isert: wait for RDMA CM event to complete before destroy resources

There is a race between RDMACM event handler and isert_conn_free. The event handler use the connection resources and isert_conn_free destroy them. This commit fix multiple NULL dereference bugs. Signed-off-by: Israel Rukshin <israelr@mellanox.com> git-svn-id: http://svn.code.sf.net/p/scst/svn/trunk@6877 d57e44dd-8a1f-0410-8b47-8ef2f437770f
2026-05-20 20:21:30 +00:00 · 2016-04-26 14:12:47 +00:00
parent f297ef6f38
commit 0283a854ed
1 changed files with 4 additions and 10 deletions
--- a/iscsi-scst/kernel/isert-scst/iser_rdma.c
+++ b/iscsi-scst/kernel/isert-scst/iser_rdma.c
@@ -1157,12 +1157,6 @@ fail_create_qp:
 	goto out;
 }

-static void isert_conn_qp_destroy(struct isert_connection *isert_conn)
-{
-	rdma_destroy_qp(isert_conn->cm_id);
-	isert_conn->qp = NULL;
-}
-
 static struct isert_connection *isert_conn_create(struct rdma_cm_id *cm_id,
 						  struct isert_device *isert_dev)
 {
@@ -1239,7 +1233,7 @@ fail_post_recv:
 	mutex_lock(&dev_list_mutex);
 	isert_dev->cq_qps[cq->idx]--;
 	mutex_unlock(&dev_list_mutex);
-	isert_conn_qp_destroy(isert_conn);
+	rdma_destroy_qp(isert_conn->cm_id);
 fail_qp:
 	isert_pdu_free(isert_conn->login_rsp_pdu);
 fail_login_rsp_pdu:
@@ -1273,7 +1267,9 @@ static void isert_kref_free(struct kref *kref)

 	isert_free_conn_resources(isert_conn);

-	isert_conn_qp_destroy(isert_conn);
+	rdma_destroy_id(isert_conn->cm_id);
+	ib_destroy_qp(isert_conn->qp);
+	isert_conn->qp = NULL;

 	mutex_lock(&dev_list_mutex);
 	isert_dev->cq_qps[cq->idx]--;
@@ -1283,8 +1279,6 @@ static void isert_kref_free(struct kref *kref)
 		isert_portal_free(isert_conn->portal);
 	mutex_unlock(&dev_list_mutex);

-	rdma_destroy_id(isert_conn->cm_id);
-
 	isert_conn_kfree(isert_conn);

 	module_put(THIS_MODULE);