linux/drivers
Roland Dreier a3285aa4ee IB/mthca: Fix race in reference counting
Fix races in in destroying various objects.  If a destroy routine
waits for an object to become free by doing

	wait_event(&obj->wait, !atomic_read(&obj->refcount));
	/* now clean up and destroy the object */

and another place drops a reference to the object by doing

	if (atomic_dec_and_test(&obj->refcount))
		wake_up(&obj->wait);

then this is susceptible to a race where the wait_event() and final
freeing of the object occur between the atomic_dec_and_test() and the
wake_up().  And this is a use-after-free, since wake_up() will be
called on part of the already-freed object.

Fix this in mthca by replacing the atomic_t refcounts with plain old
integers protected by a spinlock.  This makes it possible to do the
decrement of the reference count and the wake_up() so that it appears
as a single atomic operation to the code waiting on the wait queue.

While touching this code, also simplify mthca_cq_clean(): the CQ being
cleaned cannot go away, because it still has a QP attached to it.  So
there's no reason to be paranoid and look up the CQ by number; it's
perfectly safe to use the pointer that the callers already have.

Signed-off-by: Roland Dreier <rolandd@cisco.com>
2006-05-09 10:50:29 -07:00
..
acorn
acpi [PATCH] x86_64: Support memory hotadd without sparsemem 2006-04-09 11:53:16 -07:00
amba
atm [PATCH] Replace 0xff.. with correct DMA_xBIT_MASK 2006-03-28 09:16:07 -08:00
base [CLASS DEVICE]: add attribute_group creation 2006-05-06 17:55:11 -07:00
block [PATCH] powerpc: Use check_legacy_ioport() on ppc32 too. 2006-04-28 21:04:55 +10:00
bluetooth [PATCH] pcmcia: use bitfield instead of p_state and state 2006-03-31 17:26:33 +02:00
cdrom [PATCH] Overrun in cdrom/aztcd.c 2006-04-11 06:18:46 -07:00
char [PATCH] genrtc: fix read on 64-bit platforms 2006-05-01 18:17:47 -07:00
connector
cpufreq [PATCH] x86_64: Move ondemand timer into own work queue 2006-05-08 09:34:56 -07:00
crypto
dio [PATCH] hp300: fix driver_register() return handling, remove dio_module_init() 2006-03-25 08:22:53 -08:00
edac [PATCH] EDAC Coexistence with BIOS 2006-05-03 20:05:41 -07:00
eisa [PATCH] EISA: Ignore generated file drivers/eisa/devlist.h 2006-03-25 08:23:01 -08:00
fc4
firmware [PATCH] DMI: move dmi_scan.c from arch/i386 to drivers/firmware/ 2006-04-14 11:41:25 -07:00
hwmon [PATCH] w83792d: Be quiet on misdetection 2006-04-14 11:18:33 -07:00
i2c [PATCH] i2c-i801: Fix resume when PEC is used 2006-04-20 07:54:04 -07:00
ide [PATCH] alim15x3: ULI M-1573 south Bridge support 2006-04-19 09:13:53 -07:00
ieee1394 [PATCH] sbp2: fix spinlock recursion 2006-04-02 12:58:09 -07:00
infiniband IB/mthca: Fix race in reference counting 2006-05-09 10:50:29 -07:00
input Merge master.kernel.org:/home/rmk/linux-2.6-arm 2006-05-04 14:52:43 -07:00
isdn [PATCH] isdn4linux: Siemens Gigaset base driver: fix disconnect handling 2006-04-22 09:19:52 -07:00
leds [PATCH] leds: reorganise Kconfig 2006-04-11 06:18:40 -07:00
macintosh [PATCH] powerpc: fix oops in alsa powermac driver 2006-04-21 22:34:26 +10:00
mca
md [PATCH] md: Fix 'rdev->nr_pending' count when retrying barrier requests 2006-05-01 18:17:42 -07:00
media [ALSA] add __devinitdata to all pci_device_id 2006-04-27 21:10:34 +02:00
message [SCSI] mptfusion - fix panic in mptsas_slave_configure 2006-04-14 09:35:12 -05:00
mfd
misc [PATCH] Make most file operations structs in fs/ const 2006-03-28 09:16:06 -08:00
mmc [MMC] Move set_ios debugging into mmc.c 2006-05-04 18:22:51 +01:00
mtd [PATCH] Remove blkmtd 2006-04-11 06:18:43 -07:00
net Merge branch 'upstream-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless-2.6 2006-05-08 16:01:20 -07:00
nubus
oprofile [PATCH] mark f_ops const in the inode 2006-03-28 09:16:05 -08:00
parisc [PARISC] Document that we tolerate "Relaxed Ordering" 2006-04-21 22:20:33 +00:00
parport [PATCH] parport_pc: fix section mismatch warnings (v2) 2006-04-19 09:13:52 -07:00
pci [PATCH] PCI quirk: VIA IRQ fixup should only run for VIA southbridges 2006-04-27 13:00:51 -07:00
pcmcia [PATCH] request_irq(): remove warnings from irq probing 2006-04-28 08:33:46 -07:00
pnp [PATCH] pnp: fix two messages in manager.c 2006-04-19 09:13:52 -07:00
rapidio
rtc [ARM] rtc-sa1100: fix compiler warnings and error cleanup 2006-05-06 11:29:21 +01:00
s390 [PATCH] s390: fix ipd handling 2006-05-01 18:17:46 -07:00
sbus
scsi [SCSI] advansys driver: limp along on x86 2006-04-29 14:27:13 -07:00
serial Merge branch 'merge' of git://git.kernel.org/pub/scm/linux/kernel/git/paulus/powerpc 2006-05-04 15:09:52 -07:00
sh
sn [PATCH] Altix: correct ioc4 port order 2006-05-03 20:05:41 -07:00
spi
tc
telephony [PATCH] pcmcia: use bitfield instead of p_state and state 2006-03-31 17:26:33 +02:00
usb [PATCH] USB: ftdi_sio: add support for ASK RDR 400 series card reader 2006-04-27 10:28:59 -07:00
video Merge git://git.kernel.org/pub/scm/linux/kernel/git/sam/kbuild 2006-05-08 09:10:44 -07:00
w1 fix typos "wich" -> "which" 2006-03-24 18:23:14 +01:00
zorro [PATCH] amiga: fix driver_register() return handling, remove zorro_module_init() 2006-03-25 08:22:53 -08:00
Kconfig [IA64] IOC4 config option ordering 2006-04-21 10:59:00 -07:00
Makefile Merge branch 'for-linus' of master.kernel.org:/pub/scm/linux/kernel/git/roland/infiniband 2006-04-02 12:51:22 -07:00