Author: np
Date: Wed Mar 15 19:10:04 2017
New Revision: 315325
URL: https://svnweb.freebsd.org/changeset/base/315325
Log:
cxgbe/iw_cxgbe: Use the socket and not the toepcb to reach for the
inpcb. t4_tom detaches the inpcb from the toepcb as soon as the
hardware is done with the connection (in final_cpl_received) but the
socket is around as long as the cm_id and the rest of iWARP state is.
This fixes an intermittent NULL dereference during abort.
Submitted by: KrishnamRaju ErapaRaju @ Chelsio
MFC after: 3 days
Sponsored by: Chelsio Communications
Modified:
head/sys/dev/cxgbe/iw_cxgbe/qp.c
Modified: head/sys/dev/cxgbe/iw_cxgbe/qp.c
==============================================================================
--- head/sys/dev/cxgbe/iw_cxgbe/qp.c Wed Mar 15 18:57:18 2017
(r315324)
+++ head/sys/dev/cxgbe/iw_cxgbe/qp.c Wed Mar 15 19:10:04 2017
(r315325)
@@ -64,7 +64,7 @@ struct cpl_set_tcb_rpl;
#include "iw_cxgbe.h"
#include "user.h"
-static void creds(struct toepcb *toep, size_t wrsize);
+static int creds(struct toepcb *toep, struct inpcb *inp, size_t wrsize);
static void set_state(struct c4iw_qp *qhp, enum c4iw_qp_state state)
@@ -961,6 +961,7 @@ static inline void build_term_codes(stru
static void post_terminate(struct c4iw_qp *qhp, struct t4_cqe *err_cqe,
gfp_t gfp)
{
+ int ret;
struct fw_ri_wr *wqe;
struct terminate_message *term;
struct wrqe *wr;
@@ -991,7 +992,11 @@ static void post_terminate(struct c4iw_q
term->ecode = qhp->attr.ecode;
} else
build_term_codes(err_cqe, &term->layer_etype, &term->ecode);
- creds(toep, sizeof(*wqe));
+ ret = creds(toep, inp, sizeof(*wqe));
+ if (ret) {
+ free_wrqe(wr);
+ return;
+ }
t4_wrq_tx(qhp->rhp->rdev.adap, wr);
}
@@ -1094,7 +1099,11 @@ rdma_fini(struct c4iw_dev *rhp, struct c
c4iw_init_wr_wait(&ep->com.wr_wait);
- creds(toep, sizeof(*wqe));
+ ret = creds(toep, inp, sizeof(*wqe));
+ if (ret) {
+ free_wrqe(wr);
+ return ret;
+ }
t4_wrq_tx(sc, wr);
ret = c4iw_wait_for_reply(rdev, &ep->com.wr_wait, ep->hwtid,
@@ -1127,13 +1136,17 @@ static void build_rtr_msg(u8 p2p_type, s
}
}
-static void
-creds(struct toepcb *toep, size_t wrsize)
+static int
+creds(struct toepcb *toep, struct inpcb *inp, size_t wrsize)
{
struct ofld_tx_sdesc *txsd;
CTR3(KTR_IW_CXGBE, "%s:creB %p %u", __func__, toep , wrsize);
- INP_WLOCK(toep->inp);
+ INP_WLOCK(inp);
+ if ((inp->inp_flags & (INP_DROPPED | INP_TIMEWAIT)) != 0) {
+ INP_WUNLOCK(inp);
+ return (EINVAL);
+ }
txsd = &toep->txsd[toep->txsd_pidx];
txsd->tx_credits = howmany(wrsize, 16);
txsd->plen = 0;
@@ -1143,9 +1156,10 @@ creds(struct toepcb *toep, size_t wrsize
if (__predict_false(++toep->txsd_pidx == toep->txsd_total))
toep->txsd_pidx = 0;
toep->txsd_avail--;
- INP_WUNLOCK(toep->inp);
+ INP_WUNLOCK(inp);
CTR5(KTR_IW_CXGBE, "%s:creE %p %u %u %u", __func__, toep ,
txsd->tx_credits, toep->tx_credits, toep->txsd_pidx);
+ return (0);
}
static int rdma_init(struct c4iw_dev *rhp, struct c4iw_qp *qhp)
@@ -1216,7 +1230,11 @@ static int rdma_init(struct c4iw_dev *rh
c4iw_init_wr_wait(&ep->com.wr_wait);
- creds(toep, sizeof(*wqe));
+ ret = creds(toep, inp, sizeof(*wqe));
+ if (ret) {
+ free_wrqe(wr);
+ return ret;
+ }
t4_wrq_tx(sc, wr);
ret = c4iw_wait_for_reply(rdev, &ep->com.wr_wait, ep->hwtid,
_______________________________________________
svn-src-all@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to "svn-src-all-unsubscr...@freebsd.org"
