From: Navdeep Parhar
Date: Sat, 26 Jan 2013 03:23:29 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: svn commit: r245937 - head/sys/dev/cxgbe/tom

Author: np
Date: Sat Jan 26 03:23:28 2013
New Revision: 245937
URL: http://svnweb.freebsd.org/changeset/base/245937

Log:
  Install an extra hold on the newly allocated synq entry so that it cannot be freed while do_pass_accept_req is running. This closes a race where do_pass_establish on another CPU (the driver chose a different queue for the new tid) expands the synq entry into a full PCB and then releases the only hold on it, all while do_pass_accept_req is still running.

  MFC after: 3 days

Modified:
  head/sys/dev/cxgbe/tom/t4_listen.c

Modified: head/sys/dev/cxgbe/tom/t4_listen.c
==============================================================================
--- head/sys/dev/cxgbe/tom/t4_listen.c Sat Jan 26 03:10:28 2013 (r245936) +++ head/sys/dev/cxgbe/tom/t4_listen.c Sat Jan 26 03:23:28 2013 (r245937) @@ -954,7 +954,7 @@ mbuf_to_synqe(struct mbuf *m) return (NULL); synqe->flags = TPF_SYNQE | TPF_SYNQE_NEEDFREE; } else { - synqe = (void *)(m->m_data + m->m_len + tspace - sizeof(*synqe)); + synqe = (void *)(m->m_data + m->m_len + tspace - len); synqe->flags = TPF_SYNQE; } 
@@ -1335,7 +1335,7 @@ do_pass_accept_req(struct sge_iq *iq, co synqe->lctx = lctx; synqe->syn = m; m = NULL; - refcount_init(&synqe->refcnt, 0); + refcount_init(&synqe->refcnt, 1); /* 1 means extra hold */ synqe->l2e_idx = e->idx; synqe->rcv_bufsize = rx_credits; atomic_store_rel_ptr(&synqe->wr, (uintptr_t)wr); @@ -1381,6 +1381,7 @@ do_pass_accept_req(struct sge_iq *iq, co if (inp) INP_WUNLOCK(inp); + release_synqe(synqe); /* extra hold */ REJECT_PASS_ACCEPT(); } @@ -1395,15 +1396,19 @@ do_pass_accept_req(struct sge_iq *iq, co * this tid because there was no L2T entry for the tid at that * time. Abort it now. The reply to the abort will clean up. */ - CTR5(KTR_CXGBE, "%s: stid %u, tid %u, lctx %p, synqe %p, ABORT", - __func__, stid, tid, lctx, synqe); - send_reset_synqe(tod, synqe); + CTR6(KTR_CXGBE, + "%s: stid %u, tid %u, lctx %p, synqe %p (0x%x), ABORT", + __func__, stid, tid, lctx, synqe, synqe->flags); + if (!(synqe->flags & TPF_SYNQE_EXPANDED)) + send_reset_synqe(tod, synqe); INP_WUNLOCK(inp); + release_synqe(synqe); /* extra hold */ return (__LINE__); } INP_WUNLOCK(inp); + release_synqe(synqe); /* extra hold */ return (0); reject: CTR4(KTR_CXGBE, "%s: stid %u, tid %u, REJECT (%d)", __func__, stid, tid,
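
Review bot: In the @@ -954 hunk (mbuf_to_synqe), the else branch now places the entry at `tspace - len` instead of `tspace - sizeof(*synqe)`, and the commit log, which covers only the extra hold, does not mention it. `len` is defined outside the visible context, so the hunk alone does not show how it differs from `sizeof(*synqe)`. Suggest a sentence in the log or a short comment at the assignment saying what `len` is, and confirming that the test which selects this branch over the allocating one compares the trailing space against the same `len`, since the pointer arithmetic is only safe if both use one size.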
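
Review bot: In the @@ -1335 hunk, `refcount_init(&synqe->refcnt, 1); /* 1 means extra hold */` creates a hold that every later exit from do_pass_accept_req has to drop, and the comment does not say who drops it. The patch adds `release_synqe(synqe); /* extra hold */` before REJECT_PASS_ACCEPT() and before both returns in the last hunk, but the `reject:` label shown at the end of the patch has no release of its own, so any other jump to it taken after this init would leak the entry. Suggest extending the comment to name the release sites (or stating that no other path reaches `reject:` once the synqe is initialized), and checking that REJECT_PASS_ACCEPT() does not touch synqe after the release that now precedes it.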
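
Review bot: In the @@ -1395 hunk, the new `if (!(synqe->flags & TPF_SYNQE_EXPANDED))` guard makes the block comment above it stale: it still reads "Abort it now. The reply to the abort will clean up.", yet for an expanded entry no reset is sent and the function still returns `__LINE__`. Suggest updating the comment to say what happens to a tid that had no L2T entry once its synqe has been expanded into a full PCB, and who cleans it up in that case. The flag is read before `INP_WUNLOCK(inp)`; it is worth a note that do_pass_establish sets TPF_SYNQE_EXPANDED under the same lock, since the hunk does not show it and the check is only meaningful if it does.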