    Sean> the only bug I saw was accessing packet->length after
    Sean> calling ib_post_send_mad().  The send_handler() will free
    Sean> the packet, so there's a race there.

Good catch.  Seems like the below patch is the right fix:
we start out with

        length = count - sizeof (struct ib_user_mad);

and then do

        packet->length = length;

so in

        return sizeof (struct ib_user_mad_hdr) + packet->length;

we're really just returning count -- in ib_user_mad.h, the definition
of struct ib_user_mad is:

        struct ib_user_mad {
                struct ib_user_mad_hdr hdr;
                __u8    data[0];
        };

so sizeof struct ib_user_mad == struct ib_user_mad_hdr.

Hal, am I missing something?  Was there any reason to write the return
statement like that, or is it OK to just return count directly?

 - R.


--- infiniband/core/user_mad.c  (revision 3867)
+++ infiniband/core/user_mad.c  (working copy)
@@ -414,7 +414,7 @@ static ssize_t ib_umad_write(struct file
 
        up_read(&file->agent_mutex);
 
-       return sizeof (struct ib_user_mad_hdr) + packet->length;
+       return count;
 
 err_msg:
        ib_free_send_mad(packet->msg);
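Review bot: the new `return count;` is equivalent to the old expression only because of the earlier `length = count - sizeof (struct ib_user_mad)` and `packet->length = length`, and its real purpose is to stop dereferencing `packet` after ib_post_send_mad() has handed it to send_handler(), which may already have freed it; the changelog should say so, since on its own the hunk reads like a cosmetic simplification rather than a use-after-free fix. The unchanged context between the post and the return touches only `file->agent_mutex`, not `packet`, so no other line in this hunk needs the same treatment, and the `err_msg` label below the return is reached only by the error paths above it, where the packet has not yet been posted.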
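The ownership hand-off that the thread describes, as an added example that is not part of the mailing-list message or of the OpenIB code: a stand-in `demo_post_send_mad()` takes ownership of the packet and frees it (synchronously, so the bug would show on every call instead of only when the race is lost), and the write path returns `count`, which the earlier arithmetic makes equal to the header size plus the data length, instead of reading `packet->length` after the post. All struct fields, function names and the `umad_packet` type are constructed for the demo; only the header-plus-empty-array layout mirrors `struct ib_user_mad`.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the user-space MAD header (hypothetical fields). */
struct ib_user_mad_hdr {
    uint32_t id;
    uint32_t status;
    uint32_t timeout_ms;
};

/* Same shape as the kernel's struct ib_user_mad: a fixed header followed by
 * an empty trailing array, so sizeof(*this) == sizeof(struct ib_user_mad_hdr). */
struct ib_user_mad {
    struct ib_user_mad_hdr hdr;
    unsigned char data[];
};

/* Hypothetical stand-in for the driver's send packet. */
struct umad_packet {
    size_t length;        /* bytes of MAD payload after the header */
    unsigned char *mad;   /* payload copied from user space */
};

static int completed_sends;   /* demo counter for the completion handler */

/* Stand-in for the completion handler (send_handler() in the thread):
 * the packet and its payload are released here. */
static void demo_send_handler(struct umad_packet *packet)
{
    completed_sends++;
    free(packet->mad);
    free(packet);
}

/* Stand-in for ib_post_send_mad(): takes ownership of packet.  The real
 * driver completes asynchronously; the demo completes immediately, so any
 * packet->length read after this call is a use-after-free every time. */
static int demo_post_send_mad(struct umad_packet *packet)
{
    demo_send_handler(packet);
    return 0;
}

/* Fixed write path: everything needed after the post is derived from the
 * caller-owned count before ownership of packet is handed over. */
static long demo_umad_write(const unsigned char *buf, size_t count)
{
    struct umad_packet *packet;
    size_t length;

    if (count < sizeof(struct ib_user_mad))
        return -1;                                  /* short write */
    length = count - sizeof(struct ib_user_mad);     /* as in the thread */

    packet = calloc(1, sizeof *packet);
    if (!packet)
        return -1;
    packet->length = length;
    packet->mad = malloc(length ? length : 1);
    if (!packet->mad) {
        free(packet);
        return -1;
    }
    memcpy(packet->mad, buf + sizeof(struct ib_user_mad), length);

    if (demo_post_send_mad(packet) != 0) {
        /* error path: the packet was never handed over, so it is still ours */
        free(packet->mad);
        free(packet);
        return -1;
    }

    /* packet may already be freed: return count, never
     * sizeof(struct ib_user_mad_hdr) + packet->length. */
    return count;
}

/* The identity the thread relies on: the empty array adds no size. */
static int demo_header_sizes_match(void)
{
    return sizeof(struct ib_user_mad) == sizeof(struct ib_user_mad_hdr);
}

/* Helper for callers/tests: write a constructed buffer of count bytes. */
static long demo_write_bytes(size_t count)
{
    unsigned char buf[256];
    if (count > sizeof buf)
        return -1;
    memset(buf, 0xab, count);   /* constructed payload */
    return demo_umad_write(buf, count);
}
```

Because `demo_post_send_mad()` frees the packet before returning, compiling the old expression in place of `return count;` and running it under ASan or valgrind reports the read as a heap-use-after-free on the first call, which is the simplest way to confirm the fix on a copy of the real function as well.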
_______________________________________________
openib-general mailing list
[email protected]
http://openib.org/mailman/listinfo/openib-general
