projects / linux-drm-fsl-dcu.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | compact (merge: 5e99b53 72c0217)
Merge tag 'nfs-rdma-for-4.3-2' of git://git.linux-nfs.org/projects/anna/nfs-rdma
authorTrond Myklebust <trond.myklebust@primarydata.com>
Fri, 2 Oct 2015 19:49:33 +0000 (15:49 -0400)
committerTrond Myklebust <trond.myklebust@primarydata.com>
Fri, 2 Oct 2015 19:49:33 +0000 (15:49 -0400)
NFS: NFSoRDMA bugfix

Fixes a use-after-free bug.

Signed-off-by: Anna Schumaker <Anna.Schumaker@netapp.com>
1  2 
net/sunrpc/xprtrdma/verbs.c patch | diff1 | diff2 | blob | history

diff --combined net/sunrpc/xprtrdma/verbs.c
index eb081ad05e33bb65a89b4afb499177dff4d2de89,611d9d507a856ae1ae640a2a4febf25e60408734..8a477e27bad75f4b9a6c8feeceb745ffe9407c71
--- 1/net/sunrpc/xprtrdma/verbs.c
--- 2/net/sunrpc/xprtrdma/verbs.c
+++ b/net/sunrpc/xprtrdma/verbs.c
@@@ -611,7 -611,7 +611,7 @@@ rpcrdma_ia_close(struct rpcrdma_ia *ia
  
        /* If the pd is still busy, xprtrdma missed freeing a resource */
        if (ia->ri_pd && !IS_ERR(ia->ri_pd))
 -              WARN_ON(ib_dealloc_pd(ia->ri_pd));
 +              ib_dealloc_pd(ia->ri_pd);
  }
  
  /*
@@@ -755,19 -755,22 +755,22 @@@ rpcrdma_ep_destroy(struct rpcrdma_ep *e
  
        cancel_delayed_work_sync(&ep->rep_connect_worker);
  
-       if (ia->ri_id->qp) {
+       if (ia->ri_id->qp)
                rpcrdma_ep_disconnect(ep, ia);
+       rpcrdma_clean_cq(ep->rep_attr.recv_cq);
+       rpcrdma_clean_cq(ep->rep_attr.send_cq);
+       if (ia->ri_id->qp) {
                rdma_destroy_qp(ia->ri_id);
                ia->ri_id->qp = NULL;
        }
  
-       rpcrdma_clean_cq(ep->rep_attr.recv_cq);
        rc = ib_destroy_cq(ep->rep_attr.recv_cq);
        if (rc)
                dprintk("RPC:       %s: ib_destroy_cq returned %i\n",
                        __func__, rc);
  
-       rpcrdma_clean_cq(ep->rep_attr.send_cq);
        rc = ib_destroy_cq(ep->rep_attr.send_cq);
        if (rc)
                dprintk("RPC:       %s: ib_destroy_cq returned %i\n",
@@@ -1252,7 -1255,7 +1255,7 @@@ rpcrdma_alloc_regbuf(struct rpcrdma_ia 
                goto out_free;
  
        iov->length = size;
 -      iov->lkey = ia->ri_dma_lkey;
 +      iov->lkey = ia->ri_pd->local_dma_lkey;
        rb->rg_size = size;
        rb->rg_owner = NULL;
        return rb;
Freescale DCU DRM driver