From 0283a854ed764ff3799a11e1f04dbd09ec40c816 Mon Sep 17 00:00:00 2001
From: Bart Van Assche
Date: Tue, 26 Apr 2016 14:12:47 +0000
Subject: [PATCH] isert: wait for RDMA CM event to complete before destroy resources
There is a race between RDMACM event handler and isert_conn_free. The event handler use the connection resources and isert_conn_free destroy them. This commit fix multiple NULL dereference bugs.
Signed-off-by: Israel Rukshin
git-svn-id: http://svn.code.sf.net/p/scst/svn/trunk@6877 d57e44dd-8a1f-0410-8b47-8ef2f437770f
---
 iscsi-scst/kernel/isert-scst/iser_rdma.c | 14 ++++----------
 1 file changed, 4 insertions(+), 10 deletions(-)
diff --git a/iscsi-scst/kernel/isert-scst/iser_rdma.c b/iscsi-scst/kernel/isert-scst/iser_rdma.c
index fc038695d..92f98fcb8 100644
--- a/iscsi-scst/kernel/isert-scst/iser_rdma.c
+++ b/iscsi-scst/kernel/isert-scst/iser_rdma.c
@@ -1157,12 +1157,6 @@ fail_create_qp:
 goto out;
 }
 
-static void isert_conn_qp_destroy(struct isert_connection *isert_conn)
-{
- rdma_destroy_qp(isert_conn->cm_id);
- isert_conn->qp = NULL;
-}
-
 static struct isert_connection *isert_conn_create(struct rdma_cm_id *cm_id,
 struct isert_device *isert_dev)
 {
@@ -1239,7 +1233,7 @@ fail_post_recv:
 mutex_lock(&dev_list_mutex);
 isert_dev->cq_qps[cq->idx]--;
 mutex_unlock(&dev_list_mutex);
- isert_conn_qp_destroy(isert_conn);
+ rdma_destroy_qp(isert_conn->cm_id);
 fail_qp:
 isert_pdu_free(isert_conn->login_rsp_pdu);
 fail_login_rsp_pdu:
@@ -1273,7 +1267,9 @@ static void isert_kref_free(struct kref *kref)
 
 isert_free_conn_resources(isert_conn);
 
- isert_conn_qp_destroy(isert_conn);
+ rdma_destroy_id(isert_conn->cm_id);
+ ib_destroy_qp(isert_conn->qp);
+ isert_conn->qp = NULL;
 
 mutex_lock(&dev_list_mutex);
 isert_dev->cq_qps[cq->idx]--;
@@ -1283,8 +1279,6 @@ static void isert_kref_free(struct kref *kref)
 isert_portal_free(isert_conn->portal);
 mutex_unlock(&dev_list_mutex);
 
- rdma_destroy_id(isert_conn->cm_id);
-
 isert_conn_kfree(isert_conn);
 
 module_put(THIS_MODULE);
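Review bot: In the fail_post_recv unwind (second hunk) the replacement `rdma_destroy_qp(isert_conn->cm_id);` drops the `isert_conn->qp = NULL;` that the removed helper performed, so isert_conn->qp keeps pointing at a destroyed QP for the rest of the error path. Nothing in the visible fail_qp / fail_login_rsp_pdu labels reads it, but isert_kref_free() now calls ib_destroy_qp(isert_conn->qp) unconditionally, so a stale pointer would become a double destroy if this connection could ever be released through the kref path. Keeping `isert_conn->qp = NULL;` directly after the call preserves the old invariant at no cost. The rest of isert_conn_create() lies outside the hunk, so whether the object is freed immediately afterwards cannot be confirmed from here.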
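Review bot: In isert_kref_free() (third hunk) the context line `isert_free_conn_resources(isert_conn);` still runs before the added `rdma_destroy_id(isert_conn->cm_id);`, so whatever that helper releases is torn down before the CM event handler has been waited for. If the handler touches any of those resources, which is not visible in this hunk, the race from the commit message is closed only for the QP; moving `rdma_destroy_id(isert_conn->cm_id);` above the isert_free_conn_resources() call would cover them too, provided that helper does not itself need cm_id. The new order is load-bearing and easy to undo in a later cleanup, so I would add a comment above the call, e.g. `/* rdma_destroy_id() waits for in-flight CM callbacks; the QP must outlive them */`. The function body begins and ends outside the hunk.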