cnic: Fix panic in cnic_iscsi_nl_msg_recv() when device is down.
authorMichael Chan <mchan@broadcom.com>
Wed, 24 Feb 2010 14:42:06 +0000 (14:42 +0000)
committerDavid S. Miller <davem@davemloft.net>
Fri, 26 Feb 2010 10:10:13 +0000 (02:10 -0800)
Some data structures are freed when the device is down and it will
crash if an ISCSI netlink message is received.  Add RCU protection
to prevent this.  In the shutdown path, ulp_ops[CNIC_ULP_L4] is
assigned NULL and rcu_synchronized before freeing the data
structures.

Signed-off-by: Michael Chan <mchan@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
drivers/net/cnic.c

index 40865aac2afaf496b1902e8c025820d1aa7f9bea..45584442a35cc0cd45686161954f6bfca223707f 100644 (file)
@@ -327,6 +327,12 @@ static int cnic_iscsi_nl_msg_recv(struct cnic_dev *dev, u32 msg_type,
                if (l5_cid >= MAX_CM_SK_TBL_SZ)
                        break;
 
+               rcu_read_lock();
+               if (!rcu_dereference(cp->ulp_ops[CNIC_ULP_L4])) {
+                       rc = -ENODEV;
+                       rcu_read_unlock();
+                       break;
+               }
                csk = &cp->csk_tbl[l5_cid];
                csk_hold(csk);
                if (cnic_in_use(csk)) {
@@ -341,6 +347,7 @@ static int cnic_iscsi_nl_msg_recv(struct cnic_dev *dev, u32 msg_type,
                                cnic_cm_set_pg(csk);
                }
                csk_put(csk);
+               rcu_read_unlock();
                rc = 0;
        }
        }