net/smc: use after free fix in smc_wr_tx_put_slot()

[uclinux-h8/linux.git] / net / smc / smc_wr.c

diff --git a/net/smc/smc_wr.c b/net/smc/smc_wr.c
index f856b84..c269475 100644 (file)
--- a/net/smc/smc_wr.c
+++ b/net/smc/smc_wr.c
@@ -215,12 +215,14 @@ int smc_wr_tx_put_slot(struct smc_link *link,
 
        pend = container_of(wr_pend_priv, struct smc_wr_tx_pend, priv);
        if (pend->idx < link->wr_tx_cnt) {
+               u32 idx = pend->idx;
+
                /* clear the full struct smc_wr_tx_pend including .priv */
                memset(&link->wr_tx_pends[pend->idx], 0,
                       sizeof(link->wr_tx_pends[pend->idx]));
                memset(&link->wr_tx_bufs[pend->idx], 0,
                       sizeof(link->wr_tx_bufs[pend->idx]));
-               test_and_clear_bit(pend->idx, link->wr_tx_mask);
+               test_and_clear_bit(idx, link->wr_tx_mask);
                return 1;
        }
 
@@ -232,15 +234,13 @@ int smc_wr_tx_put_slot(struct smc_link *link,
  */
 int smc_wr_tx_send(struct smc_link *link, struct smc_wr_tx_pend_priv *priv)
 {
-       struct ib_send_wr *failed_wr = NULL;
        struct smc_wr_tx_pend *pend;
        int rc;
 
        ib_req_notify_cq(link->smcibdev->roce_cq_send,
                         IB_CQ_NEXT_COMP | IB_CQ_REPORT_MISSED_EVENTS);
        pend = container_of(priv, struct smc_wr_tx_pend, priv);
-       rc = ib_post_send(link->roce_qp, &link->wr_tx_ibs[pend->idx],
-                         &failed_wr);
+       rc = ib_post_send(link->roce_qp, &link->wr_tx_ibs[pend->idx], NULL);
        if (rc) {
                smc_wr_tx_put_slot(link, priv);
                smc_lgr_terminate(smc_get_lgr(link));
@@ -251,7 +251,6 @@ int smc_wr_tx_send(struct smc_link *link, struct smc_wr_tx_pend_priv *priv)
 /* Register a memory region and wait for result. */
 int smc_wr_reg_send(struct smc_link *link, struct ib_mr *mr)
 {
-       struct ib_send_wr *failed_wr = NULL;
        int rc;
 
        ib_req_notify_cq(link->smcibdev->roce_cq_send,
@@ -260,9 +259,7 @@ int smc_wr_reg_send(struct smc_link *link, struct ib_mr *mr)
        link->wr_reg.wr.wr_id = (u64)(uintptr_t)mr;
        link->wr_reg.mr = mr;
        link->wr_reg.key = mr->rkey;
-       failed_wr = &link->wr_reg.wr;
-       rc = ib_post_send(link->roce_qp, &link->wr_reg.wr, &failed_wr);
-       WARN_ON(failed_wr != &link->wr_reg.wr);
+       rc = ib_post_send(link->roce_qp, &link->wr_reg.wr, NULL);
        if (rc)
                return rc;