From b8f22c56fea1f2526e605fdd11a3f08768441b2d Mon Sep 17 00:00:00 2001 From: Alexey Marchuk Date: Fri, 13 Dec 2019 19:24:20 +0300 Subject: [PATCH] rdma: Fix incoming_queue cleanup when RDMA qpair is destroyed RDMA qpair might be destroyed by defunct timer, so it can have active recv elements in incoming_queue. This queue is cleaned incorrectly, so recv element for the destroyed qpair still may be presented in the queue and be processed later. That leads to undefined behaviour. Fixes #1086 Signed-off-by: Alexey Marchuk Reviewed-on: https://review.gerrithub.io/c/spdk/spdk/+/477957 (master) Community-CI: Broadcom SPDK FC-NVMe CI Community-CI: SPDK CI Jenkins (cherry picked from commit 4af2b9bfb976de395f1c2526e9a89b72a6852401) Change-Id: Ieae186b2d2dce4ec88ab886b26165f6ef98e8d05 Signed-off-by: Tomasz Zawadzki Reviewed-on: https://review.gerrithub.io/c/spdk/spdk/+/478357 Tested-by: SPDK CI Jenkins Reviewed-by: Jim Harris Reviewed-by: Shuhei Matsumoto Reviewed-by: Alexey Marchuk --- lib/nvmf/rdma.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/nvmf/rdma.c b/lib/nvmf/rdma.c index c76b9e577..d701ae8de 100644 --- a/lib/nvmf/rdma.c +++ b/lib/nvmf/rdma.c @@ -949,7 +949,7 @@ spdk_nvmf_rdma_qpair_destroy(struct spdk_nvmf_rdma_qpair *rqpair) /* Drop all received but unprocessed commands for this queue and return them to SRQ */ STAILQ_FOREACH_SAFE(rdma_recv, &rqpair->resources->incoming_queue, link, recv_tmp) { if (rqpair == rdma_recv->qpair) { - STAILQ_REMOVE_HEAD(&rqpair->resources->incoming_queue, link); + STAILQ_REMOVE(&rqpair->resources->incoming_queue, rdma_recv, spdk_nvmf_rdma_recv, link); rc = ibv_post_srq_recv(rqpair->srq, &rdma_recv->wr, &bad_recv_wr); if (rc) { SPDK_ERRLOG("Unable to re-post rx descriptor\n");