From: Jason Gunthorpe <jgg@nvidia.com>
To: Leon Romanovsky <leon@kernel.org>
Cc: Doug Ledford <dledford@redhat.com>,
Leon Romanovsky <leonro@mellanox.com>,
<linux-rdma@vger.kernel.org>, Mark Zhang <markz@nvidia.com>
Subject: Re: [PATCH rdma-next v3 6/9] RDMA/restrack: Add error handling while adding restrack object
Date: Fri, 2 Oct 2020 09:42:17 -0300 [thread overview]
Message-ID: <20201002124217.GA1342563@nvidia.com> (raw)
In-Reply-To: <20200926101938.2964394-7-leon@kernel.org>
On Sat, Sep 26, 2020 at 01:19:35PM +0300, Leon Romanovsky wrote:
> diff --git a/drivers/infiniband/core/cq.c b/drivers/infiniband/core/cq.c
> index 12ebacf52958..1abcb01d362f 100644
> +++ b/drivers/infiniband/core/cq.c
> @@ -267,10 +267,25 @@ struct ib_cq *__ib_alloc_cq(struct ib_device *dev, void *private, int nr_cqe,
> goto out_destroy_cq;
> }
>
> - rdma_restrack_add(&cq->res);
> + ret = rdma_restrack_add(&cq->res);
> + if (ret)
> + goto out_poll_cq;
> +
> trace_cq_alloc(cq, nr_cqe, comp_vector, poll_ctx);
> return cq;
>
> +out_poll_cq:
> + switch (cq->poll_ctx) {
> + case IB_POLL_SOFTIRQ:
> + irq_poll_disable(&cq->iop);
> + break;
> + case IB_POLL_WORKQUEUE:
> + case IB_POLL_UNBOUND_WORKQUEUE:
> + cancel_work_sync(&cq->work);
This error unwind is *technically* in the wrong order, it is wrong in
ib_free_cq too which is an actual bug.
The cq->comp_handler should be set before calling create_cq and undone
after calling destroy_wq. We can do this right now that the
allocations have been reworked.
Otherwise there is no assurance the ib_cq_completion_workqueue() won't
be called after this cancel == use after free
Also, you need to check all the rdma_restrack_del()'s, they should
always be *before* destroying the HW object, eg ib_free_cq() has it
too late. Similarly the add should always be after the HW object is
allocated.
For instance fill_res_cq_entry() calls
dev->ops.fill_res_cq_entry(msg, cq)
on an already free'd HW object with this arrangment.
These are pre-existing things so lets fix them seperately please
Jason
next prev parent reply other threads:[~2020-10-02 12:42 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-09-26 10:19 [PATCH rdma-next v3 0/9] Track memory allocation with restrack DB help Leon Romanovsky
2020-09-26 10:19 ` [PATCH rdma-next v3 1/9] RDMA/core: Allow drivers to disable restrack DB Leon Romanovsky
2020-09-26 10:19 ` [PATCH rdma-next v3 2/9] RDMA/counter: Combine allocation and bind logic Leon Romanovsky
2020-09-26 10:19 ` [PATCH rdma-next v3 3/9] RDMA/restrack: Store all special QPs in restrack DB Leon Romanovsky
2020-09-26 10:19 ` [PATCH rdma-next v3 4/9] RDMA/cma: Add missing error handling of listen_id Leon Romanovsky
2020-09-26 10:19 ` [PATCH rdma-next v3 5/9] RDMA/cma: Be strict with attaching to CMA device Leon Romanovsky
2020-09-26 10:19 ` [PATCH rdma-next v3 6/9] RDMA/restrack: Add error handling while adding restrack object Leon Romanovsky
2020-10-02 12:42 ` Jason Gunthorpe [this message]
2020-10-02 12:57 ` Leon Romanovsky
2020-10-02 13:16 ` Jason Gunthorpe
2020-10-04 6:48 ` Leon Romanovsky
2020-10-04 12:32 ` Jason Gunthorpe
2020-10-04 12:49 ` Leon Romanovsky
2020-10-04 13:03 ` Jason Gunthorpe
2020-10-02 13:13 ` Jason Gunthorpe
2020-10-04 6:04 ` Leon Romanovsky
2020-09-26 10:19 ` [PATCH rdma-next v3 7/9] RDMA/restrack: Support all QP types Leon Romanovsky
2020-09-26 10:19 ` [PATCH rdma-next v3 8/9] RDMA/core: Track device memory MRs Leon Romanovsky
2020-09-26 10:19 ` [PATCH rdma-next v3 9/9] RDMA/restrack: Drop valid restrack field as source of ambiguity Leon Romanovsky
2020-10-02 12:55 ` Jason Gunthorpe
2020-10-02 13:05 ` Leon Romanovsky
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20201002124217.GA1342563@nvidia.com \
--to=jgg@nvidia.com \
--cc=dledford@redhat.com \
--cc=leon@kernel.org \
--cc=leonro@mellanox.com \
--cc=linux-rdma@vger.kernel.org \
--cc=markz@nvidia.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.