git.baikalelectronics.ru Git - kernel.git/commit

author	Julian Wiedmann <jwi@linux.ibm.com>
	Fri, 29 Jun 2018 17:45:53 +0000 (19:45 +0200)
committer	David S. Miller <davem@davemloft.net>
	Sat, 30 Jun 2018 12:19:48 +0000 (21:19 +0900)
commit	e614b807505ff987cb8b681aada4ea176288b172
tree	d0adb3b90977c45f998bcd940996cc1462a1906b	tree \| snapshot
parent	f81716a35d6817c5ee04fbc99d7a5fdd101d65f5	commit \| diff

s390/qeth: don't clobber buffer on async TX completion

If qeth_qdio_output_handler() detects that a transmit requires async
completion, it replaces the pending buffer's metadata object
(qeth_qdio_out_buffer) so that this queue buffer can be re-used while
the data is pending completion.

Later when the CQ indicates async completion of such a metadata object,
qeth_qdio_cq_handler() tries to free any data associated with this
object (since HW has now completed the transfer). By calling
qeth_clear_output_buffer(), it erronously operates on the queue buffer
that _previously_ belonged to this transfer ... but which has been
potentially re-used several times by now.
This results in double-free's of the buffer's data, and failing
transmits as the buffer descriptor is scrubbed in mid-air.

The correct way of handling this situation is to
1. scrub the queue buffer when it is prepared for re-use, and
2. later obtain the data addresses from the async-completion notifier
(ie. the AOB), instead of the queue buffer.

All this only affects qeth devices used for af_iucv HiperTransport.

Fixes: a6784ace8198 ("qeth: exploit asynchronous delivery of storage blocks")
Signed-off-by: Julian Wiedmann <jwi@linux.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

drivers/s390/net/qeth_core.h		diff \| blob \| history
drivers/s390/net/qeth_core_main.c		diff \| blob \| history