svn commit: r315868 - stable/10/sys/dev/cxgbe/iw_cxgbe

Navdeep Parhar np at FreeBSD.org
Thu Mar 23 20:23:02 UTC 2017


Author: np
Date: Thu Mar 23 20:23:00 2017
New Revision: 315868
URL: https://svnweb.freebsd.org/changeset/base/315868

Log:
  MFC r314814 and r315325.
  
  r314814:
  cxgbe/iw_cxgbe: Abort connection if there is an error during c4iw_modify_qp.
  
  r315325:
  cxgbe/iw_cxgbe: Use the socket and not the toepcb to reach for the
  inpcb.  t4_tom detaches the inpcb from the toepcb as soon as the
  hardware is done with the connection (in final_cpl_received) but the
  socket is around as long as the cm_id and the rest of iWARP state is.
  
  This fixes an intermittent NULL dereference during abort.

Modified:
  stable/10/sys/dev/cxgbe/iw_cxgbe/qp.c
Directory Properties:
  stable/10/   (props changed)

Modified: stable/10/sys/dev/cxgbe/iw_cxgbe/qp.c
==============================================================================
--- stable/10/sys/dev/cxgbe/iw_cxgbe/qp.c	Thu Mar 23 19:54:41 2017	(r315867)
+++ stable/10/sys/dev/cxgbe/iw_cxgbe/qp.c	Thu Mar 23 20:23:00 2017	(r315868)
@@ -63,7 +63,7 @@ struct rss_header;
 #include "iw_cxgbe.h"
 #include "user.h"
 
-static void creds(struct toepcb *toep, size_t wrsize);
+static int creds(struct toepcb *toep, struct inpcb *inp, size_t wrsize);
 
 
 static void set_state(struct c4iw_qp *qhp, enum c4iw_qp_state state)
@@ -960,6 +960,7 @@ static inline void build_term_codes(stru
 static void post_terminate(struct c4iw_qp *qhp, struct t4_cqe *err_cqe,
 			   gfp_t gfp)
 {
+	int ret;
 	struct fw_ri_wr *wqe;
 	struct terminate_message *term;
 	struct wrqe *wr;
@@ -990,7 +991,11 @@ static void post_terminate(struct c4iw_q
 		term->ecode = qhp->attr.ecode;
 	} else
 		build_term_codes(err_cqe, &term->layer_etype, &term->ecode);
-        creds(toep, sizeof(*wqe));
+	ret = creds(toep, inp, sizeof(*wqe));
+	if (ret) {
+		free_wrqe(wr);
+		return;
+	}
 	t4_wrq_tx(qhp->rhp->rdev.adap, wr);
 }
 
@@ -1093,7 +1098,11 @@ rdma_fini(struct c4iw_dev *rhp, struct c
 
 	c4iw_init_wr_wait(&ep->com.wr_wait);
 
-        creds(toep, sizeof(*wqe));
+	ret = creds(toep, inp, sizeof(*wqe));
+	if (ret) {
+		free_wrqe(wr);
+		return ret;
+	}
 	t4_wrq_tx(sc, wr);
 
 	ret = c4iw_wait_for_reply(rdev, &ep->com.wr_wait, ep->hwtid,
@@ -1126,13 +1135,17 @@ static void build_rtr_msg(u8 p2p_type, s
 	}
 }
 
-static void
-creds(struct toepcb *toep, size_t wrsize)
+static int
+creds(struct toepcb *toep, struct inpcb *inp, size_t wrsize)
 {
 	struct ofld_tx_sdesc *txsd;
 
 	CTR3(KTR_IW_CXGBE, "%s:creB  %p %u", __func__, toep , wrsize);
-	INP_WLOCK(toep->inp);
+	INP_WLOCK(inp);
+	if ((inp->inp_flags & (INP_DROPPED | INP_TIMEWAIT)) != 0) {
+		INP_WUNLOCK(inp);
+		return (EINVAL);
+	}
 	txsd = &toep->txsd[toep->txsd_pidx];
 	txsd->tx_credits = howmany(wrsize, 16);
 	txsd->plen = 0;
@@ -1142,9 +1155,10 @@ creds(struct toepcb *toep, size_t wrsize
 	if (__predict_false(++toep->txsd_pidx == toep->txsd_total))
 		toep->txsd_pidx = 0;
 	toep->txsd_avail--;
-	INP_WUNLOCK(toep->inp);
+	INP_WUNLOCK(inp);
 	CTR5(KTR_IW_CXGBE, "%s:creE  %p %u %u %u", __func__, toep ,
 	    txsd->tx_credits, toep->tx_credits, toep->txsd_pidx);
+	return (0);
 }
 
 static int rdma_init(struct c4iw_dev *rhp, struct c4iw_qp *qhp)
@@ -1215,7 +1229,11 @@ static int rdma_init(struct c4iw_dev *rh
 
 	c4iw_init_wr_wait(&ep->com.wr_wait);
 
-	creds(toep, sizeof(*wqe));
+	ret = creds(toep, inp, sizeof(*wqe));
+	if (ret) {
+		free_wrqe(wr);
+		return ret;
+	}
 	t4_wrq_tx(sc, wr);
 
 	ret = c4iw_wait_for_reply(rdev, &ep->com.wr_wait, ep->hwtid,
@@ -1426,6 +1444,7 @@ err:
 	qhp->ep = NULL;
 	set_state(qhp, C4IW_QP_STATE_ERROR);
 	free = 1;
+	abort = 1;
 	BUG_ON(!ep);
 	flush_qp(qhp);
 	wake_up(&qhp->wait);


More information about the svn-src-stable-10 mailing list