Commit:     b61d92d8ae6aa13b17d1c31e69d123879cec2ee2
Parent:     9af57b7a2702f2cdf6ae499612e90b0f84bcb393
Author:     Sean Hefty <[EMAIL PROTECTED]>
AuthorDate: Fri Nov 30 17:30:18 2007 -0800
Committer:  Roland Dreier <[EMAIL PROTECTED]>
CommitDate: Fri Jan 25 14:15:31 2008 -0800

    IB/mad: Fix incorrect access to items on local_list
    In cancel_mads(), MADs are moved from the wait_list and local_list
    to a cancel_list for processing.  However, the structures on these two
    lists are not the same.  The wait_list references struct
    ib_mad_send_wr_private, but local_list references struct
    ib_mad_local_private.  Cancel_mads() treats all items moved to the
    cancel_list as struct ib_mad_send_wr_private.  This leads to a system
    crash when requests are moved from the local_list to the cancel_list.
    Fix this by leaving local_list alone.  All requests on the local_list
    have completed are just awaiting processing by a queued worker thread.
    Bug (crash) reported by Dotan Barak <[EMAIL PROTECTED]>.
    Problem with local_list access reported by Robert Reynolds
    Signed-off-by: Sean Hefty <[EMAIL PROTECTED]>
    Signed-off-by: Roland Dreier <[EMAIL PROTECTED]>
 drivers/infiniband/core/mad.c |    2 --
 1 files changed, 0 insertions(+), 2 deletions(-)

diff --git a/drivers/infiniband/core/mad.c b/drivers/infiniband/core/mad.c
index 5eace99..fbe16d5 100644
--- a/drivers/infiniband/core/mad.c
+++ b/drivers/infiniband/core/mad.c
@@ -2275,8 +2275,6 @@ static void cancel_mads(struct ib_mad_agent_private 
        /* Empty wait list to prevent receives from finding a request */
        list_splice_init(&mad_agent_priv->wait_list, &cancel_list);
-       /* Empty local completion list as well */
-       list_splice_init(&mad_agent_priv->local_list, &cancel_list);
        spin_unlock_irqrestore(&mad_agent_priv->lock, flags);
        /* Report all cancelled requests */
