From b338c785c5c945383046ff39092e3021ea5b1d95 Mon Sep 17 00:00:00 2001 From: Bhanu Prakash Gollapudi Date: Thu, 4 Aug 2011 17:38:46 -0700 Subject: [SCSI] bnx2fc: Fix NULL pointer deref during arm_cq. There exists a race condition between CQ doorbell unmap and IO completion path that arms the CQ which causes a NULL dereference. Protect the ctx_base with cq_lock to avoid this. Also, wait for the CQ doorbell to be successfully mapped before arming the CQ. Also, do not count uncolicited CQ completions for free_sqes. Signed-off-by: Bhanu Prakash Gollapudi Signed-off-by: James Bottomley --- drivers/scsi/bnx2fc/bnx2fc_hwi.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) (limited to 'drivers/scsi/bnx2fc/bnx2fc_hwi.c') diff --git a/drivers/scsi/bnx2fc/bnx2fc_hwi.c b/drivers/scsi/bnx2fc/bnx2fc_hwi.c index 72cfb14acd3a..b241f3d33362 100644 --- a/drivers/scsi/bnx2fc/bnx2fc_hwi.c +++ b/drivers/scsi/bnx2fc/bnx2fc_hwi.c @@ -1009,6 +1009,7 @@ int bnx2fc_process_new_cqes(struct bnx2fc_rport *tgt) u32 cq_cons; struct fcoe_cqe *cqe; u32 num_free_sqes = 0; + u32 num_cqes = 0; u16 wqe; /* @@ -1058,10 +1059,11 @@ unlock: wake_up_process(fps->iothread); else bnx2fc_process_cq_compl(tgt, wqe); + num_free_sqes++; } cqe++; tgt->cq_cons_idx++; - num_free_sqes++; + num_cqes++; if (tgt->cq_cons_idx == BNX2FC_CQ_WQES_MAX) { tgt->cq_cons_idx = 0; @@ -1070,8 +1072,10 @@ unlock: 1 - tgt->cq_curr_toggle_bit; } } - if (num_free_sqes) { - bnx2fc_arm_cq(tgt); + if (num_cqes) { + /* Arm CQ only if doorbell is mapped */ + if (tgt->ctx_base) + bnx2fc_arm_cq(tgt); atomic_add(num_free_sqes, &tgt->free_sqes); } spin_unlock_bh(&tgt->cq_lock); -- cgit