RDMA/iwcm: Reject connect requests if cmid is not in LISTEN state

When destroying a listening cmid, the iwcm first marks the state of
the cmid as DESTROYING, then releases the lock and calls into the
iWARP provider to destroy the endpoint.  Since the cmid is not locked,
its possible for the iWARP provider to pass a connection request event
to the iwcm, which will be silently dropped by the iwcm.  This causes
the iWARP provider to never free up the resources from this connection
because the assumption is the iwcm will accept or reject this connection.

The solution is to reject these connection requests.

Signed-off-by: Steve Wise <swise@opengridcomputing.com>
Signed-off-by: Roland Dreier <roland@purestorage.com>

diff --git a/drivers/infiniband/core/iwcm.c b/drivers/infiniband/core/iwcm.c
index 1a696f76b61627b77c2653e7c5275ca19b2bb628..0bb99bb38809f12e7a1c2b7559f77e9a6744c9d0 100644 (file)
--- a/drivers/infiniband/core/iwcm.c
+++ b/drivers/infiniband/core/iwcm.c
@@ -624,17 +624,6 @@ static void cm_conn_req_handler(struct iwcm_id_private *listen_id_priv,
         */
        BUG_ON(iw_event->status);
 
-       /*
-        * We could be destroying the listening id. If so, ignore this
-        * upcall.
-        */
-       spin_lock_irqsave(&listen_id_priv->lock, flags);
-       if (listen_id_priv->state != IW_CM_STATE_LISTEN) {
-               spin_unlock_irqrestore(&listen_id_priv->lock, flags);
-               goto out;
-       }
-       spin_unlock_irqrestore(&listen_id_priv->lock, flags);
-
        cm_id = iw_create_cm_id(listen_id_priv->id.device,
                                listen_id_priv->id.cm_handler,
                                listen_id_priv->id.context);
@@ -649,6 +638,19 @@ static void cm_conn_req_handler(struct iwcm_id_private *listen_id_priv,
        cm_id_priv = container_of(cm_id, struct iwcm_id_private, id);
        cm_id_priv->state = IW_CM_STATE_CONN_RECV;
 
+       /*
+        * We could be destroying the listening id. If so, ignore this
+        * upcall.
+        */
+       spin_lock_irqsave(&listen_id_priv->lock, flags);
+       if (listen_id_priv->state != IW_CM_STATE_LISTEN) {
+               spin_unlock_irqrestore(&listen_id_priv->lock, flags);
+               iw_cm_reject(cm_id, NULL, 0);
+               iw_destroy_cm_id(cm_id);
+               goto out;
+       }
+       spin_unlock_irqrestore(&listen_id_priv->lock, flags);
+
        ret = alloc_work_entries(cm_id_priv, 3);
        if (ret) {
                iw_cm_reject(cm_id, NULL, 0);