If rs_free() releases the fd before calling rs_remove(), a second thread in rsocket() may acquire the same fd and store its own rs in the corresponding index-element. When the first thread then gets around to calling rs_remove() it ends up removing the rs of the second thread, and storing a NULL there. Several functions still do not check for NULL after retrieving an rs from the index for an open rsocket. Thus, the second thread would get a segfault in any of the following functions: rrecv, rrecvfrom, rsend, rsendto, rsendv, riomap, riounmap, riowrite. Fixes: cf7aae3 "rsocket: Index map item is cleaned before it is used in iomapping cleanup" Signed-off-by: Jeff Inman <jti@xxxxxxxx> --- librdmacm/rsocket.c | 6 +++--- 1 files changed, 3 insertions(+), 3 deletions(-) diff --git a/librdmacm/rsocket.c b/librdmacm/rsocket.c index f28529c..77a6df4 100644 --- a/librdmacm/rsocket.c +++ b/librdmacm/rsocket.c @@ -1012,6 +1012,9 @@ static void rs_free(struct rsocket *rs) free(rs->target_buffer_list); } + if (rs->index >= 0) + rs_remove(rs); + if (rs->cm_id) { rs_free_iomappings(rs); if (rs->cm_id->qp) { @@ -1021,9 +1024,6 @@ static void rs_free(struct rsocket *rs) rdma_destroy_id(rs->cm_id); } - if (rs->index >= 0) - rs_remove(rs); - fastlock_destroy(&rs->map_lock); fastlock_destroy(&rs->cq_wait_lock); fastlock_destroy(&rs->cq_lock); -- 1.7.1
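Review bot: The ordering this hunk establishes is load-bearing but undocumented; the moved `if (rs->index >= 0) rs_remove(rs);` now sits before the `if (rs->cm_id)` teardown (rs_free_iomappings and rdma_destroy_id), and nothing in the code says that it must stay ahead of the point where the fd is released, so a later cleanup could move it back next to the other teardown and silently reintroduce the race. Suggest a one-line comment above the new block, e.g. `/* must run before the fd is released, or rsocket() may reuse the fd and a later rs_remove() would clear the new owner's entry */`. Separately, the commit message notes that rrecv, rrecvfrom, rsend, rsendto, rsendv, riomap, riounmap and riowrite still do not NULL-check the rs they fetch from the index; this hunk only closes the window in rs_free and adds none of those checks, so it is worth stating in the message whether they are intentionally left for a follow-up, since any other path that clears or races on the index entry will still dereference NULL there.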