From: Jason Gunthorpe <jgunthorpe-ePGOBjL8dl3ta4EC/59zMFaTQe2KTcn/@public.gmane.org>
To: Matan Barak <matanb-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>
Cc: Doug Ledford <dledford-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>,
linux-rdma-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
Somnath Kotur
<Somnath.Kotur-idTK6quXuVSLFuii7jzJGg@public.gmane.org>,
Haggai Eran <haggaie-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>,
Or Gerlitz <ogerlitz-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>
Subject: Re: [PATCH for-next V1 2/3] IB/core: RoCE GID management separate cleanup and release
Date: Mon, 3 Aug 2015 21:10:38 -0600 [thread overview]
Message-ID: <20150804031038.GA27627@obsidianresearch.com> (raw)
In-Reply-To: <1438607342-11964-3-git-send-email-matanb-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>
On Mon, Aug 03, 2015 at 04:09:01PM +0300, Matan Barak wrote:
> The release function is called after the device was put.
> Although vendor drivers aren't expected to use IB cache in their
> removal process, we postpone freeing the cache in order to avoid
> possible use-after-free errors.
It isn't so much that they are not expected, it is that they may not
have a choice. A driver cannot tear down things like tasklets and work
queues until after removal finishes, and any of those async things
could call into the core. That is why a driver audit would be so hard..
> @@ -902,9 +925,7 @@ int ib_cache_setup_one(struct ib_device *device)
> (rdma_end_port(device) -
> rdma_start_port(device) + 1),
> GFP_KERNEL);
> - err = gid_table_setup_one(device);
> -
> - if (!device->cache.pkey_cache || !device->cache.gid_cache ||
> + if (!device->cache.pkey_cache ||
> !device->cache.lmc_cache) {
> printk(KERN_WARNING "Couldn't allocate cache "
> "for %s\n", device->name);
> @@ -912,6 +933,10 @@ int ib_cache_setup_one(struct ib_device *device)
> goto err;
> }
>
> + err = gid_table_setup_one(device);
> + if (err)
> + goto err;
> +
> for (p = 0; p <= rdma_end_port(device) - rdma_start_port(device); ++p) {
> device->cache.pkey_cache[p] = NULL;
> ib_cache_update(device, p + rdma_start_port(device));
> @@ -929,29 +954,46 @@ err_cache:
> for (p = 0; p <= rdma_end_port(device) - rdma_start_port(device); ++p)
> kfree(device->cache.pkey_cache[p]);
>
> + gid_table_cleanup_one(device);
> + gid_table_release_one(device);
> err:
> kfree(device->cache.pkey_cache);
> - gid_table_cleanup_one(device);
> kfree(device->cache.lmc_cache);
This still seems to double kfree on error..
Pick a scheme and use it consistently, either rely on release to be
called on error via kref-put, or kfree and null, for all the kfress in
release_one.
> + ib_cache_cleanup_one(device);
> ib_device_unregister_sysfs(device);
I didn't check closely, but I suspect the above order should be
swapped, and the matching swap in register. sysfs can legitimately
call into core code, but vice-versa shouldn't happen...
Jason
--
To unsubscribe from this list: send the line "unsubscribe linux-rdma" in
the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
next prev parent reply other threads:[~2015-08-04 3:10 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-08-03 13:08 [PATCH for-next V1 0/3] RoCE GID management fixes Matan Barak
[not found] ` <1438607342-11964-1-git-send-email-matanb-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>
2015-08-03 13:09 ` [PATCH for-next V1 1/3] IB/core: Access to one past end of array in _gid_table_setup_one Matan Barak
[not found] ` <1438607342-11964-2-git-send-email-matanb-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>
2015-08-14 21:04 ` Doug Ledford
2015-08-03 13:09 ` [PATCH for-next V1 2/3] IB/core: RoCE GID management separate cleanup and release Matan Barak
[not found] ` <1438607342-11964-3-git-send-email-matanb-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>
2015-08-04 3:10 ` Jason Gunthorpe [this message]
[not found] ` <20150804031038.GA27627-ePGOBjL8dl3ta4EC/59zMFaTQe2KTcn/@public.gmane.org>
2015-08-04 12:09 ` Matan Barak
[not found] ` <CAAKD3BBESq61-UJJvqm=ni5vrtu8yuNJvC57mWwCpehQSd1k4A-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2015-08-04 16:46 ` Jason Gunthorpe
[not found] ` <20150804164650.GA3858-ePGOBjL8dl3ta4EC/59zMFaTQe2KTcn/@public.gmane.org>
2015-08-04 18:55 ` Matan Barak
[not found] ` <CAAKD3BDDKcyA0xitGpuMkKsr6=9onxFgdVXHE3n-zb=xjX4Uhg-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2015-08-04 21:23 ` Jason Gunthorpe
[not found] ` <20150804212334.GB10934-ePGOBjL8dl3ta4EC/59zMFaTQe2KTcn/@public.gmane.org>
2015-08-14 21:49 ` Doug Ledford
2015-08-14 21:56 ` Doug Ledford
2015-08-03 13:09 ` [PATCH for-next V1 3/3] IB/core: Fix possible deadlock in write_gid Matan Barak
[not found] ` <1438607342-11964-4-git-send-email-matanb-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>
2015-08-14 21:16 ` Doug Ledford
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20150804031038.GA27627@obsidianresearch.com \
--to=jgunthorpe-epgobjl8dl3ta4ec/59zmfatqe2ktcn/@public.gmane.org \
--cc=Somnath.Kotur-idTK6quXuVSLFuii7jzJGg@public.gmane.org \
--cc=dledford-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org \
--cc=haggaie-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org \
--cc=linux-rdma-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=matanb-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org \
--cc=ogerlitz-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).