d/freebsd-dev
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

sdp: Use an mbufq for received control packets.

Browse Source 
This is simpler than the hand-rolled queue, and fixes a use-after-free.

Sponsored by:	EMC / Isilon Storage Division
This commit is contained in:
Mark Johnston 2016-07-29 20:35:04 +00:00
parent 30a71b3c30
commit 2cefa87b0b
Notes: svn2git 2020-12-20 02:59:44 +00:00 
svn path=/head/; revision=303505
3 changed files with 6 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
sys/ofed/drivers/infiniband/ulp/sdp/sdp.h
View File

@ -403,8 +403,7 @@ struct sdp_sock {
struct sdp_rx_ring rx_ring;
struct sdp_tx_ring tx_ring;
struct rwlock lock;
struct mbuf *rx_ctl_q;
struct mbuf *rx_ctl_tail;
struct mbufq rxctlq; /* received control packets */
int qp_active; /* XXX Flag. */
int max_sge;

1
sys/ofed/drivers/infiniband/ulp/sdp/sdp_main.c
View File

@ -469,6 +469,7 @@ sdp_attach(struct socket *so, int proto, struct thread *td)
ssk->flags = 0;
ssk->qp_active = 0;
ssk->state = TCPS_CLOSED;
mbufq_init(&ssk->rxctlq, INT_MAX);
SDP_LIST_WLOCK();
LIST_INSERT_HEAD(&sdp_list, ssk, list);
sdp_count++;

16
sys/ofed/drivers/infiniband/ulp/sdp/sdp_rx.c
View File

@ -459,14 +459,9 @@ sdp_process_rx_mb(struct sdp_sock *ssk, struct mbuf *mb)
ntohl(rrch->len));
}
#endif
mb->m_nextpkt = NULL;
if (ssk->rx_ctl_tail)
ssk->rx_ctl_tail->m_nextpkt = mb;
else
ssk->rx_ctl_q = mb;
ssk->rx_ctl_tail = mb;
return 0;
if (mbufq_enqueue(&ssk->rxctlq, mb) != 0)
m_freem(mb);
return (0);
}
sdp_prf1(sk, NULL, "queueing %s mb\n", mid2str(h->mid));
@ -611,11 +606,8 @@ sdp_do_posts(struct sdp_sock *ssk)
return;
}
while ((mb = ssk->rx_ctl_q)) {
ssk->rx_ctl_q = mb->m_nextpkt;
mb->m_nextpkt = NULL;
while ((mb = mbufq_dequeue(&ssk->rxctlq)) != NULL)
sdp_process_rx_ctl_mb(ssk, mb);
}
if (ssk->state == TCPS_TIME_WAIT)
return;