xprtrdma: Fix a NULL dereference in frwr_unmap_sync()

chucklever · Trond Myklebust · commit 9e895cd9649a · 2021-05-01T19:42:22.000-04:00
The normal mechanism that invalidates and unmaps MRs is frwr_unmap_async(). frwr_unmap_sync() is used only when an RPC Reply bearing Write or Reply chunks has been lost (ie, almost never). Coverity found that after commit 9a301ca ("xprtrdma: Move fr_linv_done field to struct rpcrdma_mr"), the while() loop in frwr_unmap_sync() exits only once @mr is NULL, unconditionally causing subsequent dereferences of @mr to Oops. I've tested this fix by creating a client that skips invoking frwr_unmap_async() when RPC Replies complete. That forces all invalidation tasks to fall upon frwr_unmap_sync(). Simple workloads with this fix applied to the adulterated client work as designed. Reported-by: coverity-bot <keescook+coverity-bot@chromium.org> Addresses-Coverity-ID: 1504556 ("Null pointer dereferences") Fixes: 9a301ca ("xprtrdma: Move fr_linv_done field to struct rpcrdma_mr") Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
diff --git a/net/sunrpc/xprtrdma/frwr_ops.c b/net/sunrpc/xprtrdma/frwr_ops.c
@@ -530,6 +530,7 @@ void frwr_unmap_sync(struct rpcrdma_xprt *r_xprt, struct rpcrdma_req *req)
 		*prev = last;
 		prev = &last->next;
 	}
+	mr = container_of(last, struct rpcrdma_mr, mr_invwr);
 
 	/* Strong send queue ordering guarantees that when the
 	 * last WR in the chain completes, all WRs in the chain

Original file line number	Diff line number	Diff line change
`@@ -530,6 +530,7 @@ void frwr_unmap_sync(struct rpcrdma_xprt r_xprt, struct rpcrdma_req req)`
`530`	`530`	`*prev = last;`
`531`	`531`	`prev = &last->next;`
`532`	`532`	`}`
	`533`	`+ mr = container_of(last, struct rpcrdma_mr, mr_invwr);`
`533`	`534`
`534`	`535`	`/* Strong send queue ordering guarantees that when the`
`535`	`536`	`* last WR in the chain completes, all WRs in the chain`