authorNeil Horman <nhorman@tuxdriver.com>2011-09-06 13:59:13 -0400
committerJames Bottomley <JBottomley@Parallels.com>2011-09-26 10:28:01 -0400
commite48f129c2f200dde8899f6ea5c6e7173674fc482 (patch)
tree9f5acdec1e31c12a7382e26dd173e904fc7fb2a3 /drivers/infiniband/hw/cxgb3
parent3538a001ea7db13fa1be2966b71f69d808acff01 (diff)
[SCSI] cxgb3i: convert cdev->l2opt to use rcu to prevent NULL dereference
This oops was reported recently: d:mon> e cpu 0xd: Vector: 300 (Data Access) at [c0000000fd4c7120] pc: d00000000076f194: .t3_l2t_get+0x44/0x524 [cxgb3] lr: d000000000b02108: .init_act_open+0x150/0x3d4 [cxgb3i] sp: c0000000fd4c73a0 msr: 8000000000009032 dar: 0 dsisr: 40000000 current = 0xc0000000fd640d40 paca = 0xc00000000054ff80 pid = 5085, comm = iscsid d:mon> t [c0000000fd4c7450] d000000000b02108 .init_act_open+0x150/0x3d4 [cxgb3i] [c0000000fd4c7500] d000000000e45378 .cxgbi_ep_connect+0x784/0x8e8 [libcxgbi] [c0000000fd4c7650] d000000000db33f0 .iscsi_if_rx+0x71c/0xb18 [scsi_transport_iscsi2] [c0000000fd4c7740] c000000000370c9c .netlink_data_ready+0x40/0xa4 [c0000000fd4c77c0] c00000000036f010 .netlink_sendskb+0x4c/0x9c [c0000000fd4c7850] c000000000370c18 .netlink_sendmsg+0x358/0x39c [c0000000fd4c7950] c00000000033be24 .sock_sendmsg+0x114/0x1b8 [c0000000fd4c7b50] c00000000033d208 .sys_sendmsg+0x218/0x2ac [c0000000fd4c7d70] c00000000033f55c .sys_socketcall+0x228/0x27c [c0000000fd4c7e30] c0000000000086a4 syscall_exit+0x0/0x40 --- Exception: c01 (System Call) at 00000080da560cfc The root cause was an EEH error, which sent us down the offload_close path in the cxgb3 driver, which in turn sets cdev->l2opt to NULL, without regard for upper layer driver (like the cxgbi drivers) which might have execution contexts in the middle of its use. The result is the oops above, when t3_l2t_get attempts to dereference L2DATA(cdev)->nentries in arp_hash right after the EEH error handler sets it to NULL. The fix is to prevent the setting of the NULL pointer until after there are no further users of it. The t3cdev->l2opt pointer is now converted to be an rcu pointer and the L2DATA macro is now called under the protection of the rcu_read_lock(). 
When the EEH error path t3_adapter_error->offload_close->cxgb3_offload_deactivate is executed, setting that l2opt pointer to NULL is now gated on an RCU quiescent point, allowing L2DATA callers to safely check for a NULL pointer without concern that the underlying data will be freed before the pointer is dereferenced. This has been tested by the reporter and shown to fix the reported oops. [nhorman: fix up uninitialised variable reported by Dan Carpenter] Signed-off-by: Neil Horman <nhorman@tuxdriver.com> Reviewed-by: Karen Xie <kxie@chelsio.com> Cc: stable@kernel.org Signed-off-by: James Bottomley <JBottomley@Parallels.com>
Diffstat (limited to 'drivers/infiniband/hw/cxgb3')
-rw-r--r--drivers/infiniband/hw/cxgb3/iwch_cm.c10
1 files changed, 5 insertions, 5 deletions
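--- a/drivers/infiniband/hw/cxgb3/iwch_cm.c
+++ b/drivers/infiniband/hw/cxgb3/iwch_cm.c
@@ -287,7 +287,7 @@ void __free_ep(struct kref *kref)
 	if (test_bit(RELEASE_RESOURCES, &ep->com.flags)) {
 		cxgb3_remove_tid(ep->com.tdev, (void *)ep, ep->hwtid);
 		dst_release(ep->dst);
-		l2t_release(L2DATA(ep->com.tdev), ep->l2t);
+		l2t_release(ep->com.tdev, ep->l2t);
 	}
 	kfree(ep);
 }
@@ -1178,7 +1178,7 @@ static int act_open_rpl(struct t3cdev *tdev, struct sk_buff *skb, void *ctx)
 	release_tid(ep->com.tdev, GET_TID(rpl), NULL);
 	cxgb3_free_atid(ep->com.tdev, ep->atid);
 	dst_release(ep->dst);
-	l2t_release(L2DATA(ep->com.tdev), ep->l2t);
+	l2t_release(ep->com.tdev, ep->l2t);
 	put_ep(&ep->com);
 	return CPL_RET_BUF_DONE;
 }
@@ -1377,7 +1377,7 @@ static int pass_accept_req(struct t3cdev *tdev, struct sk_buff *skb, void *ctx)
 	if (!child_ep) {
 		printk(KERN_ERR MOD "%s - failed to allocate ep entry!\n",
 		       __func__);
-		l2t_release(L2DATA(tdev), l2t);
+		l2t_release(tdev, l2t);
 		dst_release(dst);
 		goto reject;
 	}
@@ -1956,7 +1956,7 @@ int iwch_connect(struct iw_cm_id *cm_id, struct iw_cm_conn_param *conn_param)
 	if (!err)
 		goto out;
 
-	l2t_release(L2DATA(h->rdev.t3cdev_p), ep->l2t);
+	l2t_release(h->rdev.t3cdev_p, ep->l2t);
 fail4:
 	dst_release(ep->dst);
 fail3:
@@ -2127,7 +2127,7 @@ int iwch_ep_redirect(void *ctx, struct dst_entry *old, struct dst_entry *new,
 	PDBG("%s ep %p redirect to dst %p l2t %p\n", __func__, ep, new,
 	     l2t);
 	dst_hold(new);
-	l2t_release(L2DATA(ep->com.tdev), ep->l2t);
+	l2t_release(ep->com.tdev, ep->l2t);
 	ep->l2t = l2t;
 	dst_release(old);
 	ep->dst = new;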
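Review bot: Each converted call here, e.g. `l2t_release(ep->com.tdev, ep->l2t);` in __free_ep and act_open_rpl, now hands the bare t3cdev to l2t_release and depends on that helper resolving L2DATA(tdev) under rcu_read_lock() and coping with l2opt already being NULL after offload_close(), as the commit message describes; l2t_release's new body is not part of this diff, so that contract should be confirmed rather than assumed, because the NULL dereference this commit fixes merely relocates into the helper if it reads L2DATA unguarded. A one-line comment at the __free_ep site would make that dependency visible to the next reader: `/* l2t_release() looks up L2DATA(tdev) under RCU and tolerates a NULL l2opt after offload_close() */`. In the iwch_connect failure path the released entry is left in ep->l2t rather than cleared; whether anything touches it before the ep is torn down depends on the code after `fail3:`, which is outside this hunk. All five enclosing functions begin outside their hunks, and pass_accept_req, iwch_connect and iwch_ep_redirect also continue past them.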