From: Roland Dreier Date: Sun, 30 Oct 2005 21:07:03 +0000 (-0800) Subject: [IB] mthca: Avoid SRQ free WQE list corruption X-Git-Tag: v2.6.15-rc1~726^2~2^2~8 X-Git-Url: https://err.no/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e5b251a24a9cd34a7ef98e361eb94e7ab122a554;p=linux-2.6 [IB] mthca: Avoid SRQ free WQE list corruption Fix wqe_to_link() to use a structure field that we know is definitely always unused for receive work requests, so that it really avoids the free list corruption bug that the comment claims it does. Signed-off-by: Roland Dreier --- diff --git a/drivers/infiniband/hw/mthca/mthca_srq.c b/drivers/infiniband/hw/mthca/mthca_srq.c index 64f70aa1b3..292f55be8c 100644 --- a/drivers/infiniband/hw/mthca/mthca_srq.c +++ b/drivers/infiniband/hw/mthca/mthca_srq.c @@ -75,15 +75,16 @@ static void *get_wqe(struct mthca_srq *srq, int n) /* * Return a pointer to the location within a WQE that we're using as a - * link when the WQE is in the free list. We use an offset of 4 - * because in the Tavor case, posting a WQE may overwrite the first - * four bytes of the previous WQE. The offset avoids corrupting our - * free list if the WQE has already completed and been put on the free - * list when we post the next WQE. + * link when the WQE is in the free list. We use the imm field + * because in the Tavor case, posting a WQE may overwrite the next + * segment of the previous WQE, but a receive WQE will never touch the + * imm field. This avoids corrupting our free list if the previous + * WQE has already completed and been put on the free list when we + * post the next WQE. */ static inline int *wqe_to_link(void *wqe) { - return (int *) (wqe + 4); + return (int *) (wqe + offsetof(struct mthca_next_seg, imm)); } static void mthca_tavor_init_srq_context(struct mthca_dev *dev,