From: Navdeep Parhar Date: Thu, 23 Mar 2017 20:23:00 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-10@freebsd.org Subject: svn commit: r315868 - stable/10/sys/dev/cxgbe/iw_cxgbe X-SVN-Group: stable-10 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-stable@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: SVN commit messages for all the -stable branches of the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 23 Mar 2017 20:23:02 -0000 Author: np Date: Thu Mar 23 20:23:00 2017 New Revision: 315868 URL: https://svnweb.freebsd.org/changeset/base/315868 Log: MFC r314814 and r315325. r314814: cxgbe/iw_cxgbe: Abort connection if there is an error during c4iw_modify_qp. r315325: cxgbe/iw_cxgbe: Use the socket and not the toepcb to reach for the inpcb. t4_tom detaches the inpcb from the toepcb as soon as the hardware is done with the connection (in final_cpl_received) but the socket is around as long as the cm_id and the rest of iWARP state is. This fixes an intermittent NULL dereference during abort. Modified: stable/10/sys/dev/cxgbe/iw_cxgbe/qp.c Directory Properties: stable/10/ (props changed) Modified: stable/10/sys/dev/cxgbe/iw_cxgbe/qp.c ============================================================================== --- stable/10/sys/dev/cxgbe/iw_cxgbe/qp.c Thu Mar 23 19:54:41 2017 (r315867) +++ stable/10/sys/dev/cxgbe/iw_cxgbe/qp.c Thu Mar 23 20:23:00 2017 (r315868) @@ -63,7 +63,7 @@ struct rss_header; #include "iw_cxgbe.h" #include "user.h" -static void creds(struct toepcb *toep, size_t wrsize); +static int creds(struct toepcb *toep, struct inpcb *inp, size_t wrsize); static void set_state(struct c4iw_qp *qhp, enum c4iw_qp_state state) 
@@ -960,6 +960,7 @@ static inline void build_term_codes(stru static void post_terminate(struct c4iw_qp *qhp, struct t4_cqe *err_cqe, gfp_t gfp) { + int ret; struct fw_ri_wr *wqe; struct terminate_message *term; struct wrqe *wr; @@ -990,7 +991,11 @@ static void post_terminate(struct c4iw_q term->ecode = qhp->attr.ecode; } else build_term_codes(err_cqe, &term->layer_etype, &term->ecode); - creds(toep, sizeof(*wqe)); + ret = creds(toep, inp, sizeof(*wqe)); + if (ret) { + free_wrqe(wr); + return; + } t4_wrq_tx(qhp->rhp->rdev.adap, wr); } @@ -1093,7 +1098,11 @@ rdma_fini(struct c4iw_dev *rhp, struct c c4iw_init_wr_wait(&ep->com.wr_wait); - creds(toep, sizeof(*wqe)); + ret = creds(toep, inp, sizeof(*wqe)); + if (ret) { + free_wrqe(wr); + return ret; + } t4_wrq_tx(sc, wr); ret = c4iw_wait_for_reply(rdev, &ep->com.wr_wait, ep->hwtid, @@ -1126,13 +1135,17 @@ static void build_rtr_msg(u8 p2p_type, s } } -static void -creds(struct toepcb *toep, size_t wrsize) +static int +creds(struct toepcb *toep, struct inpcb *inp, size_t wrsize) { struct ofld_tx_sdesc *txsd; CTR3(KTR_IW_CXGBE, "%s:creB %p %u", __func__, toep , wrsize); - INP_WLOCK(toep->inp); + INP_WLOCK(inp); + if ((inp->inp_flags & (INP_DROPPED | INP_TIMEWAIT)) != 0) { + INP_WUNLOCK(inp); + return (EINVAL); + } txsd = &toep->txsd[toep->txsd_pidx]; txsd->tx_credits = howmany(wrsize, 16); txsd->plen = 0; @@ -1142,9 +1155,10 @@ creds(struct toepcb *toep, size_t wrsize if (__predict_false(++toep->txsd_pidx == toep->txsd_total)) toep->txsd_pidx = 0; toep->txsd_avail--; - INP_WUNLOCK(toep->inp); + INP_WUNLOCK(inp); CTR5(KTR_IW_CXGBE, "%s:creE %p %u %u %u", __func__, toep , txsd->tx_credits, toep->tx_credits, toep->txsd_pidx); + return (0); } static int rdma_init(struct c4iw_dev *rhp, struct c4iw_qp *qhp) 
@@ -1215,7 +1229,11 @@ static int rdma_init(struct c4iw_dev *rh c4iw_init_wr_wait(&ep->com.wr_wait); - creds(toep, sizeof(*wqe)); + ret = creds(toep, inp, sizeof(*wqe)); + if (ret) { + free_wrqe(wr); + return ret; + } t4_wrq_tx(sc, wr); ret = c4iw_wait_for_reply(rdev, &ep->com.wr_wait, ep->hwtid, @@ -1426,6 +1444,7 @@ err: qhp->ep = NULL; set_state(qhp, C4IW_QP_STATE_ERROR); free = 1; + abort = 1; BUG_ON(!ep); flush_qp(qhp); wake_up(&qhp->wait);
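Review bot: In post_terminate (hunk -990,7 +991,11) a failing creds() frees the wrqe and returns with no trace, and because the function returns void the caller cannot tell that the TERMINATE work request was never handed to t4_wrq_tx. Add a CTR line (or equivalent) in the `if (ret)` branch that records ret. The new `inp` argument is also not declared or assigned in any visible line of this function; the log says it must be reached through the socket rather than the toepcb, so that derivation should be visible in, or confirmed for, this hunk.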
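Review bot: In the rdma_fini hunk (-1093,7 +1098,11), and identically in the rdma_init hunk (-1215,7 +1229,11), the new error path uses `return ret;` while creds() in this same patch uses the parenthesized form (`return (EINVAL);`, `return (0);`). Use `return (ret);` in both places for consistency. The same free_wrqe-and-return block now appears at all three creds() call sites; a brief comment at one of them stating that the wrqe is still owned by the caller at this point would document why freeing it here is correct.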
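Review bot: In creds() (hunks -1126,13 +1135,17 and -1142,9 +1155,10) the closing CTR5 still reads txsd->tx_credits, toep->tx_credits and toep->txsd_pidx after `INP_WUNLOCK(inp);`, so the trace reads those fields outside the lock the function takes to update them. Move the CTR5 above the unlock. The new `INP_DROPPED | INP_TIMEWAIT` check has no comment saying what it guards against and the early `return (EINVAL);` has no matching trace; one line of each would make the intermittent failure described in the log diagnosable from KTR output.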
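Review bot: In the err: path (hunk -1426,6 +1444,7) `abort = 1;` is set directly after `free = 1;`, but the code that consumes either flag lies outside the visible lines. Confirm that the abort is issued on the endpoint before whatever `free` releases, and note that `qhp->ep = NULL;` has already run by this point, so the abort must use the local `ep` that `BUG_ON(!ep);` checks. A one-line comment next to the assignment saying that a failed modify now aborts the connection would tie this line back to r314814.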