From: Jason Gunthorpe <jgg@nvidia.com>
To: Bob Pearson <rpearsonhpe@gmail.com>
Cc: zyjzyj2000@gmail.com, linux-rdma@vger.kernel.org,
kernel test robot <lkp@intel.com>
Subject: Re: [PATCH for-next v6 8/8] RDMA/rxe: Add wait for completion to obj destruct
Date: Tue, 7 Dec 2021 15:28:24 -0400 [thread overview]
Message-ID: <20211207192824.GJ6385@nvidia.com> (raw)
In-Reply-To: <20211206211242.15528-9-rpearsonhpe@gmail.com>
On Mon, Dec 06, 2021 at 03:12:43PM -0600, Bob Pearson wrote:
> This patch adds code to wait until pending activity on RDMA objects has
> completed before freeing or returning to rdma-core where the object may
> be freed.
>
> Reported-by: kernel test robot <lkp@intel.com>
> Signed-off-by: Bob Pearson <rpearsonhpe@gmail.com>
> v6
> Corrected incorrect comment before __rxe_fini()
> Added a #define for complete timeout value.
> Changed type of __rxe_fini to int to return value from wait_for_completion.
> drivers/infiniband/sw/rxe/rxe_comp.c | 4 +-
> drivers/infiniband/sw/rxe/rxe_mcast.c | 4 ++
> drivers/infiniband/sw/rxe/rxe_mr.c | 2 +
> drivers/infiniband/sw/rxe/rxe_mw.c | 14 +++--
> drivers/infiniband/sw/rxe/rxe_pool.c | 31 +++++++++-
> drivers/infiniband/sw/rxe/rxe_pool.h | 4 ++
> drivers/infiniband/sw/rxe/rxe_recv.c | 4 +-
> drivers/infiniband/sw/rxe/rxe_req.c | 11 ++--
> drivers/infiniband/sw/rxe/rxe_resp.c | 6 +-
> drivers/infiniband/sw/rxe/rxe_verbs.c | 84 ++++++++++++++++++++-------
> 10 files changed, 126 insertions(+), 38 deletions(-)
>
> diff --git a/drivers/infiniband/sw/rxe/rxe_comp.c b/drivers/infiniband/sw/rxe/rxe_comp.c
> index f363fe3fa414..a2bb66f320fa 100644
> +++ b/drivers/infiniband/sw/rxe/rxe_comp.c
> @@ -562,7 +562,9 @@ int rxe_completer(void *arg)
> enum comp_state state;
> int ret = 0;
>
> - rxe_add_ref(qp);
> + /* check qp pointer still valid */
> + if (!rxe_add_ref(qp))
> + return -EAGAIN;
This doesn't make sense..
If this already has a pointer to QP then it must already have a ref
and add_ref cannot fail.
The kref_get_unless_zero() is a special case for something like a
container where it is possible for the container to hold a 0 ref item
in it.
The scheme you have makes that impossible because the container lock
is held around the kref == 0 and list_del, so you never need
unless_zero.
The optimization is to not hold the lock around the kref_get, allow
the container to have a 0 ref until the release reaches list_del, and
then lock and list_del. The reader side then needs the unless_zero
But the ONLY place unless_zero should be used is in a situation like
that, and we should never see other failable refcount tests without
some other clear explanation why the qp pointer with a 0 ref is not
freed. The above doesn't qualify.
Further
+static inline bool __rxe_add_ref(struct rxe_pool_elem *elem)
+{
+ return kref_get_unless_zero(&elem->ref_cnt);
+}
Just serves to defeat refcount debugging which checks that it is
impossible for a 0 ref to be incr'd which is proof of a use after free
when refcounts are implemetned properly.
So I don't know what this is all about here but it needs some fixing..
Jason
next prev parent reply other threads:[~2021-12-07 19:28 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-12-06 21:12 [PATCH for-next v6 0/8] RDMA/rxe: Correct race conditions Bob Pearson
2021-12-06 21:12 ` [PATCH for-next v6 1/8] RDMA/rxe: Replace RB tree by xarray for indexes Bob Pearson
2021-12-07 19:09 ` Jason Gunthorpe
2021-12-09 0:16 ` Bob Pearson
2021-12-09 0:18 ` Jason Gunthorpe
2021-12-09 0:26 ` Bob Pearson
2021-12-06 21:12 ` [PATCH for-next v6 2/8] RDMA/rxe: Reverse the sense of RXE_POOL_NO_ALLOC Bob Pearson
2021-12-06 21:12 ` [PATCH for-next v6 3/8] RDMA/rxe: Cleanup pool APIs for keyed objects Bob Pearson
2021-12-07 19:18 ` Jason Gunthorpe
2021-12-06 21:12 ` [PATCH for-next v6 4/8] RDMA/rxe: Fix ref error in rxe_av.c Bob Pearson
2021-12-06 21:12 ` [PATCH for-next v6 5/8] RDMA/rxe: Replace mr by rkey in responder resources Bob Pearson
2021-12-06 21:12 ` [PATCH for-next v6 6/8] RDMA/rxe: Minor cleanups in rxe_pool.c/rxe_pool.h Bob Pearson
2021-12-06 21:12 ` [PATCH for-next v6 7/8] RDMA/rxe: Replace rxe_alloc by kzalloc for rxe_mc_elem Bob Pearson
2021-12-06 21:12 ` [PATCH for-next v6 8/8] RDMA/rxe: Add wait for completion to obj destruct Bob Pearson
2021-12-07 19:28 ` Jason Gunthorpe [this message]
2021-12-08 21:21 ` Bob Pearson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20211207192824.GJ6385@nvidia.com \
--to=jgg@nvidia.com \
--cc=linux-rdma@vger.kernel.org \
--cc=lkp@intel.com \
--cc=rpearsonhpe@gmail.com \
--cc=zyjzyj2000@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox