diff options
author | Or Gerlitz <ogerlitz@mellanox.com> | 2012-04-29 17:04:21 +0300 |
---|---|---|
committer | Roland Dreier <roland@purestorage.com> | 2012-05-18 17:05:31 -0700 |
commit | 7d9c0de4ab4ec00b8349d1af0b736a0d473671c2 (patch) | |
tree | ea98903ee548b01debd791d2294a3d9bd4df266a | |
parent | d48b97b403d23f6df0b990cee652bdf9a52337a3 (diff) |
IB/iser: Fix error flow in iser ep connection establishment
The current error flow code was releasing the IB connection object and
calling iscsi_destroy_endpoint() directly without going through the
reference counting mechanism introduced in commit 39ff05d ("IB/iser:
Enhance disconnection logic for multi-pathing"). This resulted in a
double free of the iscsi endpoint object, which causes a kernel NULL
pointer dereference. Fix that by plugging into the IB conn reference
counting correctly.
Signed-off-by: Or Gerlitz <ogerlitz@mellanox.com>
Signed-off-by: Roland Dreier <roland@purestorage.com>
-rw-r--r-- | drivers/infiniband/ulp/iser/iscsi_iser.c | 5 | ||||
-rw-r--r-- | drivers/infiniband/ulp/iser/iser_verbs.c | 3 |
2 files changed, 4 insertions, 4 deletions
diff --git a/drivers/infiniband/ulp/iser/iscsi_iser.c b/drivers/infiniband/ulp/iser/iscsi_iser.c index db43b3117168..0ab8c9cc3a78 100644 --- a/drivers/infiniband/ulp/iser/iscsi_iser.c +++ b/drivers/infiniband/ulp/iser/iscsi_iser.c @@ -573,10 +573,9 @@ iscsi_iser_ep_connect(struct Scsi_Host *shost, struct sockaddr *dst_addr, err = iser_connect(ib_conn, NULL, (struct sockaddr_in *)dst_addr, non_blocking); - if (err) { - iscsi_destroy_endpoint(ep); + if (err) return ERR_PTR(err); - } + return ep; } diff --git a/drivers/infiniband/ulp/iser/iser_verbs.c b/drivers/infiniband/ulp/iser/iser_verbs.c index 14224ba44fd8..2dddabd8fcf9 100644 --- a/drivers/infiniband/ulp/iser/iser_verbs.c +++ b/drivers/infiniband/ulp/iser/iser_verbs.c @@ -613,8 +613,9 @@ id_failure: ib_conn->cma_id = NULL; addr_failure: ib_conn->state = ISER_CONN_DOWN; + iser_conn_put(ib_conn, 1); /* deref ib conn's cma id */ connect_failure: - iser_conn_release(ib_conn, 1); + iser_conn_put(ib_conn, 1); /* deref ib conn deallocate */ return err; } |