
Commit 7d9c0de4 authored by Or Gerlitz, committed by Roland Dreier

IB/iser: Fix error flow in iser ep connection establishment



The current error flow code was releasing the IB connection object and
calling iscsi_destroy_endpoint() directly without going through the
reference counting mechanism introduced in commit 39ff05db ("IB/iser:
Enhance disconnection logic for multi-pathing"). This resulted in a
double free of the iscsi endpoint object, which causes a kernel NULL
pointer dereference.  Fix that by plugging into the IB conn reference
counting correctly.

Signed-off-by: Or Gerlitz <ogerlitz@mellanox.com>
Signed-off-by: Roland Dreier <roland@purestorage.com>
parent d48b97b4
+2 −3
@@ -573,10 +573,9 @@ iscsi_iser_ep_connect(struct Scsi_Host *shost, struct sockaddr *dst_addr,

	err = iser_connect(ib_conn, NULL, (struct sockaddr_in *)dst_addr,
			   non_blocking);
	if (err) {
		iscsi_destroy_endpoint(ep);
	if (err)
		return ERR_PTR(err);
	}

	return ep;
}
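
Review bot: the error branch after iser_connect() ends in return ERR_PTR(err) with no local cleanup of ep, so this function now depends entirely on the reference counting named in the commit message to release the endpoint, and nothing at the call site says so. Please add a one-line comment at the `if (err)` stating that ep and ib_conn are released through the ib conn reference count on failure. Without it the return reads like a leak, and a later cleanup patch could put iscsi_destroy_endpoint(ep) back and reintroduce the double free.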

+2 −1
@@ -613,8 +613,9 @@ id_failure:
	ib_conn->cma_id = NULL;
addr_failure:
	ib_conn->state = ISER_CONN_DOWN;
	iser_conn_put(ib_conn, 1); /* deref ib conn's cma id */
connect_failure:
	iser_conn_release(ib_conn, 1);
	iser_conn_put(ib_conn, 1); /* deref ib conn deallocate */
	return err;
}
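
Review bot: addr_failure falls through into connect_failure, so that path calls iser_conn_put(ib_conn, 1) twice while a direct jump to connect_failure calls it once; please confirm that each label is only reached while holding exactly that many references, since an imbalance here is either a leak or another early free. The comment "deref ib conn deallocate" is hard to parse and would be clearer as something like "drop the last ib conn reference, which deallocates it". The meaning of the second argument 1 should also be documented, either at these calls or in the header comment of iser_conn_put().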