net/rds: Fix MR reference counting problem
In rds_free_mr(), it calls rds_destroy_mr(mr) directly. But this defeats the purpose of reference counting and makes MR free handling impossible. It means that holding a reference does not guarantee that it is safe to access some fields. For example, In rds_cmsg_rdma_dest(), it increases the ref count, unlocks and then calls mr->r_trans->sync_mr(). But if rds_free_mr() (and rds_destroy_mr()) is called in between (there is no lock preventing this to happen), r_trans_private is set to NULL, causing a panic. Similar issue is in rds_rdma_unuse(). Reported-by: zerons <sironhide0null@gmail.com> Signed-off-by: Ka-Cheong Poon <ka-cheong.poon@oracle.com> Acked-by: Santosh Shilimkar <santosh.shilimkar@oracle.com> Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
Ka-Cheong Poon
committed by
David S. Miller
David S. Miller
parent
e228a5d05e
commit
2fabef4f65
@@ -299,19 +299,11 @@ struct rds_mr {
|
||||
unsigned int r_invalidate:1;
|
||||
unsigned int r_write:1;
|
||||
|
||||
/* This is for RDS_MR_DEAD.
|
||||
* It would be nice & consistent to make this part of the above
|
||||
* bit field here, but we need to use test_and_set_bit.
|
||||
*/
|
||||
unsigned long r_state;
|
||||
struct rds_sock *r_sock; /* back pointer to the socket that owns us */
|
||||
struct rds_transport *r_trans;
|
||||
void *r_trans_private;
|
||||
};
|
||||
|
||||
/* Flags for mr->r_state */
|
||||
#define RDS_MR_DEAD 0
|
||||
|
||||
static inline rds_rdma_cookie_t rds_rdma_make_cookie(u32 r_key, u32 offset)
|
||||
{
|
||||
return r_key | (((u64) offset) << 32);
|
||||
|
||||
Reference in New Issue
Block a user