• Hariprasad S's avatar
    RDMA/iw_cxgb4: ensure eps don't get freed while the mutex is held · 6e410d8f
    Hariprasad S authored
    In rx_data(), with the ep in FPDU_MODE, refcnt=2, if we get unexpected
    streaming data, we call c4iw_modify_rc_qp() and move the qp from
    RTS -> TERMINATE.  In c4iw_modify_rc_qp(), if rdma_fini() returns
    an error, the ep will be dereferenced (refcnt=1).  Then rx_data()
    calls c4iw_ep_disconnect() which starts the close operation.
    But if send_halfclose() fails in c4iw_ep_disconnect(), we  will call
    release_ep_resources() derefing the ep which reduces the refcnt to 0 and
    and frees the ep. However we still has the ep mutex at that point, so we
    have a touch-after-free bug.  There is a similar issue where
    peer_close() calls c4iw_ep_disconnect().
    
    The solution is to add a reference to the ep in c4iw_ep_disconnect()
    after acquiring  the mutex, and release it after releasing the mutex.
    Signed-off-by: default avatarSteve Wise <swise@opengridcomputing.com>
    Signed-off-by: default avatarHariprasad Shenai <hariprasad@chelsio.com>
    Signed-off-by: default avatarDoug Ledford <dledford@redhat.com>
    6e410d8f
cm.c 113 KB