 19 10月, 2007 1 次提交
  8. 17 10月, 2007 2 次提交
    • S
      RDMA/cma: Fix deadlock destroying listen requests · d02d1f53
      Sean Hefty 提交于
      Deadlock condition reported by Kanoj Sarcar <kanoj@netxen.com>.
      The deadlock occurs when a connection request arrives at the same
      time that a wildcard listen is being destroyed.
      
      A wildcard listen maintains per device listen requests for each
      RDMA device in the system.  The per device listens are automatically
      added and removed when RDMA devices are inserted or removed from
      the system.
      
      When a wildcard listen is destroyed, rdma_destroy_id() acquires
      the rdma_cm's device mutex ('lock') to protect against hot-plug
      events adding or removing per device listens.  It then tries to
      destroy the per device listens by calling ib_destroy_cm_id() or
      iw_destroy_cm_id().  It does this while holding the device mutex.
      
      However, if the underlying iw/ib CM reports a connection request
      while this is occurring, the rdma_cm callback function will try
      to acquire the same device mutex.  Since we're in a callback,
      the ib_destroy_cm_id() or iw_destroy_cm_id() calls will block until
      their callback thread returns, but the callback is blocked waiting for
      the device mutex.
      
      Fix this by re-working how per device listens are destroyed.  Use
      rdma_destroy_id(), which avoids the deadlock, in place of
      cma_destroy_listen().  Additional synchronization is added to handle
      device hot-plug events and ensure that the id is not destroyed twice.
      Signed-off-by: NSean Hefty <sean.hefty@intel.com>
      Signed-off-by: NRoland Dreier <rolandd@cisco.com>
      d02d1f53
    • S
      RDMA/cma: Add locking around QP accesses · c5483388
      Sean Hefty 提交于
      If a user allocates a QP on an rdma_cm_id, the rdma_cm will automatically
      transition the QP through its states (RTR, RTS, error, etc.)  While the
      QP state transitions are occurring, the QP itself must remain valid.
      Provide locking around the QP pointer to prevent its destruction while
      accessing the pointer.
      
      This fixes an issue reported by Olaf Kirch from Oracle that resulted in
      a system crash:
      
      "An incoming connection arrives and we decide to tear down the nascent
       connection.  The remote ends decides to do the same.  We start to shut
       down the connection, and call rdma_destroy_qp on our cm_id. ... Now
       apparently a 'connect reject' message comes in from the other host,
       and cma_ib_handler() is called with an event of IB_CM_REJ_RECEIVED.
       It calls cma_modify_qp_err, which for some odd reason tries to modify
       the exact same QP we just destroyed."
      Signed-off-by: NSean Hefty <sean.hefty@intel.com>
      Signed-off-by: NRoland Dreier <rolandd@cisco.com>
      c5483388
  9. 13 10月, 2007 1 次提交
    • K
      Driver core: change add_uevent_var to use a struct · 7eff2e7a
      Kay Sievers 提交于
      This changes the uevent buffer functions to use a struct instead of a
      long list of parameters. It does no longer require the caller to do the
      proper buffer termination and size accounting, which is currently wrong
      in some places. It fixes a known bug where parts of the uevent
      environment are overwritten because of wrong index calculations.
      
      Many thanks to Mathieu Desnoyers for finding bugs and improving the
      error handling.
      Signed-off-by: NKay Sievers <kay.sievers@vrfy.org>
      Cc: Mathieu Desnoyers <mathieu.desnoyers@polymtl.ca>
      Cc: Cornelia Huck <cornelia.huck@de.ibm.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@suse.de>
      
      7eff2e7a
  10. 11 10月, 2007 1 次提交
  11. 10 10月, 2007 14 次提交
  12. 04 8月, 2007 5 次提交