From: Andrew Boyer <andrew.boyer-8PEkshWhKlo@public.gmane.org>
To: monis-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org,
yonatanc-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org,
linux-rdma-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
Cc: Andrew Boyer <andrew.boyer-8PEkshWhKlo@public.gmane.org>
Subject: [PATCH v1 02/11] IB/rxe: Disable completion upcalls when a CQ is destroyed
Date: Fri, 25 Aug 2017 15:05:47 -0400 [thread overview]
Message-ID: <1503687956-7110-3-git-send-email-andrew.boyer@dell.com> (raw)
In-Reply-To: <1503687956-7110-1-git-send-email-andrew.boyer-8PEkshWhKlo@public.gmane.org>
This prevents the stack from accessing userspace objects while they
are being torn down.
One possible sequence of events:
- Userspace program exits
- ib_uverbs_cleanup_ucontext() runs, calling ib_destroy_qp(),
ib_destroy_cq(), etc. and releasing/freeing the UCQ
- The QP still has tasklets running, so it isn't destroyed yet
- The CQ is referenced by the QP, so the CQ isn't destroyed yet
- The UCQ is kfree()'d anyway
- A send work request completes
- rxe_send_complete() calls cq->ibcq.comp_handler()
- ib_uverbs_comp_handler() runs and crashes; the event queue is checked
for is_closed, but it has no way to check the ib_ucq_object before
accessing it
The reference counting on the CQ doesn't protect against this since the CQ
hasn't been destroyed yet.
There's no available interface to deregister the UCQ from the CQ, and it
didn't appear that attempting to add reference counting to the UCQ was
going to be a good way to go since this solution is much simpler.
Fixes: 8700e3e7c485 ("Soft RoCE driver")
Signed-off-by: Andrew Boyer <andrew.boyer-8PEkshWhKlo@public.gmane.org>
---
drivers/infiniband/sw/rxe/rxe_cq.c | 19 +++++++++++++++++++
drivers/infiniband/sw/rxe/rxe_loc.h | 2 ++
drivers/infiniband/sw/rxe/rxe_verbs.c | 2 ++
drivers/infiniband/sw/rxe/rxe_verbs.h | 1 +
4 files changed, 24 insertions(+)
diff --git a/drivers/infiniband/sw/rxe/rxe_cq.c b/drivers/infiniband/sw/rxe/rxe_cq.c
index 49fe42c..c4aabf7 100644
--- a/drivers/infiniband/sw/rxe/rxe_cq.c
+++ b/drivers/infiniband/sw/rxe/rxe_cq.c
@@ -69,6 +69,14 @@ int rxe_cq_chk_attr(struct rxe_dev *rxe, struct rxe_cq *cq,
static void rxe_send_complete(unsigned long data)
{
struct rxe_cq *cq = (struct rxe_cq *)data;
+ unsigned long flags;
+
+ spin_lock_irqsave(&cq->cq_lock, flags);
+ if (cq->is_dying) {
+ spin_unlock_irqrestore(&cq->cq_lock, flags);
+ return;
+ }
+ spin_unlock_irqrestore(&cq->cq_lock, flags);
cq->ibcq.comp_handler(&cq->ibcq, cq->ibcq.cq_context);
}
@@ -97,6 +105,8 @@ int rxe_cq_from_init(struct rxe_dev *rxe, struct rxe_cq *cq, int cqe,
if (udata)
cq->is_user = 1;
+ cq->is_dying = false;
+
tasklet_init(&cq->comp_task, rxe_send_complete, (unsigned long)cq);
spin_lock_init(&cq->cq_lock);
@@ -156,6 +166,15 @@ int rxe_cq_post(struct rxe_cq *cq, struct rxe_cqe *cqe, int solicited)
return 0;
}
+void rxe_cq_disable(struct rxe_cq *cq)
+{
+ unsigned long flags;
+
+ spin_lock_irqsave(&cq->cq_lock, flags);
+ cq->is_dying = true;
+ spin_unlock_irqrestore(&cq->cq_lock, flags);
+}
+
void rxe_cq_cleanup(struct rxe_pool_entry *arg)
{
struct rxe_cq *cq = container_of(arg, typeof(*cq), pelem);
diff --git a/drivers/infiniband/sw/rxe/rxe_loc.h b/drivers/infiniband/sw/rxe/rxe_loc.h
index d6299ed..64f8fa1 100644
--- a/drivers/infiniband/sw/rxe/rxe_loc.h
+++ b/drivers/infiniband/sw/rxe/rxe_loc.h
@@ -64,6 +64,8 @@ int rxe_cq_from_init(struct rxe_dev *rxe, struct rxe_cq *cq, int cqe,
int rxe_cq_post(struct rxe_cq *cq, struct rxe_cqe *cqe, int solicited);
+void rxe_cq_disable(struct rxe_cq *cq);
+
void rxe_cq_cleanup(struct rxe_pool_entry *arg);
/* rxe_mcast.c */
diff --git a/drivers/infiniband/sw/rxe/rxe_verbs.c b/drivers/infiniband/sw/rxe/rxe_verbs.c
index af90a7d..02a39e8 100644
--- a/drivers/infiniband/sw/rxe/rxe_verbs.c
+++ b/drivers/infiniband/sw/rxe/rxe_verbs.c
@@ -960,6 +960,8 @@ static int rxe_destroy_cq(struct ib_cq *ibcq)
{
struct rxe_cq *cq = to_rcq(ibcq);
+ rxe_cq_disable(cq);
+
rxe_drop_ref(cq);
return 0;
}
diff --git a/drivers/infiniband/sw/rxe/rxe_verbs.h b/drivers/infiniband/sw/rxe/rxe_verbs.h
index 5a180fb..b09a9e2 100644
--- a/drivers/infiniband/sw/rxe/rxe_verbs.h
+++ b/drivers/infiniband/sw/rxe/rxe_verbs.h
@@ -89,6 +89,7 @@ struct rxe_cq {
struct rxe_queue *queue;
spinlock_t cq_lock;
u8 notify;
+ bool is_dying;
int is_user;
struct tasklet_struct comp_task;
};
--
1.8.3.1
--
To unsubscribe from this list: send the line "unsubscribe linux-rdma" in
the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
next prev parent reply other threads:[~2017-08-25 19:05 UTC|newest]
Thread overview: 61+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-07-25 13:39 [PATCH 0/7] IB/rxe: Bug fixes Andrew Boyer
[not found] ` <1500989968-30889-1-git-send-email-andrew.boyer-8PEkshWhKlo@public.gmane.org>
2017-07-25 13:39 ` [PATCH 1/7] IB/rxe: Move refcounting earlier in rxe_send() Andrew Boyer
[not found] ` <1500989968-30889-2-git-send-email-andrew.boyer-8PEkshWhKlo@public.gmane.org>
2017-07-27 8:57 ` Moni Shoua
2017-07-25 13:39 ` [PATCH 2/7] IB/rxe: Disable completion upcalls when a CQ is destroyed Andrew Boyer
[not found] ` <1500989968-30889-3-git-send-email-andrew.boyer-8PEkshWhKlo@public.gmane.org>
2017-07-27 9:35 ` Moni Shoua
[not found] ` <CAG9sBKOet0xv9YaJAc58erVrnTGwzMd630goDgrxUEx4PhXK+g-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2017-07-27 13:19 ` Boyer, Andrew
2017-07-25 13:39 ` [PATCH 3/7] IB/rxe: Remove dangling prototype Andrew Boyer
[not found] ` <1500989968-30889-4-git-send-email-andrew.boyer-8PEkshWhKlo@public.gmane.org>
2017-07-27 9:36 ` Moni Shoua
2017-07-25 13:39 ` [PATCH 4/7] IB/rxe: Fix up the responder's find_resources() function Andrew Boyer
[not found] ` <1500989968-30889-5-git-send-email-andrew.boyer-8PEkshWhKlo@public.gmane.org>
2017-07-27 10:54 ` Moni Shoua
2017-07-25 13:39 ` [PATCH 5/7] IB/rxe: Fix destination cache for IPv6 Andrew Boyer
[not found] ` <1500989968-30889-6-git-send-email-andrew.boyer-8PEkshWhKlo@public.gmane.org>
2017-07-27 6:41 ` kbuild test robot
[not found] ` <201707271425.T94Zam4o%fengguang.wu-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org>
2017-07-27 13:24 ` Boyer, Andrew
2017-07-27 12:07 ` Moni Shoua
2017-07-25 13:39 ` [PATCH 6/7] IB/rxe: Fix up one more receive queue drain path that might prevent cleanup Andrew Boyer
[not found] ` <1500989968-30889-7-git-send-email-andrew.boyer-8PEkshWhKlo@public.gmane.org>
2017-07-27 12:13 ` Moni Shoua
2017-07-25 13:39 ` [PATCH 7/7] IB/rxe: Avoid ICRC errors by copying into the skb first Andrew Boyer
[not found] ` <1500989968-30889-8-git-send-email-andrew.boyer-8PEkshWhKlo@public.gmane.org>
2017-07-25 17:34 ` Or Gerlitz
[not found] ` <CAJ3xEMi7qiygVwngd-1q0x7xOf=whGb667t0RQpZ0uRbchw=oA-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2017-07-25 18:00 ` Boyer, Andrew
[not found] ` <D59CFD43.1B523%Andrew.Boyer-mb1K0bWo544@public.gmane.org>
2017-07-27 13:25 ` Moni Shoua
2017-07-27 13:27 ` [PATCH 0/7] IB/rxe: Bug fixes Moni Shoua
2017-08-25 19:05 ` [PATCH v1 00/11] " Andrew Boyer
[not found] ` <1503687956-7110-1-git-send-email-andrew.boyer-8PEkshWhKlo@public.gmane.org>
2017-08-25 19:05 ` [PATCH v1 01/11] IB/rxe: Move refcounting earlier in rxe_send() Andrew Boyer
[not found] ` <1503687956-7110-2-git-send-email-andrew.boyer-8PEkshWhKlo@public.gmane.org>
2017-08-27 12:01 ` Yuval Shaia
2017-08-28 13:05 ` Boyer, Andrew
2017-08-25 19:05 ` Andrew Boyer [this message]
2017-08-25 19:05 ` [PATCH v1 03/11] IB/rxe: Remove dangling prototype Andrew Boyer
[not found] ` <1503687956-7110-4-git-send-email-andrew.boyer-8PEkshWhKlo@public.gmane.org>
2017-08-27 12:03 ` Yuval Shaia
2017-08-25 19:05 ` [PATCH v1 04/11] IB/rxe: Fix up the responder's find_resources() function Andrew Boyer
[not found] ` <1503687956-7110-5-git-send-email-andrew.boyer-8PEkshWhKlo@public.gmane.org>
2017-08-27 12:14 ` Yuval Shaia
2017-08-25 19:05 ` [PATCH v1 05/11] IB/rxe: Fix destination cache for IPv6 Andrew Boyer
2017-08-25 19:05 ` [PATCH v1 06/11] IB/rxe: Add dst_clone() in prepare_ipv6_hdr() Andrew Boyer
2017-08-25 19:05 ` [PATCH v1 07/11] IB/rxe: Fix up rxe_qp_cleanup() Andrew Boyer
2017-08-25 19:05 ` [PATCH v1 08/11] IB/rxe: Remove unneeded initialization in prepare6() Andrew Boyer
[not found] ` <1503687956-7110-9-git-send-email-andrew.boyer-8PEkshWhKlo@public.gmane.org>
2017-08-27 12:20 ` Yuval Shaia
2017-08-25 19:05 ` [PATCH v1 09/11] IB/rxe: Another fix for broken receive queue draining Andrew Boyer
2017-08-25 19:05 ` [PATCH v1 10/11] IB/rxe: Avoid ICRC errors by copying into the skb first Andrew Boyer
2017-08-25 19:05 ` [PATCH v1 11/11] IB/rxe: Handle NETDEV_CHANGE events Andrew Boyer
[not found] ` <1503687956-7110-12-git-send-email-andrew.boyer-8PEkshWhKlo@public.gmane.org>
2017-08-27 10:30 ` Yuval Shaia
2017-08-28 12:38 ` Boyer, Andrew
[not found] ` <D5C986D7.1DF85%Andrew.Boyer-mb1K0bWo544@public.gmane.org>
2017-08-28 13:37 ` Doug Ledford
[not found] ` <e426219f-a558-209b-350c-bd71c39e52eb-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2017-08-28 13:47 ` Boyer, Andrew
[not found] ` <D5C996DB.1DFB5%Andrew.Boyer-mb1K0bWo544@public.gmane.org>
2017-08-28 14:13 ` Doug Ledford
2017-08-28 13:50 ` Yuval Shaia
2017-08-27 23:00 ` kbuild test robot
2017-08-27 12:33 ` [PATCH v1 00/11] IB/rxe: Bug fixes Yuval Shaia
2017-08-28 20:11 ` [PATCH v2 " Andrew Boyer
[not found] ` <1503951119-25573-1-git-send-email-andrew.boyer-8PEkshWhKlo@public.gmane.org>
2017-08-28 20:11 ` [PATCH v2 01/11] IB/rxe: Move refcounting earlier in rxe_send() Andrew Boyer
2017-08-28 20:11 ` [PATCH v2 02/11] IB/rxe: Disable completion upcalls when a CQ is destroyed Andrew Boyer
2017-08-28 20:11 ` [PATCH v2 03/11] IB/rxe: Remove dangling prototype Andrew Boyer
2017-08-28 20:11 ` [PATCH v2 04/11] IB/rxe: Fix up the responder's find_resources() function Andrew Boyer
2017-08-28 20:11 ` [PATCH v2 05/11] IB/rxe: Fix destination cache for IPv6 Andrew Boyer
2017-08-28 20:11 ` [PATCH v2 06/11] IB/rxe: Add dst_clone() in prepare_ipv6_hdr() Andrew Boyer
2017-08-28 20:11 ` [PATCH v2 07/11] IB/rxe: Fix up rxe_qp_cleanup() Andrew Boyer
2017-08-28 20:11 ` [PATCH v2 08/11] IB/rxe: Remove unneeded initialization in prepare6() Andrew Boyer
2017-08-28 20:11 ` [PATCH v2 09/11] IB/rxe: Another fix for broken receive queue draining Andrew Boyer
2017-08-28 20:11 ` [PATCH v2 10/11] IB/rxe: Avoid ICRC errors by copying into the skb first Andrew Boyer
2017-08-28 20:11 ` [PATCH v2 11/11] IB/rxe: Handle NETDEV_CHANGE events Andrew Boyer
[not found] ` <1503951119-25573-12-git-send-email-andrew.boyer-8PEkshWhKlo@public.gmane.org>
2017-08-29 7:53 ` Yuval Shaia
2017-08-28 23:32 ` [PATCH v2 00/11] IB/rxe: Bug fixes Doug Ledford
2017-08-29 7:54 ` Yuval Shaia
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1503687956-7110-3-git-send-email-andrew.boyer@dell.com \
--to=andrew.boyer-8pekshwhklo@public.gmane.org \
--cc=linux-rdma-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=monis-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org \
--cc=yonatanc-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox