When unmapping request data, it is unsafe to automatically decrement req->nfmr regardless of its value. This may happen since IO and reconnect flow may run concurrently resulting in req->nfmr = -1 and falsely call ib_fmr_pool_unmap.
Fix the loop condition to be greater than zero (which explicitly means that FMRs were used on this request) and only increment when needed. This crash is easily reproducible with ConnectX VFs OR Connect-IB (where FMRs are not supported). Signed-off-by: Sagi Grimberg <[email protected]> --- drivers/infiniband/ulp/srp/ib_srp.c | 5 ++++- 1 files changed, 4 insertions(+), 1 deletions(-) diff --git a/drivers/infiniband/ulp/srp/ib_srp.c b/drivers/infiniband/ulp/srp/ib_srp.c index 529b6bc..0e20bfb 100644 --- a/drivers/infiniband/ulp/srp/ib_srp.c +++ b/drivers/infiniband/ulp/srp/ib_srp.c @@ -766,8 +766,11 @@ static void srp_unmap_data(struct scsi_cmnd *scmnd, return; pfmr = req->fmr_list; - while (req->nfmr--) + + while (req->nfmr > 0) { ib_fmr_pool_unmap(*pfmr++); + req->nfmr--; + } ib_dma_unmap_sg(ibdev, scsi_sglist(scmnd), scsi_sg_count(scmnd), scmnd->sc_data_direction); -- 1.7.1 -- To unsubscribe from this list: send the line "unsubscribe linux-rdma" in the body of a message to [email protected] More majordomo info at http://vger.kernel.org/majordomo-info.html
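Review bot: The new `while (req->nfmr > 0)` loop in srp_unmap_data() stops the walk from running past zero and leaves req->nfmr at 0 instead of -1, but it does not serialize the two callers the commit message names; if the IO and reconnect paths both reach this loop for the same request, both can observe nfmr > 0 and pass the same FMR to ib_fmr_pool_unmap before either performs `req->nfmr--`. Please state in the commit message which lock (if any) protects req->nfmr and req->fmr_list here, or make the accounting the single point of truth by taking the count out of req->nfmr once and zeroing it before unmapping. Two nits: the message says "only increment when needed" while the hunk decrements, and the added empty `+` line before the while introduces a stray blank line.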
