IB/iser: Fix error flow in iser ep connection establishment

The current error flow code was releasing the IB connection object and
calling iscsi_destroy_endpoint() directly without going through the
reference counting mechanism introduced in commit 39ff05d ("IB/iser:
Enhance disconnection logic for multi-pathing"). This resulted in a
double free of the iscsi endpoint object, which causes a kernel NULL
pointer dereference.  Fix that by plugging into the IB conn reference
counting correctly.

Signed-off-by: Or Gerlitz <ogerlitz@mellanox.com>
Signed-off-by: Roland Dreier <roland@purestorage.com>

diff --git a/drivers/infiniband/ulp/iser/iscsi_iser.c b/drivers/infiniband/ulp/iser/iscsi_iser.c
index db43b3117168f0df7c13532dca71cd5289ef6096..0ab8c9cc3a7893dec0112ecf7e21d4eb13c875dd 100644 (file)
--- a/drivers/infiniband/ulp/iser/iscsi_iser.c
+++ b/drivers/infiniband/ulp/iser/iscsi_iser.c
@@ -573,10 +573,9 @@ iscsi_iser_ep_connect(struct Scsi_Host *shost, struct sockaddr *dst_addr,
 
        err = iser_connect(ib_conn, NULL, (struct sockaddr_in *)dst_addr,
                           non_blocking);
-       if (err) {
-               iscsi_destroy_endpoint(ep);
+       if (err)
                return ERR_PTR(err);
-       }
+
        return ep;
 }
 

diff --git a/drivers/infiniband/ulp/iser/iser_verbs.c b/drivers/infiniband/ulp/iser/iser_verbs.c
index 14224ba44fd8551ee199e2f9410d3f3f356dddce..2dddabd8fcf9882fe93f59f9dcbf5faaf862f016 100644 (file)
--- a/drivers/infiniband/ulp/iser/iser_verbs.c
+++ b/drivers/infiniband/ulp/iser/iser_verbs.c
@@ -613,8 +613,9 @@ id_failure:
        ib_conn->cma_id = NULL;
 addr_failure:
        ib_conn->state = ISER_CONN_DOWN;
+       iser_conn_put(ib_conn, 1); /* deref ib conn's cma id */
 connect_failure:
-       iser_conn_release(ib_conn, 1);
+       iser_conn_put(ib_conn, 1); /* deref ib conn deallocate */
        return err;
 }