summaryrefslogtreecommitdiff
path: root/drivers/scsi/bnx2fc/bnx2fc_hwi.c
diff options
context:
space:
mode:
authorBhanu Prakash Gollapudi <bprakash@broadcom.com>2011-08-05 04:38:46 +0400
committerJames Bottomley <JBottomley@Parallels.com>2011-08-27 18:35:42 +0400
commitb338c785c5c945383046ff39092e3021ea5b1d95 (patch)
tree548bd66957226efdd21e32eefefc222fdc593a69 /drivers/scsi/bnx2fc/bnx2fc_hwi.c
parent81214013130cd24142f6465f7f5a256fed530c17 (diff)
downloadlinux-b338c785c5c945383046ff39092e3021ea5b1d95.tar.xz
[SCSI] bnx2fc: Fix NULL pointer deref during arm_cq.
There exists a race condition between CQ doorbell unmap and IO completion path that arms the CQ which causes a NULL dereference. Protect the ctx_base with cq_lock to avoid this. Also, wait for the CQ doorbell to be successfully mapped before arming the CQ. Also, do not count uncolicited CQ completions for free_sqes. Signed-off-by: Bhanu Prakash Gollapudi <bprakash@broadcom.com> Signed-off-by: James Bottomley <JBottomley@Parallels.com>
Diffstat (limited to 'drivers/scsi/bnx2fc/bnx2fc_hwi.c')
-rw-r--r--drivers/scsi/bnx2fc/bnx2fc_hwi.c10
1 files changed, 7 insertions, 3 deletions
diff --git a/drivers/scsi/bnx2fc/bnx2fc_hwi.c b/drivers/scsi/bnx2fc/bnx2fc_hwi.c
index 72cfb14acd3a..b241f3d33362 100644
--- a/drivers/scsi/bnx2fc/bnx2fc_hwi.c
+++ b/drivers/scsi/bnx2fc/bnx2fc_hwi.c
@@ -1009,6 +1009,7 @@ int bnx2fc_process_new_cqes(struct bnx2fc_rport *tgt)
u32 cq_cons;
struct fcoe_cqe *cqe;
u32 num_free_sqes = 0;
+ u32 num_cqes = 0;
u16 wqe;
/*
@@ -1058,10 +1059,11 @@ unlock:
wake_up_process(fps->iothread);
else
bnx2fc_process_cq_compl(tgt, wqe);
+ num_free_sqes++;
}
cqe++;
tgt->cq_cons_idx++;
- num_free_sqes++;
+ num_cqes++;
if (tgt->cq_cons_idx == BNX2FC_CQ_WQES_MAX) {
tgt->cq_cons_idx = 0;
@@ -1070,8 +1072,10 @@ unlock:
1 - tgt->cq_curr_toggle_bit;
}
}
- if (num_free_sqes) {
- bnx2fc_arm_cq(tgt);
+ if (num_cqes) {
+ /* Arm CQ only if doorbell is mapped */
+ if (tgt->ctx_base)
+ bnx2fc_arm_cq(tgt);
atomic_add(num_free_sqes, &tgt->free_sqes);
}
spin_unlock_bh(&tgt->cq_lock);