From: "Bhanu Prakash Gollapudi" <bprakash@broadcom.com>
To: JBottomley@parallels.com, linux-scsi@vger.kernel.org
Cc: michaelc@cs.wisc.edu, mchan@broadcom.com,
robert.w.love@intel.com, devel@open-fcoe.org,
Bhanu Prakash Gollapudi <bprakash@broadcom.com>
Subject: [PATCH 12/18] bnx2fc: Fix NULL pointer deref during arm_cq.
Date: Thu, 4 Aug 2011 11:47:07 -0700
Message-ID: <1312483633-479-13-git-send-email-bprakash@broadcom.com>
In-Reply-To: <1312483633-479-1-git-send-email-bprakash@broadcom.com>
There exists a race condition between CQ doorbell unmap and IO completion path
that arms the CQ which causes a NULL dereference. Protect the ctx_base with
cq_lock to avoid this. Also, wait for the CQ doorbell to be successfully mapped
before arming the CQ.
Also, do not count unsolicited CQ completions for free_sqes.
Signed-off-by: Bhanu Prakash Gollapudi <bprakash@broadcom.com>
---
drivers/scsi/bnx2fc/bnx2fc_hwi.c | 10 +++++++---
drivers/scsi/bnx2fc/bnx2fc_tgt.c | 19 +++++++++++--------
2 files changed, 18 insertions(+), 11 deletions(-)
diff --git a/drivers/scsi/bnx2fc/bnx2fc_hwi.c b/drivers/scsi/bnx2fc/bnx2fc_hwi.c
index 72cfb14..b241f3d 100644
--- a/drivers/scsi/bnx2fc/bnx2fc_hwi.c
+++ b/drivers/scsi/bnx2fc/bnx2fc_hwi.c
@@ -1009,6 +1009,7 @@ int bnx2fc_process_new_cqes(struct bnx2fc_rport *tgt)
u32 cq_cons;
struct fcoe_cqe *cqe;
u32 num_free_sqes = 0;
+ u32 num_cqes = 0;
u16 wqe;
/*
@@ -1058,10 +1059,11 @@ unlock:
wake_up_process(fps->iothread);
else
bnx2fc_process_cq_compl(tgt, wqe);
+ num_free_sqes++;
}
cqe++;
tgt->cq_cons_idx++;
- num_free_sqes++;
+ num_cqes++;
if (tgt->cq_cons_idx == BNX2FC_CQ_WQES_MAX) {
tgt->cq_cons_idx = 0;
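Review bot: moving `num_free_sqes++` inside the block is an accounting change that the commit message appends with "Also"; it is independent of the ctx_base race and would be easier to bisect and backport as its own patch. If it stays here, add a comment at the increment saying which completions return an SQE, since with `num_cqes` now gating the arm the two counters are easy to confuse.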
@@ -1070,8 +1072,10 @@ unlock:
1 - tgt->cq_curr_toggle_bit;
}
}
- if (num_free_sqes) {
- bnx2fc_arm_cq(tgt);
+ if (num_cqes) {
+ /* Arm CQ only if doorbell is mapped */
+ if (tgt->ctx_base)
+ bnx2fc_arm_cq(tgt);
atomic_add(num_free_sqes, &tgt->free_sqes);
}
spin_unlock_bh(&tgt->cq_lock);
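Review bot: the `if (tgt->ctx_base)` guard sits at this one call site, so it only protects callers that remember to add it. The check is valid here because it runs before `spin_unlock_bh(&tgt->cq_lock)`, but it would be sturdier inside bnx2fc_arm_cq() itself, or that function should carry a comment saying the caller must hold cq_lock and have checked ctx_base.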
diff --git a/drivers/scsi/bnx2fc/bnx2fc_tgt.c b/drivers/scsi/bnx2fc/bnx2fc_tgt.c
index 3d28fbe..2f7a7da 100644
--- a/drivers/scsi/bnx2fc/bnx2fc_tgt.c
+++ b/drivers/scsi/bnx2fc/bnx2fc_tgt.c
@@ -133,9 +133,9 @@ retry_ofld:
printk(KERN_ERR PFX "map doorbell failed - no mem\n");
/* upload will take care of cleaning up sess resc */
lport->tt.rport_logoff(rdata);
- }
- /* Arm CQ */
- bnx2fc_arm_cq(tgt);
+ } else
+ /* Arm CQ */
+ bnx2fc_arm_cq(tgt);
return;
ofld_err:
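Review bot: `} else` followed by a comment and an unbraced statement goes against kernel coding style, which asks for braces on every branch once one branch has them; write `} else {`, then the comment and the call, then `}`. This bnx2fc_arm_cq() call is also made without cq_lock in the lines shown, unlike the one in bnx2fc_process_new_cqes(); if that is safe because the session cannot be freed at this point, a one-line comment should say so.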
@@ -806,14 +806,14 @@ mem_alloc_failure:
static void bnx2fc_free_session_resc(struct bnx2fc_hba *hba,
struct bnx2fc_rport *tgt)
{
- BNX2FC_TGT_DBG(tgt, "Freeing up session resources\n");
+ void __iomem *ctx_base_ptr;
- if (tgt->ctx_base) {
- iounmap(tgt->ctx_base);
- tgt->ctx_base = NULL;
- }
+ BNX2FC_TGT_DBG(tgt, "Freeing up session resources\n");
spin_lock_bh(&tgt->cq_lock);
+ ctx_base_ptr = tgt->ctx_base;
+ tgt->ctx_base = NULL;
+
/* Free LCQ */
if (tgt->lcq) {
dma_free_coherent(&hba->pcidev->dev, tgt->lcq_mem_size,
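Review bot: nothing in the lines shown documents that tgt->ctx_base is now covered by cq_lock; the rule is implied only by the `ctx_base_ptr = tgt->ctx_base;` and `tgt->ctx_base = NULL;` pair moving below spin_lock_bh(). A short comment at this assignment, or at the field in struct bnx2fc_rport, would keep later changes from reading or clearing it outside the lock.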
@@ -867,4 +867,7 @@ static void bnx2fc_free_session_resc(struct bnx2fc_hba *hba,
tgt->sq = NULL;
}
spin_unlock_bh(&tgt->cq_lock);
+
+ if (ctx_base_ptr)
+ iounmap(ctx_base_ptr);
}
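Review bot: the `iounmap(ctx_base_ptr)` placed after spin_unlock_bh() has no comment explaining why the unmap is split from the clearing of tgt->ctx_base. Add a line stating that the pointer is cleared under cq_lock so the completion path stops arming the CQ, and that the unmap is deliberately done once the lock is dropped.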
--
1.7.0.6