summaryrefslogtreecommitdiffstats
path: root/net/rds/rds.h
diff options
context:
space:
mode:
authorKa-Cheong Poon <ka-cheong.poon@oracle.com>2020-04-08 03:21:02 -0700
committerDavid S. Miller <davem@davemloft.net>2020-04-09 10:22:00 -0700
commit2fabef4f65b46b261434a27ecdce291b63de8522 (patch)
tree5c318bbf58af67e56b085332648cac599973b3fb /net/rds/rds.h
parente228a5d05e9ee25878e9a40de96e7ceb579d4893 (diff)
downloadlinux-2fabef4f65b46b261434a27ecdce291b63de8522.tar.bz2
net/rds: Fix MR reference counting problem
In rds_free_mr(), it calls rds_destroy_mr(mr) directly. But this defeats the purpose of reference counting and makes MR free handling impossible. It means that holding a reference does not guarantee that it is safe to access some fields. For example, In rds_cmsg_rdma_dest(), it increases the ref count, unlocks and then calls mr->r_trans->sync_mr(). But if rds_free_mr() (and rds_destroy_mr()) is called in between (there is no lock preventing this to happen), r_trans_private is set to NULL, causing a panic. Similar issue is in rds_rdma_unuse(). Reported-by: zerons <sironhide0null@gmail.com> Signed-off-by: Ka-Cheong Poon <ka-cheong.poon@oracle.com> Acked-by: Santosh Shilimkar <santosh.shilimkar@oracle.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/rds/rds.h')
-rw-r--r--net/rds/rds.h8
1 files changed, 0 insertions, 8 deletions
diff --git a/net/rds/rds.h b/net/rds/rds.h
index 3cda01cfaa56..8e18cd2aec51 100644
--- a/net/rds/rds.h
+++ b/net/rds/rds.h
@@ -299,19 +299,11 @@ struct rds_mr {
unsigned int r_invalidate:1;
unsigned int r_write:1;
- /* This is for RDS_MR_DEAD.
- * It would be nice & consistent to make this part of the above
- * bit field here, but we need to use test_and_set_bit.
- */
- unsigned long r_state;
struct rds_sock *r_sock; /* back pointer to the socket that owns us */
struct rds_transport *r_trans;
void *r_trans_private;
};
-/* Flags for mr->r_state */
-#define RDS_MR_DEAD 0
-
static inline rds_rdma_cookie_t rds_rdma_make_cookie(u32 r_key, u32 offset)
{
return r_key | (((u64) offset) << 32);