aboutsummaryrefslogtreecommitdiffstats
path: root/drivers/net
diff options
context:
space:
mode:
authorMichael Chan <mchan@broadcom.com>2010-02-24 14:42:06 +0000
committerDavid S. Miller <davem@davemloft.net>2010-02-26 02:10:13 -0800
commitd02a5e6c2fba8b114c44cf05085fca07180f37f1 (patch)
treee91243a2c2256dec2b9f7ad20273c55cdc137358 /drivers/net
parent66883e90eaa0dd55d395c0f9a0c6da5d50809804 (diff)
downloadkernel_samsung_tuna-d02a5e6c2fba8b114c44cf05085fca07180f37f1.zip
kernel_samsung_tuna-d02a5e6c2fba8b114c44cf05085fca07180f37f1.tar.gz
kernel_samsung_tuna-d02a5e6c2fba8b114c44cf05085fca07180f37f1.tar.bz2
cnic: Fix panic in cnic_iscsi_nl_msg_recv() when device is down.
Some data structures are freed when the device is down and it will crash if an ISCSI netlink message is received. Add RCU protection to prevent this. In the shutdown path, ulp_ops[CNIC_ULP_L4] is assigned NULL and rcu_synchronized before freeing the data structures. Signed-off-by: Michael Chan <mchan@broadcom.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'drivers/net')
-rw-r--r--drivers/net/cnic.c7
1 files changed, 7 insertions, 0 deletions
diff --git a/drivers/net/cnic.c b/drivers/net/cnic.c
index 40865aa..4558444 100644
--- a/drivers/net/cnic.c
+++ b/drivers/net/cnic.c
@@ -327,6 +327,12 @@ static int cnic_iscsi_nl_msg_recv(struct cnic_dev *dev, u32 msg_type,
if (l5_cid >= MAX_CM_SK_TBL_SZ)
break;
+ rcu_read_lock();
+ if (!rcu_dereference(cp->ulp_ops[CNIC_ULP_L4])) {
+ rc = -ENODEV;
+ rcu_read_unlock();
+ break;
+ }
csk = &cp->csk_tbl[l5_cid];
csk_hold(csk);
if (cnic_in_use(csk)) {
@@ -341,6 +347,7 @@ static int cnic_iscsi_nl_msg_recv(struct cnic_dev *dev, u32 msg_type,
cnic_cm_set_pg(csk);
}
csk_put(csk);
+ rcu_read_unlock();
rc = 0;
}
}