IB/iser: Fix error flow in iser ep connection establishment

The current error flow code was releasing the IB connection object and calling iscsi_destroy_endpoint() directly without going through the reference counting mechanism introduced in commit 39ff05d ("IB/iser: Enhance disconnection logic for multi-pathing"). This resulted in a double free of the iscsi endpoint object, which causes a kernel NULL pointer dereference. Fix that by plugging into the IB conn reference counting correctly. Signed-off-by: Or Gerlitz <ogerlitz@mellanox.com> Signed-off-by: Roland Dreier <roland@purestorage.com>
author: Or Gerlitz <ogerlitz@mellanox.com> 2012-04-29 10:04:21 -0400
committer: Roland Dreier <roland@purestorage.com> 2012-05-18 20:05:31 -0400
commit: 7d9c0de4ab4ec00b8349d1af0b736a0d473671c2 (patch)
tree: ea98903ee548b01debd791d2294a3d9bd4df266a /drivers/infiniband
parent: d48b97b403d23f6df0b990cee652bdf9a52337a3 (diff)
2 files changed, 4 insertions, 4 deletions
diff --git a/drivers/infiniband/ulp/iser/iscsi_iser.c b/drivers/infiniband/ulp/iser/iscsi_iser.c
index db43b3117168..0ab8c9cc3a78 100644
--- a/drivers/infiniband/ulp/iser/iscsi_iser.c
+++ b/drivers/infiniband/ulp/iser/iscsi_iser.c
@@ -573,10 +573,9 @@ iscsi_iser_ep_connect(struct Scsi_Host *shost, struct sockaddr *dst_addr,
        err = iser_connect(ib_conn, NULL, (struct sockaddr_in *)dst_addr,
                           non_blocking);
-        if (err) {
+        if (err)
-                iscsi_destroy_endpoint(ep);
                return ERR_PTR(err);
-        }
        return ep;
 }
diff --git a/drivers/infiniband/ulp/iser/iser_verbs.c b/drivers/infiniband/ulp/iser/iser_verbs.c
index 14224ba44fd8..2dddabd8fcf9 100644
--- a/drivers/infiniband/ulp/iser/iser_verbs.c
+++ b/drivers/infiniband/ulp/iser/iser_verbs.c
@@ -613,8 +613,9 @@ id_failure:
        ib_conn->cma_id = NULL;
 addr_failure:
        ib_conn->state = ISER_CONN_DOWN;
+        iser_conn_put(ib_conn, 1); /* deref ib conn's cma id */
 connect_failure:
-        iser_conn_release(ib_conn, 1);
+        iser_conn_put(ib_conn, 1); /* deref ib conn deallocate */
        return err;
 }
author	Or Gerlitz <ogerlitz@mellanox.com>	2012-04-29 10:04:21 -0400
committer	Roland Dreier <roland@purestorage.com>	2012-05-18 20:05:31 -0400
commit	7d9c0de4ab4ec00b8349d1af0b736a0d473671c2 (patch)
tree	ea98903ee548b01debd791d2294a3d9bd4df266a /drivers/infiniband
parent	d48b97b403d23f6df0b990cee652bdf9a52337a3 (diff)

diff --git a/drivers/infiniband/ulp/iser/iscsi_iser.c b/drivers/infiniband/ulp/iser/iscsi_iser.c index db43b3117168..0ab8c9cc3a78 100644 --- a/drivers/infiniband/ulp/iser/iscsi_iser.c +++ b/drivers/infiniband/ulp/iser/iscsi_iser.c
@@ -573,10 +573,9 @@ iscsi_iser_ep_connect(struct Scsi_Host shost, struct sockaddr dst_addr,
573		573
574	err = iser_connect(ib_conn, NULL, (struct sockaddr_in *)dst_addr,	574	err = iser_connect(ib_conn, NULL, (struct sockaddr_in *)dst_addr,
575	non_blocking);	575	non_blocking);
576	if (err) {	576	if (err)
577	iscsi_destroy_endpoint(ep);
578	return ERR_PTR(err);	577	return ERR_PTR(err);
579	}	578
580	return ep;	579	return ep;
581	}	580	}
582		581


diff --git a/drivers/infiniband/ulp/iser/iser_verbs.c b/drivers/infiniband/ulp/iser/iser_verbs.c index 14224ba44fd8..2dddabd8fcf9 100644 --- a/drivers/infiniband/ulp/iser/iser_verbs.c +++ b/drivers/infiniband/ulp/iser/iser_verbs.c
@@ -613,8 +613,9 @@ id_failure:
613	ib_conn->cma_id = NULL;	613	ib_conn->cma_id = NULL;
614	addr_failure:	614	addr_failure:
615	ib_conn->state = ISER_CONN_DOWN;	615	ib_conn->state = ISER_CONN_DOWN;
		616	iser_conn_put(ib_conn, 1); /* deref ib conn's cma id */
616	connect_failure:	617	connect_failure:
617	iser_conn_release(ib_conn, 1);	618	iser_conn_put(ib_conn, 1); /* deref ib conn deallocate */
618	return err;	619	return err;
619	}	620	}
620		621