From: Jason Gunthorpe <jgg@nvidia.com>
To: <m.malygin@yadro.com>
Cc: <linux-rdma@vger.kernel.org>, <s.kojushev@yadro.com>, <linux@yadro.com>
Subject: Re: [PATCH] rdma_rxe: Prevent access to wr->next ptr afrer wr is posted to send queue
Date: Tue, 14 Jul 2020 16:59:16 -0300 [thread overview]
Message-ID: <20200714195916.GA2475296@nvidia.com> (raw)
In-Reply-To: <20200609125411.13268-1-m.malygin@yadro.com>
On Tue, Jun 09, 2020 at 03:54:12PM +0300, m.malygin@yadro.com wrote:
> From: Mikhail Malygin <m.malygin@yadro.com>
>
> rxe_post_send_kernel() iterates over linked list of wr's, until the wr->next ptr is NULL.
> However it we've got an interrupt after last wr is posted, control may be returned
> to the code after send completion callback is executed and wr memory is freed.
> As a result, wr->next pointer may contain incorrect value leading to panic.
>
> Signed-off-by: Mikhail Malygin <m.malygin@yadro.com>
> Signed-off-by: Sergey Kojushev <s.kojushev@yadro.com>
> drivers/infiniband/sw/rxe/rxe_verbs.c | 5 ++++-
> 1 file changed, 4 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/infiniband/sw/rxe/rxe_verbs.c b/drivers/infiniband/sw/rxe/rxe_verbs.c
> index b8a22af724e8..a539b11b4f9b 100644
> +++ b/drivers/infiniband/sw/rxe/rxe_verbs.c
> @@ -684,6 +684,7 @@ static int rxe_post_send_kernel(struct rxe_qp *qp, const struct ib_send_wr *wr,
> unsigned int mask;
> unsigned int length = 0;
> int i;
> + struct ib_send_wr *next;
>
> while (wr) {
> mask = wr_opcode_mask(wr->opcode, qp);
> @@ -700,6 +701,8 @@ static int rxe_post_send_kernel(struct rxe_qp *qp, const struct ib_send_wr *wr,
> break;
> }
>
> + next = READ_ONCE(wr->next);
Why is this READ_ONCE? The wr list at this point cannot be allowed to
change
Jason
next prev parent reply other threads:[~2020-07-14 19:59 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-06-09 12:54 [PATCH] rdma_rxe: Prevent access to wr->next ptr afrer wr is posted to send queue m.malygin
2020-07-14 19:59 ` Jason Gunthorpe [this message]
2020-07-16 19:03 ` [PATCH v2] " m.malygin
2020-07-16 19:17 ` Jason Gunthorpe
-- strict thread matches above, loose matches on Subject: below --
2020-07-15 8:57 [PATCH] " Mikhail Malygin
2020-07-15 11:37 ` Jason Gunthorpe
2020-07-15 12:18 ` Mikhail Malygin
2020-07-16 3:17 ` Zhu Yanjun
2020-07-16 11:41 ` Jason Gunthorpe
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200714195916.GA2475296@nvidia.com \
--to=jgg@nvidia.com \
--cc=linux-rdma@vger.kernel.org \
--cc=linux@yadro.com \
--cc=m.malygin@yadro.com \
--cc=s.kojushev@yadro.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.