Commit bd18c112 authored by Michael S. Tsirkin's avatar Michael S. Tsirkin Committed by Roland Dreier

IB/mthca: Set cleaned CQEs back to HW ownership when cleaning CQ

mthca_cq_clean() updates the CQ consumer index without moving CQEs
back to HW ownership.  As a result, the same WRID might get reported
twice, resulting in a use-after-free.  This was observed in IPoIB CM.
Fix by moving all freed CQEs to HW ownership.

This fixes <https://bugs.openfabrics.org/show_bug.cgi?id=617>
Signed-off-by: default avatarMichael S. Tsirkin <mst@dev.mellanox.co.il>
Signed-off-by: default avatarRoland Dreier <rolandd@cisco.com>
parent 3e28c56b
...@@ -284,7 +284,7 @@ void mthca_cq_clean(struct mthca_dev *dev, struct mthca_cq *cq, u32 qpn, ...@@ -284,7 +284,7 @@ void mthca_cq_clean(struct mthca_dev *dev, struct mthca_cq *cq, u32 qpn,
{ {
struct mthca_cqe *cqe; struct mthca_cqe *cqe;
u32 prod_index; u32 prod_index;
int nfreed = 0; int i, nfreed = 0;
spin_lock_irq(&cq->lock); spin_lock_irq(&cq->lock);
...@@ -321,6 +321,8 @@ void mthca_cq_clean(struct mthca_dev *dev, struct mthca_cq *cq, u32 qpn, ...@@ -321,6 +321,8 @@ void mthca_cq_clean(struct mthca_dev *dev, struct mthca_cq *cq, u32 qpn,
} }
if (nfreed) { if (nfreed) {
for (i = 0; i < nfreed; ++i)
set_cqe_hw(get_cqe(cq, (cq->cons_index + i) & cq->ibcq.cqe));
wmb(); wmb();
cq->cons_index += nfreed; cq->cons_index += nfreed;
update_cons_index(dev, cq, nfreed); update_cons_index(dev, cq, nfreed);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment