When unmapping request data, it is unsafe automatically decrement req->nfmr regardless of it's value since IO and reconnect flow may run concurrently resulting in req->nfmr = -1 and falsely call ib_fmr_pool_unmap. Fix the loop condition to to be greater then zero (which explicitely means that FMRs were used on this request) and only increment when needed. This crash is easily reproduceable with SRIOV OR Connect-IB (where FMRs are not supported) Signed-off-by: Sagi Grimberg <sagig@xxxxxxxxxxxx> --- drivers/infiniband/ulp/srp/ib_srp.c | 5 ++++- 1 files changed, 4 insertions(+), 1 deletions(-) diff --git a/drivers/infiniband/ulp/srp/ib_srp.c b/drivers/infiniband/ulp/srp/ib_srp.c index 529b6bc..0e20bfb 100644 --- a/drivers/infiniband/ulp/srp/ib_srp.c +++ b/drivers/infiniband/ulp/srp/ib_srp.c @@ -766,8 +766,11 @@ static void srp_unmap_data(struct scsi_cmnd *scmnd, return; pfmr = req->fmr_list; - while (req->nfmr--) + + while (req->nfmr > 0) { ib_fmr_pool_unmap(*pfmr++); + req->nfmr--; + } ib_dma_unmap_sg(ibdev, scsi_sglist(scmnd), scsi_sg_count(scmnd), scmnd->sc_data_direction); -- 1.7.1 -- To unsubscribe from this list: send the line "unsubscribe linux-rdma" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html