Now that establishment/teardown sequences can happen in parallel,
we should take into account that connected_handler might race with
connection teardown flow. Thus in order to avoid a NULL dereference
in cma_id->qp->qp_context we destroy the qp after we destroy the
cm_id (and make the dereference safe).
Cc: <stable@xxxxxxxxxxxxxxx> # 3.10+
Signed-off-by: Sagi Grimberg <sagig@xxxxxxxxxxxx>
---
drivers/infiniband/ulp/isert/ib_isert.c | 8 ++++----
1 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/infiniband/ulp/isert/ib_isert.c b/drivers/infiniband/ulp/isert/ib_isert.c
index 662412f..146b748 100644
--- a/drivers/infiniband/ulp/isert/ib_isert.c
+++ b/drivers/infiniband/ulp/isert/ib_isert.c
@@ -735,18 +735,18 @@ isert_connect_release(struct isert_conn *isert_conn)
if (device && device->use_fastreg)
isert_conn_free_fastreg_pool(isert_conn);
+ isert_free_rx_descriptors(isert_conn);
+ rdma_destroy_id(isert_conn->conn_cm_id);
+
if (isert_conn->conn_qp) {
cq_index = ((struct isert_cq_desc *)
isert_conn->conn_qp->recv_cq->cq_context)->cq_index;
pr_debug("isert_connect_release: cq_index: %d\n", cq_index);
isert_conn->conn_device->cq_active_qps[cq_index]--;
- rdma_destroy_qp(isert_conn->conn_cm_id);
+ ib_destroy_qp(isert_conn->conn_qp);
}
- isert_free_rx_descriptors(isert_conn);
- rdma_destroy_id(isert_conn->conn_cm_id);
-
ib_dereg_mr(isert_conn->conn_mr);
ib_dealloc_pd(isert_conn->conn_pd);
--
1.7.1
--
To unsubscribe from this list: send the line "unsubscribe stable" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html