1. 27 Feb, 2009 3 commits
    • IB/mad: initialize mad_agent_priv before putting on lists · d9620a4c
      Ralph Campbell authored
      There is a potential race in ib_register_mad_agent() where the struct
      ib_mad_agent_private is not fully initialized before it is added to
      the list of agents per IB port. This means the ib_mad_agent_private
      could be seen before the refcount, spin locks, and linked lists are
      initialized.  The fix is to initialize the structure earlier.
      Signed-off-by: Ralph Campbell <ralph.campbell@qlogic.com>
      Signed-off-by: Roland Dreier <rolandd@cisco.com>
    • IB/mad: Fix null pointer dereference in local_completions() · 1d9bc6d6
      Ralph Campbell authored
      handle_outgoing_dr_smp() can queue a struct ib_mad_local_private
      *local on the mad_agent_priv->local_work work queue with
      local->mad_priv == NULL if device->process_mad() returns
      IB_MAD_RESULT_SUCCESS | IB_MAD_RESULT_REPLY and
      (!ib_response_mad(&mad_priv->mad.mad) ||
      !mad_agent_priv->agent.recv_handler).
      
      In this case, local_completions() will be called with local->mad_priv
      == NULL. The code does check for this case and skips calling
      recv_mad_agent->agent.recv_handler() but recv == 0 so
      kmem_cache_free() is called with a NULL pointer.
      
      Also, since recv isn't reinitialized each time through the loop, it
      can cause a memory leak if recv should have been zero.
      Signed-off-by: Ralph Campbell <ralph.campbell@qlogic.com>
    • IB/mad: Fix RMPP header RRespTime manipulation · 7020cb0f
      Ramachandra K authored
      Fix ib_set_rmpp_flags() to use the correct bit mask for RRespTime.  In
      the 8-bit field of the RMPP header, the first 5 bits are RRespTime and
      next 3 bits are RMPPFlags. Hence to retain the first 5 bits, the mask
      should be 0xF8 instead of 0xF1.
      
      ack_recv()-->format_ack() calls ib_set_rmpp_flags() and due to the
      incorrect ANDing with 0xF1, RRespTime got changed incorrectly and RMPP
      Acks sent back always had a RRespTime of 0x1E (30) which caused the
      other end to consider the time outs to be approximately 4297 seconds
      (i.e. in the order of 4*2^30) instead of the usual ~4 seconds (order
      of 4*2^20).
      Signed-off-by: Ramachandra K <ramachandra.kuchimanchi@qlogic.com>
      Acked-by: Sean Hefty <sean.hefty@intel.com>
      Signed-off-by: Roland Dreier <rolandd@cisco.com>
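      The following is an added example, not code from the commit or from the kernel's ib_mad.h, that works through the bit layout described in the commit message above: an 8-bit field whose upper 5 bits are RRespTime and lower 3 bits are RMPPFlags. The function and macro names (set_rmpp_flags_with_mask, count_rtime_corruptions, and so on) are this example's own; the starting RRespTime value of 0x1F is a constructed input chosen because, with the 0xF1 mask, it yields the 0x1E the commit reports. The exhaustive check goes beyond the single observed symptom and counts every (RRespTime, old flags, new flags) combination a given mask corrupts, which is the kind of table-driven check a reviewer would want for any bit-mask fix.

```c
/* Added example (not kernel code): why the RRespTime-preserving mask in an
 * ib_set_rmpp_flags()-style helper must be 0xF8 and what 0xF1 does instead.
 * All identifiers below are this example's own assumptions. */
#include <stdint.h>
#include <stdio.h>

/* Layout of the one-byte rtime/flags field in the RMPP header (from the
 * commit message):  bits 7..3 = RRespTime (5 bits), bits 2..0 = RMPPFlags. */
#define RTIME_MASK_CORRECT 0xF8u   /* 1111 1000: keeps all five RRespTime bits */
#define RTIME_MASK_BUGGY   0xF1u   /* 1111 0001: drops RRespTime bit 0, keeps flag bit 0 */
#define RMPP_FLAGS_MASK    0x07u

/* Setter in the shape of the buggy/fixed helper: keep the bits selected by
 * rtime_mask from the old byte, then overwrite the 3 flag bits. */
static uint8_t set_rmpp_flags_with_mask(uint8_t rtime_flags, uint8_t flags,
                                        uint8_t rtime_mask)
{
    return (uint8_t)((rtime_flags & rtime_mask) | (flags & RMPP_FLAGS_MASK));
}

static uint8_t get_rmpp_resptime(uint8_t rtime_flags) { return (uint8_t)(rtime_flags >> 3); }
static uint8_t get_rmpp_flags(uint8_t rtime_flags)    { return (uint8_t)(rtime_flags & RMPP_FLAGS_MASK); }

/* Reproduce the reported symptom: a header whose RRespTime is 0x1F
 * (constructed input, the maximum 5-bit value) gets its flags rewritten.
 * Returns the RRespTime left in the byte afterwards. */
static uint8_t resptime_after_set(uint8_t rtime_mask)
{
    uint8_t hdr = (uint8_t)((0x1Fu << 3) | 0x7u);      /* RRespTime 0x1F, all flags set */
    uint8_t ack = set_rmpp_flags_with_mask(hdr, 0x1u, rtime_mask);
    return get_rmpp_resptime(ack);                      /* 0x1F with 0xF8, 0x1E with 0xF1 */
}

/* Exhaustive check: over every RRespTime value and every old/new flag
 * combination, count the cases where the setter either changes RRespTime or
 * fails to install exactly the requested flags. A correct mask yields 0. */
static unsigned count_rtime_corruptions(uint8_t rtime_mask)
{
    unsigned bad = 0;
    for (unsigned rtime = 0; rtime < 32; rtime++)
        for (unsigned old_flags = 0; old_flags < 8; old_flags++)
            for (unsigned new_flags = 0; new_flags < 8; new_flags++) {
                uint8_t before = (uint8_t)((rtime << 3) | old_flags);
                uint8_t after  = set_rmpp_flags_with_mask(before, (uint8_t)new_flags, rtime_mask);
                if (get_rmpp_resptime(after) != rtime || get_rmpp_flags(after) != new_flags)
                    bad++;
            }
    return bad;
}

/* Timeout magnitude as the commit message states it: on the order of
 * 4 * 2^RRespTime microseconds (an approximation, used here only to show the
 * 2^10 gap between RRespTime 20 and 30). */
static unsigned long long rtime_timeout_usec_approx(uint8_t rtime)
{
    return 4ULL << rtime;
}

int main(void)
{
    printf("mask 0xF8: RRespTime after set = 0x%02X, corrupt cases = %u\n",
           resptime_after_set(RTIME_MASK_CORRECT), count_rtime_corruptions(RTIME_MASK_CORRECT));
    printf("mask 0xF1: RRespTime after set = 0x%02X, corrupt cases = %u\n",
           resptime_after_set(RTIME_MASK_BUGGY), count_rtime_corruptions(RTIME_MASK_BUGGY));
    printf("~timeout at RRespTime 20: %llu us, at 30: %llu us\n",
           rtime_timeout_usec_approx(20), rtime_timeout_usec_approx(30));
    return 0;
}
```

      With the buggy mask, every odd RRespTime loses its low bit and a stale low flag bit survives whenever the caller tries to clear it, so 1280 of the 2048 possible combinations come out wrong; with 0xF8 none do.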
  2. 17 Jan, 2009 5 commits
  3. 16 Jan, 2009 32 commits