cnic: Fix panic in cnic_iscsi_nl_msg_recv() when device is down.

Some data structures are freed when the device is down and it will crash if an ISCSI netlink message is received. Add RCU protection to prevent this. In the shutdown path, ulp_ops[CNIC_ULP_L4] is assigned NULL and rcu_synchronized before freeing the data structures. Signed-off-by: N Michael Chan <mchan@broadcom.com> Signed-off-by: N David S. Miller <davem@davemloft.net>

cnic: Fix panic in cnic_iscsi_nl_msg_recv() when device is down.
Some data structures are freed when the device is down and it will crash if an ISCSI netlink message is received. Add RCU protection to prevent this. In the shutdown path, ulp_ops[CNIC_ULP_L4] is assigned NULL and rcu_synchronized before freeing the data structures. Signed-off-by: N Michael Chan <mchan@broadcom.com> Signed-off-by: N David S. Miller <davem@davemloft.net>
d02a5e6c · Michael Chan · David S. Miller · 66883e90 · d02a5e6c
隐藏空白更改
内联并排

Showing with 7 addition and 0 deletion

drivers/net/cnic.c drivers/net/cnic.c +7 -0

未找到文件。
--- a/drivers/net/cnic.c
+++ b/drivers/net/cnic.c
@@ -327,6 +327,12 @@ static int cnic_iscsi_nl_msg_recv(struct cnic_dev *dev, u32 msg_type,
 		if (l5_cid >= MAX_CM_SK_TBL_SZ)
 			break;
+		rcu_read_lock();
+		if (!rcu_dereference(cp->ulp_ops[CNIC_ULP_L4])) {
+			rc = -ENODEV;
+			rcu_read_unlock();
+			break;
+		}
 		csk = &cp->csk_tbl[l5_cid];
 		csk_hold(csk);
 		if (cnic_in_use(csk)) {
@@ -341,6 +347,7 @@ static int cnic_iscsi_nl_msg_recv(struct cnic_dev *dev, u32 msg_type,
 				cnic_cm_set_pg(csk);
 		}
 		csk_put(csk);
+		rcu_read_unlock();
 		rc = 0;
 	}
 	}