> If rs_free() releases the fd before calling rs_remove(), a second
> thread in rsocket() may acquire the same fd and store its own rs in
> the corresponding index-element. When the first thread then gets
> around to calling rs_remove() it ends up removing the rs of the second
> thread, and storing a NULL there.
>
> Several functions still do not check for NULL after retrieving an rs
> from the index for an open rsocket. Thus, the second thread would get
> a segfault in any of the following functions: rrecv, rrecvfrom, rsend,
> rsendto, rsendv, riomap, riounmap, riowrite.
>
> Fixes: cf7aae3 "rsocket: Index map item is cleaned before it is used
> in iomapping cleanup"
>
> Signed-off-by: Jeff Inman <jti@xxxxxxxx>

Acked-by: Sean Hefty <sean.hefty@xxxxxxxxx>
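As an added illustration (not code from the rsocket patch or from librdmacm), the interleaving described in the quoted message can be replayed single-threaded with a toy fd-to-rs index. `alloc_fd`, `release_fd`, `index_map` and `interleave` are hypothetical stand-ins for the fd allocation and index handling that rsocket(), rs_free() and rs_remove() perform; the two orderings show why removing the index entry before releasing the fd matters.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of the fd-indexed rs table; not librdmacm's code. */
#define MAX_FD 8
struct rs { int id; };
static struct rs *index_map[MAX_FD];   /* fd -> rs, NULL when unused  */
static int fd_in_use[MAX_FD];

/* Lowest free fd is handed out first, as the kernel does for open(). */
static int alloc_fd(void)
{
    for (int fd = 0; fd < MAX_FD; fd++)
        if (!fd_in_use[fd]) { fd_in_use[fd] = 1; return fd; }
    return -1;
}
static void release_fd(int fd) { fd_in_use[fd] = 0; }

/* Thread A frees rs1; thread B calls rsocket() right after A releases
 * the fd.  remove_first selects whether A's rs_free() runs rs_remove()
 * before (fixed) or after (buggy) releasing the fd.  Returns the id
 * thread B finds in the index for its own fd, or 0 if the entry is NULL
 * (the case where the unchecked rrecv()/rsend() paths would crash). */
static int interleave(int remove_first)
{
    memset(index_map, 0, sizeof index_map);
    memset(fd_in_use, 0, sizeof fd_in_use);
    struct rs rs1 = { 1 }, rs2 = { 2 };

    int fd1 = alloc_fd();                 /* thread A: rsocket()      */
    index_map[fd1] = &rs1;

    if (remove_first)                     /* thread A: rs_free()      */
        index_map[fd1] = NULL;            /*   rs_remove() first      */
    release_fd(fd1);                      /*   fd now reusable        */

    int fd2 = alloc_fd();                 /* thread B: rsocket() gets */
    index_map[fd2] = &rs2;                /*   the same fd number     */

    if (!remove_first)                    /* thread A: late rs_remove */
        index_map[fd1] = NULL;            /*   clobbers B's entry     */

    struct rs *found = index_map[fd2];    /* thread B: rrecv() lookup */
    return found ? found->id : 0;
}
```

With the buggy order the lookup yields NULL (returned as 0); with the fixed order thread B still finds its own rs.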