xprtrdma: disconnect and flush cqs before freeing buffers Otherwise a FRMR completion can cause a touch-after-free crash. In xprt_rdma_destroy(), call rpcrdma_buffer_destroy() only after calling rpcrdma_ep_destroy(). In rpcrdma_ep_destroy(), disconnect the cm_id first which should flush the qp, then drain the cqs, then destroy the qp, and finally destroy the cqs. Signed-off-by: Steve Wise <swise@opengridcomputing.com> Tested-by: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>

commit: 72c021738252dde5849d575a650239d6404930ee [log] [tgz]
author: Steve Wise <swise@opengridcomputing.com> Mon Sep 21 12:24:23 2015 -0500
committer: Anna Schumaker <Anna.Schumaker@Netapp.com> Mon Sep 28 10:42:35 2015 -0400
tree: fc04648367b5531aa8e2fa0f46492953c0e1454a
parent: d0f36c46deea97bd16b9277be2f1acac74d76037 [diff] [blame]
diff --git a/net/sunrpc/xprtrdma/transport.c b/net/sunrpc/xprtrdma/transport.c
index 64443eb..41e452b 100644
--- a/net/sunrpc/xprtrdma/transport.c
+++ b/net/sunrpc/xprtrdma/transport.c

@@ -270,8 +270,8 @@
 
 	xprt_clear_connected(xprt);
 
-	rpcrdma_buffer_destroy(&r_xprt->rx_buf);
 	rpcrdma_ep_destroy(&r_xprt->rx_ep, &r_xprt->rx_ia);
+	rpcrdma_buffer_destroy(&r_xprt->rx_buf);
 	rpcrdma_ia_close(&r_xprt->rx_ia);
 
 	xprt_rdma_free_addresses(xprt);
commit	72c021738252dde5849d575a650239d6404930ee	[log] [tgz]
author	Steve Wise <swise@opengridcomputing.com>	Mon Sep 21 12:24:23 2015 -0500
committer	Anna Schumaker <Anna.Schumaker@Netapp.com>	Mon Sep 28 10:42:35 2015 -0400
tree	fc04648367b5531aa8e2fa0f46492953c0e1454a
parent	d0f36c46deea97bd16b9277be2f1acac74d76037 [diff] [blame]