IB/ipoib: Fix RCU pointer dereference of wrong object
author Shlomo Pongratz <shlomop@mellanox.com>
Mon, 13 Aug 2012 14:39:50 +0000 (14:39 +0000)
committer Roland Dreier <roland@purestorage.com>
Tue, 14 Aug 2012 22:21:44 +0000 (15:21 -0700)
Commit b63b70d87741 ("IPoIB: Use a private hash table for path lookup
in xmit path") introduced a bug where in ipoib_neigh_free() (which is
called from a few error flows in the driver), rcu_dereference() is
invoked with the wrong pointer object, which results in a crash.

Signed-off-by: Shlomo Pongratz <shlomop@mellanox.com>
Signed-off-by: Or Gerlitz <ogerlitz@mellanox.com>
Signed-off-by: Roland Dreier <roland@purestorage.com>
drivers/infiniband/ulp/ipoib/ipoib_main.c

index 97920b77a5d0abe2f378ed060aa8243a2c5c33e7..3e2085a3ee474fc0111c7034ca013bfda7d63d7e 100644 (file)
@@ -1052,7 +1052,7 @@ void ipoib_neigh_free(struct ipoib_neigh *neigh)
        for (n = rcu_dereference_protected(*np,
                                            lockdep_is_held(&ntbl->rwlock));
             n != NULL;
-            n = rcu_dereference_protected(neigh->hnext,
+            n = rcu_dereference_protected(*np,
                                        lockdep_is_held(&ntbl->rwlock))) {
                if (n == neigh) {
                        /* found */
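Review bot: The new step expression `n = rcu_dereference_protected(*np,` on the `+` line only makes progress if the loop body moves `np` forward on the path where `n != neigh`, and that assignment is outside the visible context. Please confirm the not-found branch advances `np`; otherwise the loop rereads the same slot indefinitely while `ntbl->rwlock` is held. The commit message would also be easier to audit if it named the wrong object: the old step read `neigh->hnext`, which belongs to the entry being freed and does not change across iterations, so it never walked the bucket that `*np` points into.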