• Julian Wiedmann's avatar
    s390/qeth: don't clobber buffer on async TX completion · ce28867f
    Julian Wiedmann authored
    If qeth_qdio_output_handler() detects that a transmit requires async
    completion, it replaces the pending buffer's metadata object
    (qeth_qdio_out_buffer) so that this queue buffer can be re-used while
    the data is pending completion.
    
    Later when the CQ indicates async completion of such a metadata object,
    qeth_qdio_cq_handler() tries to free any data associated with this
    object (since HW has now completed the transfer). By calling
    qeth_clear_output_buffer(), it erronously operates on the queue buffer
    that _previously_ belonged to this transfer ... but which has been
    potentially re-used several times by now.
    This results in double-free's of the buffer's data, and failing
    transmits as the buffer descriptor is scrubbed in mid-air.
    
    The correct way of handling this situation is to
    1. scrub the queue buffer when it is prepared for re-use, and
    2. later obtain the data addresses from the async-completion notifier
       (ie. the AOB), instead of the queue buffer.
    
    All this only affects qeth devices used for af_iucv HiperTransport.
    
    Fixes: 0da9581d ("qeth: exploit asynchronous delivery of storage blocks")
    Signed-off-by: default avatarJulian Wiedmann <jwi@linux.ibm.com>
    Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    ce28867f
qeth_core_main.c 181 KB