]>
Commit | Line | Data |
---|---|---|
6a930a95 BS |
1 | From 251b8184b1bd4e17656d72ba9cffcba733092064 Mon Sep 17 00:00:00 2001 |
2 | From: Robert Love <robert.w.love@intel.com> | |
3 | Date: Mon, 2 Feb 2009 10:13:06 -0800 | |
4 | Subject: [PATCH] libfc: check for err when recv and state is incorrect | |
5 | References: bnc#473602 | |
6 | ||
7 | If we've just created an interface and the an rport is | |
8 | logging in we may have a request on the wire (say PRLI). | |
9 | If we destroy the interface, we'll go through each rport | |
10 | on the disc->rports list and set each rport's state to NONE. | |
11 | Then the lport will reset the EM. The EM reset will send a | |
12 | CLOSED event to the prli_resp() handler which will notice | |
13 | that the state != PRLI. In this case it frees the frame | |
14 | pointer, decrements the refcount and unlocks the rport. | |
15 | ||
16 | The problem is that there isn't a frame in this case. It's | |
17 | just a pointer with an embedded error code. The free causes | |
18 | an Oops. | |
19 | ||
20 | This patch moves the error checking to be before the state | |
21 | checking. | |
22 | ||
23 | Signed-off-by: Robert Love <robert.w.love@intel.com> | |
24 | Signed-off-by: Hannes Reinecke <hare@suse.de> | |
25 | ||
26 | --- | |
27 | drivers/scsi/libfc/fc_lport.c | 50 +++++++++++++++++++++--------------------- | |
28 | drivers/scsi/libfc/fc_rport.c | 30 ++++++++++++------------- | |
29 | 2 files changed, 40 insertions(+), 40 deletions(-) | |
30 | ||
31 | --- a/drivers/scsi/libfc/fc_lport.c | |
32 | +++ b/drivers/scsi/libfc/fc_lport.c | |
33 | @@ -1031,17 +1031,17 @@ static void fc_lport_rft_id_resp(struct | |
34 | ||
35 | FC_DEBUG_LPORT("Received a RFT_ID response\n"); | |
36 | ||
37 | + if (IS_ERR(fp)) { | |
38 | + fc_lport_error(lport, fp); | |
39 | + goto err; | |
40 | + } | |
41 | + | |
42 | if (lport->state != LPORT_ST_RFT_ID) { | |
43 | FC_DBG("Received a RFT_ID response, but in state %s\n", | |
44 | fc_lport_state(lport)); | |
45 | goto out; | |
46 | } | |
47 | ||
48 | - if (IS_ERR(fp)) { | |
49 | - fc_lport_error(lport, fp); | |
50 | - goto err; | |
51 | - } | |
52 | - | |
53 | fh = fc_frame_header_get(fp); | |
54 | ct = fc_frame_payload_get(fp, sizeof(*ct)); | |
55 | ||
56 | @@ -1083,17 +1083,17 @@ static void fc_lport_rpn_id_resp(struct | |
57 | ||
58 | FC_DEBUG_LPORT("Received a RPN_ID response\n"); | |
59 | ||
60 | + if (IS_ERR(fp)) { | |
61 | + fc_lport_error(lport, fp); | |
62 | + goto err; | |
63 | + } | |
64 | + | |
65 | if (lport->state != LPORT_ST_RPN_ID) { | |
66 | FC_DBG("Received a RPN_ID response, but in state %s\n", | |
67 | fc_lport_state(lport)); | |
68 | goto out; | |
69 | } | |
70 | ||
71 | - if (IS_ERR(fp)) { | |
72 | - fc_lport_error(lport, fp); | |
73 | - goto err; | |
74 | - } | |
75 | - | |
76 | fh = fc_frame_header_get(fp); | |
77 | ct = fc_frame_payload_get(fp, sizeof(*ct)); | |
78 | if (fh && ct && fh->fh_type == FC_TYPE_CT && | |
79 | @@ -1133,17 +1133,17 @@ static void fc_lport_scr_resp(struct fc_ | |
80 | ||
81 | FC_DEBUG_LPORT("Received a SCR response\n"); | |
82 | ||
83 | + if (IS_ERR(fp)) { | |
84 | + fc_lport_error(lport, fp); | |
85 | + goto err; | |
86 | + } | |
87 | + | |
88 | if (lport->state != LPORT_ST_SCR) { | |
89 | FC_DBG("Received a SCR response, but in state %s\n", | |
90 | fc_lport_state(lport)); | |
91 | goto out; | |
92 | } | |
93 | ||
94 | - if (IS_ERR(fp)) { | |
95 | - fc_lport_error(lport, fp); | |
96 | - goto err; | |
97 | - } | |
98 | - | |
99 | op = fc_frame_payload_op(fp); | |
100 | if (op == ELS_LS_ACC) | |
101 | fc_lport_enter_ready(lport); | |
102 | @@ -1359,17 +1359,17 @@ static void fc_lport_logo_resp(struct fc | |
103 | ||
104 | FC_DEBUG_LPORT("Received a LOGO response\n"); | |
105 | ||
106 | + if (IS_ERR(fp)) { | |
107 | + fc_lport_error(lport, fp); | |
108 | + goto err; | |
109 | + } | |
110 | + | |
111 | if (lport->state != LPORT_ST_LOGO) { | |
112 | FC_DBG("Received a LOGO response, but in state %s\n", | |
113 | fc_lport_state(lport)); | |
114 | goto out; | |
115 | } | |
116 | ||
117 | - if (IS_ERR(fp)) { | |
118 | - fc_lport_error(lport, fp); | |
119 | - goto err; | |
120 | - } | |
121 | - | |
122 | op = fc_frame_payload_op(fp); | |
123 | if (op == ELS_LS_ACC) | |
124 | fc_lport_enter_reset(lport); | |
125 | @@ -1443,17 +1443,17 @@ static void fc_lport_flogi_resp(struct f | |
126 | ||
127 | FC_DEBUG_LPORT("Received a FLOGI response\n"); | |
128 | ||
129 | + if (IS_ERR(fp)) { | |
130 | + fc_lport_error(lport, fp); | |
131 | + goto err; | |
132 | + } | |
133 | + | |
134 | if (lport->state != LPORT_ST_FLOGI) { | |
135 | FC_DBG("Received a FLOGI response, but in state %s\n", | |
136 | fc_lport_state(lport)); | |
137 | goto out; | |
138 | } | |
139 | ||
140 | - if (IS_ERR(fp)) { | |
141 | - fc_lport_error(lport, fp); | |
142 | - goto err; | |
143 | - } | |
144 | - | |
145 | fh = fc_frame_header_get(fp); | |
146 | did = ntoh24(fh->fh_d_id); | |
147 | if (fc_frame_payload_op(fp) == ELS_LS_ACC && did != 0) { | |
148 | --- a/drivers/scsi/libfc/fc_rport.c | |
149 | +++ b/drivers/scsi/libfc/fc_rport.c | |
150 | @@ -505,17 +505,17 @@ static void fc_rport_plogi_resp(struct f | |
151 | FC_DEBUG_RPORT("Received a PLOGI response from port (%6x)\n", | |
152 | rport->port_id); | |
153 | ||
154 | + if (IS_ERR(fp)) { | |
155 | + fc_rport_error_retry(rport, fp); | |
156 | + goto err; | |
157 | + } | |
158 | + | |
159 | if (rdata->rp_state != RPORT_ST_PLOGI) { | |
160 | FC_DBG("Received a PLOGI response, but in state %s\n", | |
161 | fc_rport_state(rport)); | |
162 | goto out; | |
163 | } | |
164 | ||
165 | - if (IS_ERR(fp)) { | |
166 | - fc_rport_error_retry(rport, fp); | |
167 | - goto err; | |
168 | - } | |
169 | - | |
170 | op = fc_frame_payload_op(fp); | |
171 | if (op == ELS_LS_ACC && | |
172 | (plp = fc_frame_payload_get(fp, sizeof(*plp))) != NULL) { | |
173 | @@ -614,17 +614,17 @@ static void fc_rport_prli_resp(struct fc | |
174 | FC_DEBUG_RPORT("Received a PRLI response from port (%6x)\n", | |
175 | rport->port_id); | |
176 | ||
177 | + if (IS_ERR(fp)) { | |
178 | + fc_rport_error_retry(rport, fp); | |
179 | + goto err; | |
180 | + } | |
181 | + | |
182 | if (rdata->rp_state != RPORT_ST_PRLI) { | |
183 | FC_DBG("Received a PRLI response, but in state %s\n", | |
184 | fc_rport_state(rport)); | |
185 | goto out; | |
186 | } | |
187 | ||
188 | - if (IS_ERR(fp)) { | |
189 | - fc_rport_error_retry(rport, fp); | |
190 | - goto err; | |
191 | - } | |
192 | - | |
193 | op = fc_frame_payload_op(fp); | |
194 | if (op == ELS_LS_ACC) { | |
195 | pp = fc_frame_payload_get(fp, sizeof(*pp)); | |
196 | @@ -764,17 +764,17 @@ static void fc_rport_rtv_resp(struct fc_ | |
197 | FC_DEBUG_RPORT("Received a RTV response from port (%6x)\n", | |
198 | rport->port_id); | |
199 | ||
200 | + if (IS_ERR(fp)) { | |
201 | + fc_rport_error(rport, fp); | |
202 | + goto err; | |
203 | + } | |
204 | + | |
205 | if (rdata->rp_state != RPORT_ST_RTV) { | |
206 | FC_DBG("Received a RTV response, but in state %s\n", | |
207 | fc_rport_state(rport)); | |
208 | goto out; | |
209 | } | |
210 | ||
211 | - if (IS_ERR(fp)) { | |
212 | - fc_rport_error(rport, fp); | |
213 | - goto err; | |
214 | - } | |
215 | - | |
216 | op = fc_frame_payload_op(fp); | |
217 | if (op == ELS_LS_ACC) { | |
218 | struct fc_els_rtv_acc *rtv; |