From: Stanislaw Gruszka <sgruszka@redhat.com> Date: Thu, 3 Jun 2010 09:19:08 -0400 Subject: [net] cnic: fix panic when nl msg rcvd when device down Message-id: <20100603111908.2f3187ff@dhcp-lab-109.englab.brq.redhat.com> Patchwork-id: 25958 O-Subject: [RHEL5 PATCH] cnic: Fix panic in cnic_iscsi_nl_msg_recv() when device is down Bugzilla: 595862 RH-Acked-by: David S. Miller <davem@redhat.com> BZ#595862 Description (from upstream): Some data structures are freed when the device is down and it will crash if an ISCSI netlink message is received. Add RCU protection to prevent this. In the shutdown path, ulp_ops[CNIC_ULP_L4] is assigned NULL and rcu_synchronized before freeing the data structures. Upstream: commit d02a5e6c2fba8b114c44cf05085fca07180f37f1 Author: Michael Chan <mchan@broadcom.com> Date: Wed Feb 24 14:42:06 2010 +0000 cnic: Fix panic in cnic_iscsi_nl_msg_recv() when device is down. Brew: https://brewweb.devel.redhat.com/taskinfo?taskID=2484169 Testing: I test by load/unload cnic module. Test kernel was provided to broadcom. Signed-off-by: Jarod Wilson <jarod@redhat.com> diff --git a/drivers/net/cnic.c b/drivers/net/cnic.c index 2dd904d..f3881ce 100644 --- a/drivers/net/cnic.c +++ b/drivers/net/cnic.c @@ -326,6 +326,12 @@ static int cnic_iscsi_nl_msg_recv(struct cnic_dev *dev, u32 msg_type, if (l5_cid >= MAX_CM_SK_TBL_SZ) break; + rcu_read_lock(); + if (!rcu_dereference(cp->ulp_ops[CNIC_ULP_L4])) { + rc = -ENODEV; + rcu_read_unlock(); + break; + } csk = &cp->csk_tbl[l5_cid]; csk_hold(csk); if (cnic_in_use(csk)) { @@ -340,6 +346,7 @@ static int cnic_iscsi_nl_msg_recv(struct cnic_dev *dev, u32 msg_type, cnic_cm_set_pg(csk); } csk_put(csk); + rcu_read_unlock(); rc = 0; break; }