From: Bernd Schubert <bernd.schubert-mPn0NPGs4xGatNDF+KUbs4QuADTiUCJX@public.gmane.org>
To: "Hefty, Sean" <sean.hefty-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org>
Cc: "linux-rdma-u79uwXL29TY76Z2rM5mHXA@public.gmane.org"
<linux-rdma-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>,
"roland-BHEL68pLQRGGvPXPguhicg@public.gmane.org"
<roland-BHEL68pLQRGGvPXPguhicg@public.gmane.org>,
Sven Breuner
<sven.breuner-mPn0NPGs4xGatNDF+KUbs4QuADTiUCJX@public.gmane.org>
Subject: Re: [PATCH] core/verb.c: fix kernel panic: always initialize struct ib_qp *qp->usecnt
Date: Mon, 23 Jan 2012 17:11:45 +0100 [thread overview]
Message-ID: <4F1D86C1.8050709@itwm.fraunhofer.de> (raw)
In-Reply-To: <1828884A29C6694DAF28B7E6B8A823732DC115E2-P5GAC/sN6hmkrb+BlOpmy7fspsVTdybXVpNB7YpNyf8@public.gmane.org>
On 01/20/2012 07:43 PM, Hefty, Sean wrote:
>> However, what is is with user space setting type to IB_QPT_XRC_TGT?
>> I guess this could be solved by letting the kernel zero the memory
>> returned by ->ops.create_qp(pd, qp_init_attr). Btw, I didn't figure
>> out yet, how this translates at all in kernel space? Is this op
>> directly going to the device driver?
>
> ops.create_qp basically ends up going into the kernel into
> ib_uverbs_create_qp().
Thanks, I didn't find this.
>
>> But even if we are properly going to initialize the qp, what is
>> with user space mischievously trying to crash the system by
>> manipulating struct ib_qp *qp?
>
> There's cleanup in uverbs that ignores the return value from
> ib_destroy_qp(), basically because it shouldn't fail in those
> circumstances. After calling ib_destroy_qp, uverbs will free some
> internal structures that some of the callback handlers expect to
> access. This leads to the crashes that you're seeing.
>
> I think the problem is that your first patch is incomplete.
> ib_uverbs_create_qp() will create a QP by either calling
> ib_create_qp() or by calling the device directly (device->create_qp).
> qp->usecnt needs to be initialized in both cases. Can you try this
> modification to your original patch?
Thanks, this works either. But a question here, couldn't we just add the
"struct ib_udata *udata" as third parameter to ib_create_qp() and then
remove the if-condition in ib_uverbs_create_qp()?
if (cmd.qp_type == IB_QPT_XRC_TGT)
qp = ib_create_qp(pd, &attr);
else
qp = device->create_qp(pd, &attr, &udata);
So reduce this to
qp = ib_create_qp(pd, &attr, &attr);
Other callers of ib_create_qp() are not that many and would pass NULL
instead.
Cheers,
Bernd
>
> From: Bernd Schubert<bernd.schubert-mPn0NPGs4xGatNDF+KUbs4QuADTiUCJX@public.gmane.org>
>
> From: Sean Hefty<sean.hefty-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org>
>
> rdma/core: Fix kernel panic by always initializing qp->usecnt
>
> We have just been investigating kernel panics related to
> cq->ibcq.event_handler() completion calls.
>
> Reason is that ib_destroy_qp() fails with -EBUSY. Further
> investigation revealed qp->usecnt is not initialized. This counter
> was introduced in linux-3.2 by commit
> 0e0ec7e0638ef48e0c661873dfcc8caccab984c6 and is only initialized for
> IB_QPT_XRC_TGT, but also checked in ib_destroy_qp() for any qp type.
>
> Signed-off-by: Bernd Schubert<bernd.schubert-mPn0NPGs4xGatNDF+KUbs4QuADTiUCJX@public.gmane.org>
> Signed-off-by: Sven Breuner<sven.breuner-mPn0NPGs4xGatNDF+KUbs4QuADTiUCJX@public.gmane.org>
> Signed-off-by: Sean Hefty<sean.hefty-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org> ---
> drivers/infiniband/core/uverbs_cmd.c | 1 +
> drivers/infiniband/core/verbs.c | 2 +- 2 files changed, 2
> insertions(+), 1 deletions(-)
>
> diff --git a/drivers/infiniband/core/uverbs_cmd.c
> b/drivers/infiniband/core/uverbs_cmd.c index e26193f..e47dbf1 100644
> --- a/drivers/infiniband/core/uverbs_cmd.c +++
> b/drivers/infiniband/core/uverbs_cmd.c @@ -1472,6 +1472,7 @@ ssize_t
> ib_uverbs_create_qp(struct ib_uverbs_file *file, qp->event_handler =
> attr.event_handler; qp->qp_context = attr.qp_context; qp->qp_type
> = attr.qp_type; + atomic_set(&qp->usecnt, 0);
> atomic_inc(&pd->usecnt); atomic_inc(&attr.send_cq->usecnt); if
> (attr.recv_cq) diff --git a/drivers/infiniband/core/verbs.c
> b/drivers/infiniband/core/verbs.c index 602b1bd..575b780 100644 ---
> a/drivers/infiniband/core/verbs.c +++
> b/drivers/infiniband/core/verbs.c @@ -421,6 +421,7 @@ struct ib_qp
> *ib_create_qp(struct ib_pd *pd, qp->uobject = NULL; qp->qp_type
> = qp_init_attr->qp_type;
>
> + atomic_set(&qp->usecnt, 0); if (qp_init_attr->qp_type ==
> IB_QPT_XRC_TGT) { qp->event_handler = __ib_shared_qp_event_handler;
> qp->qp_context = qp; @@ -430,7 +431,6 @@ struct ib_qp
> *ib_create_qp(struct ib_pd *pd, qp->xrcd = qp_init_attr->xrcd;
> atomic_inc(&qp_init_attr->xrcd->usecnt);
> INIT_LIST_HEAD(&qp->open_list); - atomic_set(&qp->usecnt, 0);
>
> real_qp = qp; qp = __ib_open_qp(real_qp,
> qp_init_attr->event_handler,
>
>
--
To unsubscribe from this list: send the line "unsubscribe linux-rdma" in
the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
next prev parent reply other threads:[~2012-01-23 16:11 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-01-20 18:43 [PATCH] core/verb.c: fix kernel panic: always initialize struct ib_qp *qp->usecnt Hefty, Sean
[not found] ` <1828884A29C6694DAF28B7E6B8A823732DC115E2-P5GAC/sN6hmkrb+BlOpmy7fspsVTdybXVpNB7YpNyf8@public.gmane.org>
2012-01-23 16:11 ` Bernd Schubert [this message]
-- strict thread matches above, loose matches on Subject: below --
2012-01-19 19:46 Bernd Schubert
[not found] ` <20120119194641.1391553.39048.stgit-bi+AKbBUZKY6gyzm1THtWbp2dZbC/Bob@public.gmane.org>
2012-01-19 20:29 ` Hefty, Sean
[not found] ` <1828884A29C6694DAF28B7E6B8A823732DC0C33E-P5GAC/sN6hlZtRGVdHMbwrfspsVTdybXVpNB7YpNyf8@public.gmane.org>
2012-01-20 16:14 ` Bernd Schubert
[not found] ` <4F1992F6.9070103-mPn0NPGs4xGatNDF+KUbs4QuADTiUCJX@public.gmane.org>
2012-01-20 18:40 ` Roland Dreier
[not found] ` <CAL1RGDWSh3HpVY5dui549EoqhzTYaSnsCPGdEU+hPZ9NWx6ttw-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2012-01-20 18:43 ` Roland Dreier
[not found] ` <CAL1RGDW=XfCd3aCmB0mE1WcOUeDj=17=s2K0A3zpFmBF6Rg_Rg-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2012-01-27 16:23 ` Sven Breuner
[not found] ` <4F22CF82.2060606-mPn0NPGs4xGatNDF+KUbs4QuADTiUCJX@public.gmane.org>
2012-01-27 17:20 ` Roland Dreier
[not found] ` <CAL1RGDXXYG48d2P0h4G+z4W8HebjrQ7HTWyx5FqgB0_2OqC4Ng-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2012-01-27 18:49 ` Sven Breuner
[not found] ` <4F22F1C9.3090801-mPn0NPGs4xGatNDF+KUbs4QuADTiUCJX@public.gmane.org>
2012-01-27 19:09 ` Roland Dreier
2012-01-23 15:11 ` Bernd Schubert
2012-01-19 20:38 ` Greg KH
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4F1D86C1.8050709@itwm.fraunhofer.de \
--to=bernd.schubert-mpn0npgs4xgatndf+kubs4quadtiucjx@public.gmane.org \
--cc=linux-rdma-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=roland-BHEL68pLQRGGvPXPguhicg@public.gmane.org \
--cc=sean.hefty-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org \
--cc=sven.breuner-mPn0NPGs4xGatNDF+KUbs4QuADTiUCJX@public.gmane.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox