From: Leon Romanovsky <leon@kernel.org>
To: Jason Gunthorpe <jgg@nvidia.com>
Cc: Doug Ledford <dledford@redhat.com>, linux-rdma@vger.kernel.org
Subject: Re: [PATCH rdma-rc 1/3] RDMA/core: Postpone uobject cleanup on failure till FD close
Date: Sun, 1 Nov 2020 21:50:49 +0200 [thread overview]
Message-ID: <20201101195049.GC5429@unreal> (raw)
In-Reply-To: <20201027171122.GP1523783@nvidia.com>
On Tue, Oct 27, 2020 at 02:11:22PM -0300, Jason Gunthorpe wrote:
> On Tue, Oct 27, 2020 at 01:55:08PM -0300, Jason Gunthorpe wrote:
>
> > diff --git a/drivers/infiniband/core/rdma_core.c b/drivers/infiniband/core/rdma_core.c
> > index 3d366cb79cef42..3ae878f3d173d3 100644
> > +++ b/drivers/infiniband/core/rdma_core.c
> > @@ -540,6 +540,9 @@ static int __must_check destroy_hw_idr_uobject(struct ib_uobject *uobj,
> > if (ret)
> > return ret;
> >
> > + if (why == RDMA_REMOVE_ABORT)
> > + return 0;
> > +
> > ib_rdmacg_uncharge(&uobj->cg_obj, uobj->context->device,
> > RDMACG_RESOURCE_HCA_OBJECT);
> >
> > @@ -727,10 +730,8 @@ void release_ufile_idr_uobject(struct ib_uverbs_file *ufile)
> > *
> > * This is an optimized equivalent to remove_handle_idr_uobject
> > */
> > - xa_for_each(&ufile->idr, id, entry) {
> > - WARN_ON(entry->object);
> > + xa_for_each(&ufile->idr, id, entry)
> > uverbs_uobject_put(entry);
> > - }
>
> Actually this is not a good idea
>
> This one is better:
This causes to many syzkaller bugs, I didn't debug yet.
Thanks
>
> diff --git a/drivers/infiniband/core/rdma_core.c b/drivers/infiniband/core/rdma_core.c
> index 3d366cb79cef42..fd012be700ccc2 100644
> --- a/drivers/infiniband/core/rdma_core.c
> +++ b/drivers/infiniband/core/rdma_core.c
> @@ -540,6 +540,9 @@ static int __must_check destroy_hw_idr_uobject(struct ib_uobject *uobj,
> if (ret)
> return ret;
>
> + if (why == RDMA_REMOVE_ABORT)
> + return 0;
> +
> ib_rdmacg_uncharge(&uobj->cg_obj, uobj->context->device,
> RDMACG_RESOURCE_HCA_OBJECT);
>
> @@ -845,11 +848,17 @@ static int __uverbs_cleanup_ufile(struct ib_uverbs_file *ufile,
> * racing with a lookup_get.
> */
> WARN_ON(uverbs_try_lock_object(obj, UVERBS_LOOKUP_WRITE));
> + if (reason == RDMA_REMOVE_DRIVER_FAILURE)
> + obj->object = NULL;
> if (!uverbs_destroy_uobject(obj, reason, &attrs))
> ret = 0;
> else
> atomic_set(&obj->usecnt, 0);
> }
> + if (reason == RDMA_REMOVE_DRIVER_FAILURE) {
> + WARN_ON(!list_empty(&ufile->uobjects));
> + return 0;
> + }
> return ret;
> }
>
> @@ -862,9 +871,6 @@ static int __uverbs_cleanup_ufile(struct ib_uverbs_file *ufile,
> void uverbs_destroy_ufile_hw(struct ib_uverbs_file *ufile,
> enum rdma_remove_reason reason)
> {
> - struct ib_uobject *obj, *next_obj;
> - unsigned long flags;
> -
> down_write(&ufile->hw_destroy_rwsem);
>
> /*
> @@ -875,25 +881,10 @@ void uverbs_destroy_ufile_hw(struct ib_uverbs_file *ufile,
> goto done;
>
> while (!list_empty(&ufile->uobjects))
> - if (__uverbs_cleanup_ufile(ufile, reason)) {
> - /*
> - * No entry was cleaned-up successfully during this
> - * iteration. It is a driver bug to fail destruction.
> - */
> - WARN_ON(!list_empty(&ufile->uobjects));
> + if (__uverbs_cleanup_ufile(ufile, reason))
> break;
> - }
> -
> - list_for_each_entry_safe (obj, next_obj, &ufile->uobjects, list) {
> - spin_lock_irqsave(&ufile->uobjects_lock, flags);
> - list_del_init(&obj->list);
> - spin_unlock_irqrestore(&ufile->uobjects_lock, flags);
> - /*
> - * Pairs with the get in rdma_alloc_commit_uobject(), could
> - * destroy uobj.
> - */
> - uverbs_uobject_put(obj);
> - }
> + if (WARN_ON(!list_empty(&ufile->uobjects)))
> + __uverbs_cleanup_ufile(ufile, RDMA_REMOVE_DRIVER_FAILURE);
> ufile_destroy_ucontext(ufile, reason);
>
> done:
> diff --git a/include/rdma/ib_verbs.h b/include/rdma/ib_verbs.h
> index edfc1d7d3766ca..7e330f4a6d33ff 100644
> --- a/include/rdma/ib_verbs.h
> +++ b/include/rdma/ib_verbs.h
> @@ -1471,6 +1471,8 @@ enum rdma_remove_reason {
> RDMA_REMOVE_DRIVER_REMOVE,
> /* uobj is being cleaned-up before being committed */
> RDMA_REMOVE_ABORT,
> + /* The driver failed to destroy the uobject and is being disconnected */
> + RDMA_REMOVE_DRIVER_FAILURE,
> };
>
> struct ib_rdmacg_object {
next prev parent reply other threads:[~2020-11-01 19:50 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-10-12 4:55 [PATCH rdma-rc 0/3] Fixes to coming PR Leon Romanovsky
2020-10-12 4:55 ` [PATCH rdma-rc 1/3] RDMA/core: Postpone uobject cleanup on failure till FD close Leon Romanovsky
2020-10-27 16:55 ` Jason Gunthorpe
2020-10-27 17:11 ` Jason Gunthorpe
2020-11-01 19:50 ` Leon Romanovsky [this message]
2020-10-29 11:49 ` Leon Romanovsky
2020-10-12 4:55 ` [PATCH rdma-rc 2/3] RDMA/core: Make FD destroy callback void Leon Romanovsky
2020-10-12 4:56 ` [PATCH rdma-rc 3/3] RDMA/ucma: Fix use after free in destroy id flow Leon Romanovsky
2020-10-16 17:09 ` Jason Gunthorpe
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20201101195049.GC5429@unreal \
--to=leon@kernel.org \
--cc=dledford@redhat.com \
--cc=jgg@nvidia.com \
--cc=linux-rdma@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).