提交 30c95c2d 编写于 作者: S Steve Wise 提交者: Roland Dreier

RDMA/cxgb4: Don't change QP state outside EP lock

Concurrent ingress CLOSE and ULP ABORT operations causes a crash due
to a race condition where the close path releases the EP lock and then
tries to move the QP state to CLOSED.  This must be done inside the EP
lock to avoid the race.
Signed-off-by: NSteve Wise <swise@opengridcomputing.com>
Signed-off-by: NRoland Dreier <roland@purestorage.com>
上级 693d92a1
...@@ -1466,7 +1466,7 @@ static int peer_close(struct c4iw_dev *dev, struct sk_buff *skb) ...@@ -1466,7 +1466,7 @@ static int peer_close(struct c4iw_dev *dev, struct sk_buff *skb)
struct c4iw_qp_attributes attrs; struct c4iw_qp_attributes attrs;
int disconnect = 1; int disconnect = 1;
int release = 0; int release = 0;
int closing = 0; int abort = 0;
struct tid_info *t = dev->rdev.lldi.tids; struct tid_info *t = dev->rdev.lldi.tids;
unsigned int tid = GET_TID(hdr); unsigned int tid = GET_TID(hdr);
...@@ -1507,8 +1507,11 @@ static int peer_close(struct c4iw_dev *dev, struct sk_buff *skb) ...@@ -1507,8 +1507,11 @@ static int peer_close(struct c4iw_dev *dev, struct sk_buff *skb)
case FPDU_MODE: case FPDU_MODE:
start_ep_timer(ep); start_ep_timer(ep);
__state_set(&ep->com, CLOSING); __state_set(&ep->com, CLOSING);
closing = 1; attrs.next_state = C4IW_QP_STATE_CLOSING;
abort = c4iw_modify_qp(ep->com.qp->rhp, ep->com.qp,
C4IW_QP_ATTR_NEXT_STATE, &attrs, 1);
peer_close_upcall(ep); peer_close_upcall(ep);
disconnect = 1;
break; break;
case ABORTING: case ABORTING:
disconnect = 0; disconnect = 0;
...@@ -1536,11 +1539,6 @@ static int peer_close(struct c4iw_dev *dev, struct sk_buff *skb) ...@@ -1536,11 +1539,6 @@ static int peer_close(struct c4iw_dev *dev, struct sk_buff *skb)
BUG_ON(1); BUG_ON(1);
} }
mutex_unlock(&ep->com.mutex); mutex_unlock(&ep->com.mutex);
if (closing) {
attrs.next_state = C4IW_QP_STATE_CLOSING;
c4iw_modify_qp(ep->com.qp->rhp, ep->com.qp,
C4IW_QP_ATTR_NEXT_STATE, &attrs, 1);
}
if (disconnect) if (disconnect)
c4iw_ep_disconnect(ep, 0, GFP_KERNEL); c4iw_ep_disconnect(ep, 0, GFP_KERNEL);
if (release) if (release)
...@@ -1710,14 +1708,14 @@ static int terminate(struct c4iw_dev *dev, struct sk_buff *skb) ...@@ -1710,14 +1708,14 @@ static int terminate(struct c4iw_dev *dev, struct sk_buff *skb)
ep = lookup_tid(t, tid); ep = lookup_tid(t, tid);
BUG_ON(!ep); BUG_ON(!ep);
if (ep->com.qp) { if (ep && ep->com.qp) {
printk(KERN_WARNING MOD "TERM received tid %u qpid %u\n", tid, printk(KERN_WARNING MOD "TERM received tid %u qpid %u\n", tid,
ep->com.qp->wq.sq.qid); ep->com.qp->wq.sq.qid);
attrs.next_state = C4IW_QP_STATE_TERMINATE; attrs.next_state = C4IW_QP_STATE_TERMINATE;
c4iw_modify_qp(ep->com.qp->rhp, ep->com.qp, c4iw_modify_qp(ep->com.qp->rhp, ep->com.qp,
C4IW_QP_ATTR_NEXT_STATE, &attrs, 1); C4IW_QP_ATTR_NEXT_STATE, &attrs, 1);
} else } else
printk(KERN_WARNING MOD "TERM received tid %u no qp\n", tid); printk(KERN_WARNING MOD "TERM received tid %u no ep/qp\n", tid);
return 0; return 0;
} }
......
...@@ -161,8 +161,8 @@ static inline int c4iw_wait_for_reply(struct c4iw_rdev *rdev, ...@@ -161,8 +161,8 @@ static inline int c4iw_wait_for_reply(struct c4iw_rdev *rdev,
} }
} while (!wr_waitp->done); } while (!wr_waitp->done);
if (wr_waitp->ret) if (wr_waitp->ret)
printk(KERN_WARNING MOD "%s: FW reply %d tid %u qpid %u\n", PDBG("%s: FW reply %d tid %u qpid %u\n",
pci_name(rdev->lldi.pdev), wr_waitp->ret, hwtid, qpid); pci_name(rdev->lldi.pdev), wr_waitp->ret, hwtid, qpid);
return wr_waitp->ret; return wr_waitp->ret;
} }
......
...@@ -1210,7 +1210,6 @@ int c4iw_modify_qp(struct c4iw_dev *rhp, struct c4iw_qp *qhp, ...@@ -1210,7 +1210,6 @@ int c4iw_modify_qp(struct c4iw_dev *rhp, struct c4iw_qp *qhp,
if (ret) { if (ret) {
if (internal) if (internal)
c4iw_get_ep(&qhp->ep->com); c4iw_get_ep(&qhp->ep->com);
disconnect = abort = 1;
goto err; goto err;
} }
break; break;
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册