From: Bob Pearson <rpearsonhpe@gmail.com>
To: Jason Gunthorpe <jgg@nvidia.com>
Cc: zyjzyj2000@gmail.com, linux-rdma@vger.kernel.org,
kernel test robot <lkp@intel.com>
Subject: Re: [PATCH for-next v6 8/8] RDMA/rxe: Add wait for completion to obj destruct
Date: Wed, 8 Dec 2021 15:21:07 -0600 [thread overview]
Message-ID: <6ff5a719-d290-0f67-98b2-116cb1d3431f@gmail.com> (raw)
In-Reply-To: <20211207192824.GJ6385@nvidia.com>
On 12/7/21 13:28, Jason Gunthorpe wrote:
> On Mon, Dec 06, 2021 at 03:12:43PM -0600, Bob Pearson wrote:
>> This patch adds code to wait until pending activity on RDMA objects has
>> completed before freeing or returning to rdma-core where the object may
>> be freed.
>>
>> Reported-by: kernel test robot <lkp@intel.com>
>> Signed-off-by: Bob Pearson <rpearsonhpe@gmail.com>
>> v6
>> Corrected incorrect comment before __rxe_fini()
>> Added a #define for complete timeout value.
>> Changed type of __rxe_fini to int to return value from wait_for_completion.
>> drivers/infiniband/sw/rxe/rxe_comp.c | 4 +-
>> drivers/infiniband/sw/rxe/rxe_mcast.c | 4 ++
>> drivers/infiniband/sw/rxe/rxe_mr.c | 2 +
>> drivers/infiniband/sw/rxe/rxe_mw.c | 14 +++--
>> drivers/infiniband/sw/rxe/rxe_pool.c | 31 +++++++++-
>> drivers/infiniband/sw/rxe/rxe_pool.h | 4 ++
>> drivers/infiniband/sw/rxe/rxe_recv.c | 4 +-
>> drivers/infiniband/sw/rxe/rxe_req.c | 11 ++--
>> drivers/infiniband/sw/rxe/rxe_resp.c | 6 +-
>> drivers/infiniband/sw/rxe/rxe_verbs.c | 84 ++++++++++++++++++++-------
>> 10 files changed, 126 insertions(+), 38 deletions(-)
>>
>> diff --git a/drivers/infiniband/sw/rxe/rxe_comp.c b/drivers/infiniband/sw/rxe/rxe_comp.c
>> index f363fe3fa414..a2bb66f320fa 100644
>> +++ b/drivers/infiniband/sw/rxe/rxe_comp.c
>> @@ -562,7 +562,9 @@ int rxe_completer(void *arg)
>> enum comp_state state;
>> int ret = 0;
>>
>> - rxe_add_ref(qp);
>> + /* check qp pointer still valid */
>> + if (!rxe_add_ref(qp))
>> + return -EAGAIN;
>
> This doesn't make sense..
>
> If this already has a pointer to QP then it must already have a ref
> and add_ref cannot fail.
Good point. My first reaction to using kref_get_unless_zero() which returns a
value was to go around and check all the values to make sure no calls failed.
But you are correct. All the main tasklets depend on qp still being around since
the tasklet struct is contained inside of qp. Further all the qp references have
to be freed and the ref from kref_init before qp is freed so this call is both
safe from failing and completely unnecessary in the first place.
Bob
>
> The kref_get_unless_zero() is a special case for something like a
> container where it is possible for the container to hold a 0 ref item
> in it.
>
> The scheme you have makes that impossible because the container lock
> is held around the kref == 0 and list_del, so you never need
> unless_zero.
>
> The optimization is to not hold the lock around the kref_get, allow
> the container to have a 0 ref until the release reaches list_del, and
> then lock and list_del. The reader side then needs the unless_zero
>
> But the ONLY place unless_zero should be used is in a situation like
> that, and we should never see other failable refcount tests without
> some other clear explanation why the qp pointer with a 0 ref is not
> freed. The above doesn't qualify.
>
> Further
>
> +static inline bool __rxe_add_ref(struct rxe_pool_elem *elem)
> +{
> + return kref_get_unless_zero(&elem->ref_cnt);
> +}
>
> Just serves to defeat refcount debugging which checks that it is
> impossible for a 0 ref to be incr'd which is proof of a use after free
> when refcounts are implemetned properly.
>
> So I don't know what this is all about here but it needs some fixing..
>
> Jason
>
prev parent reply other threads:[~2021-12-08 21:21 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-12-06 21:12 [PATCH for-next v6 0/8] RDMA/rxe: Correct race conditions Bob Pearson
2021-12-06 21:12 ` [PATCH for-next v6 1/8] RDMA/rxe: Replace RB tree by xarray for indexes Bob Pearson
2021-12-07 19:09 ` Jason Gunthorpe
2021-12-09 0:16 ` Bob Pearson
2021-12-09 0:18 ` Jason Gunthorpe
2021-12-09 0:26 ` Bob Pearson
2021-12-06 21:12 ` [PATCH for-next v6 2/8] RDMA/rxe: Reverse the sense of RXE_POOL_NO_ALLOC Bob Pearson
2021-12-06 21:12 ` [PATCH for-next v6 3/8] RDMA/rxe: Cleanup pool APIs for keyed objects Bob Pearson
2021-12-07 19:18 ` Jason Gunthorpe
2021-12-06 21:12 ` [PATCH for-next v6 4/8] RDMA/rxe: Fix ref error in rxe_av.c Bob Pearson
2021-12-06 21:12 ` [PATCH for-next v6 5/8] RDMA/rxe: Replace mr by rkey in responder resources Bob Pearson
2021-12-06 21:12 ` [PATCH for-next v6 6/8] RDMA/rxe: Minor cleanups in rxe_pool.c/rxe_pool.h Bob Pearson
2021-12-06 21:12 ` [PATCH for-next v6 7/8] RDMA/rxe: Replace rxe_alloc by kzalloc for rxe_mc_elem Bob Pearson
2021-12-06 21:12 ` [PATCH for-next v6 8/8] RDMA/rxe: Add wait for completion to obj destruct Bob Pearson
2021-12-07 19:28 ` Jason Gunthorpe
2021-12-08 21:21 ` Bob Pearson [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=6ff5a719-d290-0f67-98b2-116cb1d3431f@gmail.com \
--to=rpearsonhpe@gmail.com \
--cc=jgg@nvidia.com \
--cc=linux-rdma@vger.kernel.org \
--cc=lkp@intel.com \
--cc=zyjzyj2000@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox