Discovered by Ali Ayoub:
mthca_array_clear does not clear the slot if the used count is
positive. This leads to crashes in mthca_qp_event since that uses
mthca_array_get to check that the qp is valid.

Signed-off-by: Michael S. Tsirkin <[EMAIL PROTECTED]>

diff --git a/drivers/infiniband/hw/mthca/mthca_allocator.c 
b/drivers/infiniband/hw/mthca/mthca_allocator.c
index 9ba3211..848e583 100644
--- a/drivers/infiniband/hw/mthca/mthca_allocator.c
+++ b/drivers/infiniband/hw/mthca/mthca_allocator.c
@@ -144,7 +144,9 @@ void mthca_array_clear(struct mthca_arra
        if (--array->page_list[p].used == 0) {
                free_page((unsigned long) array->page_list[p].page);
                array->page_list[p].page = NULL;
-       }
+       } else
+               array->page_list[p].page[index & (PAGE_SIZE /
+                                                 sizeof (void *) - 1)] = NULL;
 
        if (array->page_list[p].used < 0)
                pr_debug("Array %p index %d page %d with ref count %d < 0\n",
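Review bot: The new else branch also runs when the decrement takes used below zero, which is the case the pr_debug just after it anticipates. If that page was already released by an earlier clear, array->page_list[p].page is NULL at that point and the store through page[...] dereferences it, so an unbalanced clear that used to be a harmless debug message becomes a NULL pointer write. Consider guarding the store with "else if (array->page_list[p].used > 0)", or clearing the slot before the decrement while the page is known to be present. Two smaller points: the else should carry braces to match the braced if branch, and the mask expression "index & (PAGE_SIZE / sizeof (void *) - 1)" would be easier to keep consistent with the get/set paths if it were a named macro.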

-- 
MST
