From: Vipul Pandya <vipul-ut6Up61K2wZBDgjK7y7TUQ@public.gmane.org>
To: linux-rdma-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
Cc: roland-BHEL68pLQRGGvPXPguhicg@public.gmane.org,
	divy-ut6Up61K2wZBDgjK7y7TUQ@public.gmane.org,
	swise-7bPotxP6k4+P2YhJcF5u+vpXobYPEAuW@public.gmane.org,
	abhishek-ut6Up61K2wZBDgjK7y7TUQ@public.gmane.org,
	Vipul Pandya <vipul-ut6Up61K2wZBDgjK7y7TUQ@public.gmane.org>
Subject: [PATCH 07/11] RDMA/cxgb4: endpoint timeout race condition
Date: Mon,  7 Jan 2013 18:41:56 +0530	[thread overview]
Message-ID: <1357564320-15022-8-git-send-email-vipul@chelsio.com> (raw)
In-Reply-To: <1357564320-15022-1-git-send-email-vipul-ut6Up61K2wZBDgjK7y7TUQ@public.gmane.org>

The endpoint timeout logic had a race that could cause an endpoint
object to be freed while it was still on the timedout list.  This
can happen if the timer is stopped after it had fired, but before
the timedout thread processed the endpoint timeout.

Signed-off-by: Vipul Pandya <vipul-ut6Up61K2wZBDgjK7y7TUQ@public.gmane.org>
---
 drivers/infiniband/hw/cxgb4/cm.c       |   29 ++++++++++++++++-------------
 drivers/infiniband/hw/cxgb4/iw_cxgb4.h |    1 +
 2 files changed, 17 insertions(+), 13 deletions(-)

diff --git a/drivers/infiniband/hw/cxgb4/cm.c b/drivers/infiniband/hw/cxgb4/cm.c
index 51ceb61..ab5b4dd 100644
--- a/drivers/infiniband/hw/cxgb4/cm.c
+++ b/drivers/infiniband/hw/cxgb4/cm.c
@@ -159,10 +159,12 @@ static void start_ep_timer(struct c4iw_ep *ep)
 {
 	PDBG("%s ep %p\n", __func__, ep);
 	if (timer_pending(&ep->timer)) {
-		PDBG("%s stopped / restarted timer ep %p\n", __func__, ep);
-		del_timer_sync(&ep->timer);
-	} else
-		c4iw_get_ep(&ep->com);
+		pr_err("%s timer already started! ep %p\n",
+		       __func__, ep);
+		return;
+	}
+	clear_bit(TIMEOUT, &ep->com.flags);
+	c4iw_get_ep(&ep->com);
 	ep->timer.expires = jiffies + ep_timeout_secs * HZ;
 	ep->timer.data = (unsigned long)ep;
 	ep->timer.function = ep_timeout;
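Review bot: `clear_bit(TIMEOUT, &ep->com.flags)` in start_ep_timer() follows a `timer_pending()` check that is false both when the timer was never armed and when it has already fired. An endpoint that ep_timeout() has queued on `timeout_list`, but that the worker has not yet handled, would therefore get its TIMEOUT bit cleared while still linked. If the re-armed timer fires again before the worker runs, `list_add_tail(&ep->entry, &timeout_list)` would be applied to an entry already on the list. Whether any caller can reach start_ep_timer() in that window is not visible here, and the function continues past the hunk, so at minimum state the requirement above the clear, e.g. `/* caller must not re-arm until the timeout worker has dequeued ep */`. The new `pr_err()` is also unconditional; `pr_err_ratelimited()` would keep a repeated trigger from flooding the log.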
@@ -171,14 +173,10 @@ static void start_ep_timer(struct c4iw_ep *ep)
 
 static void stop_ep_timer(struct c4iw_ep *ep)
 {
-	PDBG("%s ep %p\n", __func__, ep);
-	if (!timer_pending(&ep->timer)) {
-		WARN(1, "%s timer stopped when its not running! "
-		       "ep %p state %u\n", __func__, ep, ep->com.state);
-		return;
-	}
+	PDBG("%s ep %p stopping\n", __func__, ep);
 	del_timer_sync(&ep->timer);
-	c4iw_put_ep(&ep->com);
+	if (!test_and_set_bit(TIMEOUT, &ep->com.flags))
+		c4iw_put_ep(&ep->com);
 }
 
 static int c4iw_l2t_send(struct c4iw_rdev *rdev, struct sk_buff *skb,
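Review bot: With the `!timer_pending()` guard removed, stop_ep_timer() calls `c4iw_put_ep()` whenever TIMEOUT is clear, which includes an endpoint whose timer was never started and so never took the matching `c4iw_get_ep()`. That would be an unbalanced put and a possible early free of the endpoint. Whether flags start with TIMEOUT clear, and whether every caller pairs a stop with a prior start, is outside this hunk, so the invariant should be written on the function, e.g. `/* TIMEOUT clear means an armed timer holds a reference; call only after start_ep_timer() */`. The function also returns void, so when ep_timeout() set the bit first the caller cannot tell that the endpoint is still queued for timeout processing; returning the result of `test_and_set_bit()` would let callers act on it.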
@@ -3191,11 +3189,16 @@ static DECLARE_WORK(skb_work, process_work);
 static void ep_timeout(unsigned long arg)
 {
 	struct c4iw_ep *ep = (struct c4iw_ep *)arg;
+	int kickit = 0;
 
 	spin_lock(&timeout_lock);
-	list_add_tail(&ep->entry, &timeout_list);
+	if (!test_and_set_bit(TIMEOUT, &ep->com.flags)) {
+		list_add_tail(&ep->entry, &timeout_list);
+		kickit = 1;
+	}
 	spin_unlock(&timeout_lock);
-	queue_work(workq, &skb_work);
+	if (kickit)
+		queue_work(workq, &skb_work);
 }
 
 /*
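Review bot: The ownership rule that makes this fix work is not written down at `test_and_set_bit(TIMEOUT, &ep->com.flags)` in ep_timeout(). Whichever of ep_timeout() and stop_ep_timer() sets the bit first takes over the timer's reference, and here it is handed to the worker through `timeout_list`. I would add `/* first to set TIMEOUT owns the timer's ref; here it moves to timeout_list for the worker to drop */` above the test; the worker's drop is inferred, since that code is not in this hunk. `kickit` is only a flag, so `bool kickit = false;` would read better than `int kickit = 0;`.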
diff --git a/drivers/infiniband/hw/cxgb4/iw_cxgb4.h b/drivers/infiniband/hw/cxgb4/iw_cxgb4.h
index 0aaaa0e..94a3b3c 100644
--- a/drivers/infiniband/hw/cxgb4/iw_cxgb4.h
+++ b/drivers/infiniband/hw/cxgb4/iw_cxgb4.h
@@ -716,6 +716,7 @@ enum c4iw_ep_flags {
 	ABORT_REQ_IN_PROGRESS	= 1,
 	RELEASE_RESOURCES	= 2,
 	CLOSE_SENT		= 3,
+	TIMEOUT                 = 4,
 	QP_REFERENCED           = 5,
 };
 
-- 
1.7.1

