summaryrefslogtreecommitdiffstats
path: root/fs/nfs/nfs4xdr.c
diff options
context:
space:
mode:
authorChuck Lever <chuck.lever@oracle.com>2021-05-01 21:38:02 +0200
committerTrond Myklebust <trond.myklebust@hammerspace.com>2021-05-02 01:42:22 +0200
commit9e895cd9649abe4392c59d14e31b0f5667d082d2 (patch)
tree65806dfb3557a48362d1548ab031ff1498345d32 /fs/nfs/nfs4xdr.c
parentsunrpc: Fix misplaced barrier in call_decode (diff)
downloadlinux-9e895cd9649abe4392c59d14e31b0f5667d082d2.tar.xz
linux-9e895cd9649abe4392c59d14e31b0f5667d082d2.zip
xprtrdma: Fix a NULL dereference in frwr_unmap_sync()
The normal mechanism that invalidates and unmaps MRs is frwr_unmap_async(). frwr_unmap_sync() is used only when an RPC Reply bearing Write or Reply chunks has been lost (ie, almost never). Coverity found that after commit 9a301cafc861 ("xprtrdma: Move fr_linv_done field to struct rpcrdma_mr"), the while() loop in frwr_unmap_sync() exits only once @mr is NULL, unconditionally causing subsequent dereferences of @mr to Oops. I've tested this fix by creating a client that skips invoking frwr_unmap_async() when RPC Replies complete. That forces all invalidation tasks to fall upon frwr_unmap_sync(). Simple workloads with this fix applied to the adulterated client work as designed. Reported-by: coverity-bot <keescook+coverity-bot@chromium.org> Addresses-Coverity-ID: 1504556 ("Null pointer dereferences") Fixes: 9a301cafc861 ("xprtrdma: Move fr_linv_done field to struct rpcrdma_mr") Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Diffstat (limited to 'fs/nfs/nfs4xdr.c')
0 files changed, 0 insertions, 0 deletions