Description: qeth: don't clobber buffer on async TX completion
Symptom: Failing transmissions on af_iucv HiperTransport socket.
Problem: If qeth_qdio_output_handler() detects that a transmit requires async completion, it replaces the pending buffer's metadata object (qeth_qdio_out_buffer) so that this queue buffer can be re-used while the data is pending completion.
Later when the CQ indicates async completion of such a metadata object, qeth_qdio_cq_handler() tries to free any
data associated with this object (since HW has now completed
the transfer). By calling qeth_clear_output_buffer(), it erronously operates on the queue buffer that _previously_ belonged to this transfer ... but which has been potentially re-used several times by now. This results in double-free's
of the buffer's data, and failing transmits as the buffer descriptor is scrubbed in mid-air.
Solution: First only scrub the queue buffer when it is prepared
for re-use, and later obtain the data addresses from
the async-completion notifier (ie. the AOB), instead
of the queue buffer.
Reproduction: Heavy multi-connection workload on an af_iucv HiperTransport socket.
Description: qeth: don't clobber buffer on async TX completion
Symptom: Failing transmissions on af_iucv HiperTransport socket.
Problem: If qeth_qdio_ output_ handler( ) detects that a transmit
requires async completion, it replaces the pending buffer's
metadata object (qeth_qdio_ out_buffer) so that this queue
buffer can be re-used while the data is pending completion.
metadata object, qeth_qdio_ cq_handler( ) tries to free any output_ buffer( ), it
erronously operates on the queue buffer that _previously_
belonged to this transfer ... but which has been potentially
re-used several times by now. This results in double-free's
descriptor is scrubbed in mid-air.
Later when the CQ indicates async completion of such a
data associated with this object (since HW has now completed
the transfer). By calling qeth_clear_
of the buffer's data, and failing transmits as the buffer
Solution: First only scrub the queue buffer when it is prepared
for re-use, and later obtain the data addresses from
the async-completion notifier (ie. the AOB), instead
of the queue buffer.
Reproduction: Heavy multi-connection workload on an af_iucv
HiperTransport socket.
Upstream-ID: ce28867fd20c23c d769e78b4d619c4 755bf71a1c
Kernel 4.18
Will be introduced with kernel 4.18 in Cosmic.
But should also be applied to Bionic and Xenial