From patchwork Mon Feb 24 14:30:16 2014 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Sagi Grimberg X-Patchwork-Id: 3709541 Return-Path: X-Original-To: patchwork-linux-rdma@patchwork.kernel.org Delivered-To: patchwork-parsemail@patchwork2.web.kernel.org Received: from mail.kernel.org (mail.kernel.org [198.145.19.201]) by patchwork2.web.kernel.org (Postfix) with ESMTP id D5997BF13A for ; Mon, 24 Feb 2014 14:30:39 +0000 (UTC) Received: from mail.kernel.org (localhost [127.0.0.1]) by mail.kernel.org (Postfix) with ESMTP id 0BD122015A for ; Mon, 24 Feb 2014 14:30:39 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 5FA8C20160 for ; Mon, 24 Feb 2014 14:30:33 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752880AbaBXOa3 (ORCPT ); Mon, 24 Feb 2014 09:30:29 -0500 Received: from mailp.voltaire.com ([193.47.165.129]:37672 "EHLO mellanox.co.il" rhost-flags-OK-FAIL-OK-FAIL) by vger.kernel.org with ESMTP id S1752516AbaBXOaZ (ORCPT ); Mon, 24 Feb 2014 09:30:25 -0500 Received: from Internal Mail-Server by MTLPINE1 (envelope-from sagig@mellanox.com) with SMTP; 24 Feb 2014 16:30:20 +0200 Received: from r-vnc02.mtr.labs.mlnx (r-vnc02.mtr.labs.mlnx [172.30.0.127]) by labmailer.mlnx (8.13.8/8.13.8) with ESMTP id s1OEUKkr028258; Mon, 24 Feb 2014 16:30:20 +0200 Received: from r-vnc02.mtr.labs.mlnx (r-vnc02 [127.0.0.1]) by r-vnc02.mtr.labs.mlnx (8.14.4/8.14.4) with ESMTP id s1OEUKLQ030673; Mon, 24 Feb 2014 16:30:20 +0200 Received: (from sagig@localhost) by r-vnc02.mtr.labs.mlnx (8.14.4/8.14.4/Submit) id s1OEUKuG030672; Mon, 24 Feb 2014 16:30:20 +0200 From: Sagi Grimberg To: bvanassche@acm.org Cc: roland@kernel.org, oren@mellanox.com, linux-rdma@vger.kernel.org Subject: [PATCH v1 1/3] IB/srp: Fix crash when unmapping data loop Date: Mon, 24 Feb 2014 16:30:16 +0200 Message-Id: <1393252218-30638-2-git-send-email-sagig@mellanox.com> X-Mailer: git-send-email 1.7.8.2 In-Reply-To: <1393252218-30638-1-git-send-email-sagig@mellanox.com> References: <1393252218-30638-1-git-send-email-sagig@mellanox.com> Sender: linux-rdma-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-rdma@vger.kernel.org X-Spam-Status: No, score=-6.9 required=5.0 tests=BAYES_00, RCVD_IN_DNSWL_HI, RP_MATCHES_RCVD, UNPARSEABLE_RELAY autolearn=ham version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP When unmapping request data, it is unsafe automatically decrement req->nfmr regardless of it's value. This may happen since IO and reconnect flow may run concurrently resulting in req->nfmr = -1 and falsely call ib_fmr_pool_unmap. Fix the loop condition to be greater than zero (which explicitly means that FMRs were used on this request) and only increment when needed. This crash is easily reproduceable with ConnectX VFs OR Connect-IB (where FMRs are not supported) Signed-off-by: Sagi Grimberg --- drivers/infiniband/ulp/srp/ib_srp.c | 5 ++++- 1 files changed, 4 insertions(+), 1 deletions(-) diff --git a/drivers/infiniband/ulp/srp/ib_srp.c b/drivers/infiniband/ulp/srp/ib_srp.c index 529b6bc..0e20bfb 100644 --- a/drivers/infiniband/ulp/srp/ib_srp.c +++ b/drivers/infiniband/ulp/srp/ib_srp.c @@ -766,8 +766,11 @@ static void srp_unmap_data(struct scsi_cmnd *scmnd, return; pfmr = req->fmr_list; - while (req->nfmr--) + + while (req->nfmr > 0) { ib_fmr_pool_unmap(*pfmr++); + req->nfmr--; + } ib_dma_unmap_sg(ibdev, scsi_sglist(scmnd), scsi_sg_count(scmnd), scmnd->sc_data_direction);