diff options
| author | Ka-Cheong Poon <[email protected]> | 2020-04-08 03:21:02 -0700 | 
|---|---|---|
| committer | David S. Miller <[email protected]> | 2020-04-09 10:22:00 -0700 | 
| commit | 2fabef4f65b46b261434a27ecdce291b63de8522 (patch) | |
| tree | 5c318bbf58af67e56b085332648cac599973b3fb /net/unix/unix_bpf.c | |
| parent | e228a5d05e9ee25878e9a40de96e7ceb579d4893 (diff) | |
net/rds: Fix MR reference counting problem
In rds_free_mr(), it calls rds_destroy_mr(mr) directly.  But this
defeats the purpose of reference counting and makes MR free handling
impossible.  It means that holding a reference does not guarantee that
it is safe to access some fields.  For example, In
rds_cmsg_rdma_dest(), it increases the ref count, unlocks and then
calls mr->r_trans->sync_mr().  But if rds_free_mr() (and
rds_destroy_mr()) is called in between (there is no lock preventing
this to happen), r_trans_private is set to NULL, causing a panic.
Similar issue is in rds_rdma_unuse().
Reported-by: zerons <[email protected]>
Signed-off-by: Ka-Cheong Poon <[email protected]>
Acked-by: Santosh Shilimkar <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Diffstat (limited to 'net/unix/unix_bpf.c')
0 files changed, 0 insertions, 0 deletions