On 24.02.2014 15:30, Sagi Grimberg wrote: > When unmapping request data, it is unsafe automatically > decrement req->nfmr regardless of it's value. This may > happen since IO and reconnect flow may run concurrently > resulting in req->nfmr = -1 and falsely call ib_fmr_pool_unmap. Something is still strange here. What about the following: "unsafe to decrement req->nfmr automatically" "its" instead of "it's" "and calling ib_fmr_pool_unmap falsely" > Fix the loop condition to be greater than zero (which > explicitly means that FMRs were used on this request) > and only increment when needed. > > This crash is easily reproduceable with ConnectX VFs OR > Connect-IB (where FMRs are not supported) > > Signed-off-by: Sagi Grimberg <sagig@xxxxxxxxxxxx> > --- > drivers/infiniband/ulp/srp/ib_srp.c | 5 ++++- > 1 files changed, 4 insertions(+), 1 deletions(-) > > diff --git a/drivers/infiniband/ulp/srp/ib_srp.c b/drivers/infiniband/ulp/srp/ib_srp.c > index 529b6bc..0e20bfb 100644 > --- a/drivers/infiniband/ulp/srp/ib_srp.c > +++ b/drivers/infiniband/ulp/srp/ib_srp.c > @@ -766,8 +766,11 @@ static void srp_unmap_data(struct scsi_cmnd *scmnd, > return; > > pfmr = req->fmr_list; > - while (req->nfmr--) > + > + while (req->nfmr > 0) { > ib_fmr_pool_unmap(*pfmr++); > + req->nfmr--; > + } > > ib_dma_unmap_sg(ibdev, scsi_sglist(scmnd), scsi_sg_count(scmnd), > scmnd->sc_data_direction); > -- To unsubscribe from this list: send the line "unsubscribe linux-rdma" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html