From: Jason Gunthorpe <jgg@nvidia.com>
To: Bob Pearson <rpearsonhpe@gmail.com>
Cc: zyjzyj2000@gmail.com, linux-rdma@vger.kernel.org,
kernel test robot <lkp@intel.com>
Subject: Re: [PATCH for-next v6 8/8] RDMA/rxe: Add wait for completion to obj destruct
Date: Tue, 7 Dec 2021 15:28:24 -0400 [thread overview]
Message-ID: <20211207192824.GJ6385@nvidia.com> (raw)
In-Reply-To: <20211206211242.15528-9-rpearsonhpe@gmail.com>
On Mon, Dec 06, 2021 at 03:12:43PM -0600, Bob Pearson wrote:
> This patch adds code to wait until pending activity on RDMA objects has
> completed before freeing or returning to rdma-core where the object may
> be freed.
>
> Reported-by: kernel test robot <lkp@intel.com>
> Signed-off-by: Bob Pearson <rpearsonhpe@gmail.com>
> v6
> Corrected incorrect comment before __rxe_fini()
> Added a #define for complete timeout value.
> Changed type of __rxe_fini to int to return value from wait_for_completion.
> drivers/infiniband/sw/rxe/rxe_comp.c | 4 +-
> drivers/infiniband/sw/rxe/rxe_mcast.c | 4 ++
> drivers/infiniband/sw/rxe/rxe_mr.c | 2 +
> drivers/infiniband/sw/rxe/rxe_mw.c | 14 +++--
> drivers/infiniband/sw/rxe/rxe_pool.c | 31 +++++++++-
> drivers/infiniband/sw/rxe/rxe_pool.h | 4 ++
> drivers/infiniband/sw/rxe/rxe_recv.c | 4 +-
> drivers/infiniband/sw/rxe/rxe_req.c | 11 ++--
> drivers/infiniband/sw/rxe/rxe_resp.c | 6 +-
> drivers/infiniband/sw/rxe/rxe_verbs.c | 84 ++++++++++++++++++++-------
> 10 files changed, 126 insertions(+), 38 deletions(-)
>
> diff --git a/drivers/infiniband/sw/rxe/rxe_comp.c b/drivers/infiniband/sw/rxe/rxe_comp.c
> index f363fe3fa414..a2bb66f320fa 100644
> +++ b/drivers/infiniband/sw/rxe/rxe_comp.c
> @@ -562,7 +562,9 @@ int rxe_completer(void *arg)
> enum comp_state state;
> int ret = 0;
>
> - rxe_add_ref(qp);
> + /* check qp pointer still valid */
> + if (!rxe_add_ref(qp))
> + return -EAGAIN;
This doesn't make sense..
If this already has a pointer to QP then it must already have a ref
and add_ref cannot fail.
The kref_get_unless_zero() is a special case for something like a
container where it is possible for the container to hold a 0 ref item
in it.
The scheme you have makes that impossible because the container lock
is held around the kref == 0 and list_del, so you never need
unless_zero.
The optimization is to not hold the lock around the kref_get, allow
the container to have a 0 ref until the release reaches list_del, and
then lock and list_del. The reader side then needs the unless_zero
But the ONLY place unless_zero should be used is in a situation like
that, and we should never see other failable refcount tests without
some other clear explanation why the qp pointer with a 0 ref is not
freed. The above doesn't qualify.
Further
+static inline bool __rxe_add_ref(struct rxe_pool_elem *elem)
+{
+ return kref_get_unless_zero(&elem->ref_cnt);
+}
Just serves to defeat refcount debugging which checks that it is
impossible for a 0 ref to be incr'd which is proof of a use after free
when refcounts are implemetned properly.
So I don't know what this is all about here but it needs some fixing..
Jason
next prev parent reply other threads:[~2021-12-07 19:28 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-12-06 21:12 [PATCH for-next v6 0/8] RDMA/rxe: Correct race conditions Bob Pearson
2021-12-06 21:12 ` [PATCH for-next v6 1/8] RDMA/rxe: Replace RB tree by xarray for indexes Bob Pearson
2021-12-07 19:09 ` Jason Gunthorpe
2021-12-09 0:16 ` Bob Pearson
2021-12-09 0:18 ` Jason Gunthorpe
2021-12-09 0:26 ` Bob Pearson
2021-12-06 21:12 ` [PATCH for-next v6 2/8] RDMA/rxe: Reverse the sense of RXE_POOL_NO_ALLOC Bob Pearson
2021-12-06 21:12 ` [PATCH for-next v6 3/8] RDMA/rxe: Cleanup pool APIs for keyed objects Bob Pearson
2021-12-07 19:18 ` Jason Gunthorpe
2021-12-06 21:12 ` [PATCH for-next v6 4/8] RDMA/rxe: Fix ref error in rxe_av.c Bob Pearson
2021-12-06 21:12 ` [PATCH for-next v6 5/8] RDMA/rxe: Replace mr by rkey in responder resources Bob Pearson
2021-12-06 21:12 ` [PATCH for-next v6 6/8] RDMA/rxe: Minor cleanups in rxe_pool.c/rxe_pool.h Bob Pearson
2021-12-06 21:12 ` [PATCH for-next v6 7/8] RDMA/rxe: Replace rxe_alloc by kzalloc for rxe_mc_elem Bob Pearson
2021-12-06 21:12 ` [PATCH for-next v6 8/8] RDMA/rxe: Add wait for completion to obj destruct Bob Pearson
2021-12-07 19:28 ` Jason Gunthorpe [this message]
2021-12-08 21:21 ` Bob Pearson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20211207192824.GJ6385@nvidia.com \
--to=jgg@nvidia.com \
--cc=linux-rdma@vger.kernel.org \
--cc=lkp@intel.com \
--cc=rpearsonhpe@gmail.com \
--cc=zyjzyj2000@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.