* qib_lookup_qpn() appears to leak pointer out of rcu_read_unlock()
@ 2014-02-12 0:35 Paul E. McKenney
2014-02-12 13:59 ` Marciniszyn, Mike
0 siblings, 1 reply; 5+ messages in thread
From: Paul E. McKenney @ 2014-02-12 0:35 UTC (permalink / raw)
To: roland, sean.hefty, hal.rosenstock; +Cc: linux-rdma, linux-kernel
Hello!
The qib_lookup_qpn() function does RCU pointer traversals within RCU
read-side critical sections as required, but the qp pointer is returned
from this function after it does rcu_read_unlock(). One of the callers,
qib_rcv_hdrerr(), dereferences this pointer upon return.
This appears to me to be a bug. From what I can see, the structure
pointed to by qp could be freed immediately after the rcu_read_unlock(),
which would result in a SEGV when qib_rcv_hdrerr() does its later
spin_lock(&qp->r_lock).
So what am I missing here?
Thanx, Paul
^ permalink raw reply [flat|nested] 5+ messages in thread
* RE: qib_lookup_qpn() appears to leak pointer out of rcu_read_unlock()
2014-02-12 0:35 qib_lookup_qpn() appears to leak pointer out of rcu_read_unlock() Paul E. McKenney
@ 2014-02-12 13:59 ` Marciniszyn, Mike
2014-02-12 14:55 ` Paul E. McKenney
0 siblings, 1 reply; 5+ messages in thread
From: Marciniszyn, Mike @ 2014-02-12 13:59 UTC (permalink / raw)
To: paulmck@linux.vnet.ibm.com, roland@kernel.org, Hefty, Sean,
hal.rosenstock@gmail.com
Cc: linux-rdma@vger.kernel.org, linux-kernel@vger.kernel.org
> So what am I missing here?
>
The atomic increment of a reference count:
struct qib_qp *qib_lookup_qpn(struct qib_ibport *ibp, u32 qpn)
{
struct qib_qp *qp = NULL;
rcu_read_lock();
if (unlikely(qpn <= 1)) {
if (qpn == 0)
qp = rcu_dereference(ibp->qp0);
else
qp = rcu_dereference(ibp->qp1);
if (qp)
atomic_inc(&qp->refcount); <--------------------------
} else {
struct qib_ibdev *dev = &ppd_from_ibp(ibp)->dd->verbs_dev;
unsigned n = qpn_hash(dev, qpn);
for (qp = rcu_dereference(dev->qp_table[n]); qp;
qp = rcu_dereference(qp->next))
if (qp->ibqp.qp_num == qpn) {
atomic_inc(&qp->refcount); <---------------------
break;
}
}
rcu_read_unlock();
return qp;
}
Mike
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: qib_lookup_qpn() appears to leak pointer out of rcu_read_unlock()
2014-02-12 13:59 ` Marciniszyn, Mike
@ 2014-02-12 14:55 ` Paul E. McKenney
2014-02-12 14:57 ` Marciniszyn, Mike
0 siblings, 1 reply; 5+ messages in thread
From: Paul E. McKenney @ 2014-02-12 14:55 UTC (permalink / raw)
To: Marciniszyn, Mike
Cc: roland@kernel.org, Hefty, Sean, hal.rosenstock@gmail.com,
linux-rdma@vger.kernel.org, linux-kernel@vger.kernel.org
On Wed, Feb 12, 2014 at 01:59:30PM +0000, Marciniszyn, Mike wrote:
> > So what am I missing here?
> >
>
> The atomic increment of a reference count:
Got it, thank you, apologies for the noise!
Thanx, Paul
> struct qib_qp *qib_lookup_qpn(struct qib_ibport *ibp, u32 qpn)
> {
> struct qib_qp *qp = NULL;
>
> rcu_read_lock();
> if (unlikely(qpn <= 1)) {
> if (qpn == 0)
> qp = rcu_dereference(ibp->qp0);
> else
> qp = rcu_dereference(ibp->qp1);
> if (qp)
> atomic_inc(&qp->refcount); <--------------------------
> } else {
> struct qib_ibdev *dev = &ppd_from_ibp(ibp)->dd->verbs_dev;
> unsigned n = qpn_hash(dev, qpn);
>
> for (qp = rcu_dereference(dev->qp_table[n]); qp;
> qp = rcu_dereference(qp->next))
> if (qp->ibqp.qp_num == qpn) {
> atomic_inc(&qp->refcount); <---------------------
> break;
> }
> }
> rcu_read_unlock();
> return qp;
> }
>
> Mike
>
^ permalink raw reply [flat|nested] 5+ messages in thread
* RE: qib_lookup_qpn() appears to leak pointer out of rcu_read_unlock()
2014-02-12 14:55 ` Paul E. McKenney
@ 2014-02-12 14:57 ` Marciniszyn, Mike
2014-02-12 21:50 ` Paul E. McKenney
0 siblings, 1 reply; 5+ messages in thread
From: Marciniszyn, Mike @ 2014-02-12 14:57 UTC (permalink / raw)
To: paulmck@linux.vnet.ibm.com
Cc: roland@kernel.org, Hefty, Sean, hal.rosenstock@gmail.com,
linux-rdma@vger.kernel.org, linux-kernel@vger.kernel.org
BTW, I am considering eliminating the atomic_inc() in favor of widening the scope of the rcu lock expanse.
Mike
> -----Original Message-----
> From: Paul E. McKenney [mailto:paulmck@linux.vnet.ibm.com]
> Sent: Wednesday, February 12, 2014 9:56 AM
> To: Marciniszyn, Mike
> Cc: roland@kernel.org; Hefty, Sean; hal.rosenstock@gmail.com; linux-
> rdma@vger.kernel.org; linux-kernel@vger.kernel.org
> Subject: Re: qib_lookup_qpn() appears to leak pointer out of rcu_read_unlock()
>
> On Wed, Feb 12, 2014 at 01:59:30PM +0000, Marciniszyn, Mike wrote:
> > > So what am I missing here?
> > >
> >
> > The atomic increment of a reference count:
>
> Got it, thank you, apologies for the noise!
>
> Thanx, Paul
>
> > struct qib_qp *qib_lookup_qpn(struct qib_ibport *ibp, u32 qpn) {
> > struct qib_qp *qp = NULL;
> >
> > rcu_read_lock();
> > if (unlikely(qpn <= 1)) {
> > if (qpn == 0)
> > qp = rcu_dereference(ibp->qp0);
> > else
> > qp = rcu_dereference(ibp->qp1);
> > if (qp)
> > atomic_inc(&qp->refcount); <--------------------------
> > } else {
> > struct qib_ibdev *dev = &ppd_from_ibp(ibp)->dd->verbs_dev;
> > unsigned n = qpn_hash(dev, qpn);
> >
> > for (qp = rcu_dereference(dev->qp_table[n]); qp;
> > qp = rcu_dereference(qp->next))
> > if (qp->ibqp.qp_num == qpn) {
> > atomic_inc(&qp->refcount); <---------------------
> > break;
> > }
> > }
> > rcu_read_unlock();
> > return qp;
> > }
> >
> > Mike
> >
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: qib_lookup_qpn() appears to leak pointer out of rcu_read_unlock()
2014-02-12 14:57 ` Marciniszyn, Mike
@ 2014-02-12 21:50 ` Paul E. McKenney
0 siblings, 0 replies; 5+ messages in thread
From: Paul E. McKenney @ 2014-02-12 21:50 UTC (permalink / raw)
To: Marciniszyn, Mike
Cc: roland@kernel.org, Hefty, Sean, hal.rosenstock@gmail.com,
linux-rdma@vger.kernel.org, linux-kernel@vger.kernel.org
On Wed, Feb 12, 2014 at 02:57:14PM +0000, Marciniszyn, Mike wrote:
> BTW, I am considering eliminating the atomic_inc() in favor of widening the scope of the rcu lock expanse.
As long as the newly included code doesn't block, that should work fine.
(If it does block, another option is SRCU.)
Thanx, Paul
> Mike
>
> > -----Original Message-----
> > From: Paul E. McKenney [mailto:paulmck@linux.vnet.ibm.com]
> > Sent: Wednesday, February 12, 2014 9:56 AM
> > To: Marciniszyn, Mike
> > Cc: roland@kernel.org; Hefty, Sean; hal.rosenstock@gmail.com; linux-
> > rdma@vger.kernel.org; linux-kernel@vger.kernel.org
> > Subject: Re: qib_lookup_qpn() appears to leak pointer out of rcu_read_unlock()
> >
> > On Wed, Feb 12, 2014 at 01:59:30PM +0000, Marciniszyn, Mike wrote:
> > > > So what am I missing here?
> > > >
> > >
> > > The atomic increment of a reference count:
> >
> > Got it, thank you, apologies for the noise!
> >
> > Thanx, Paul
> >
> > > struct qib_qp *qib_lookup_qpn(struct qib_ibport *ibp, u32 qpn) {
> > > struct qib_qp *qp = NULL;
> > >
> > > rcu_read_lock();
> > > if (unlikely(qpn <= 1)) {
> > > if (qpn == 0)
> > > qp = rcu_dereference(ibp->qp0);
> > > else
> > > qp = rcu_dereference(ibp->qp1);
> > > if (qp)
> > > atomic_inc(&qp->refcount); <--------------------------
> > > } else {
> > > struct qib_ibdev *dev = &ppd_from_ibp(ibp)->dd->verbs_dev;
> > > unsigned n = qpn_hash(dev, qpn);
> > >
> > > for (qp = rcu_dereference(dev->qp_table[n]); qp;
> > > qp = rcu_dereference(qp->next))
> > > if (qp->ibqp.qp_num == qpn) {
> > > atomic_inc(&qp->refcount); <---------------------
> > > break;
> > > }
> > > }
> > > rcu_read_unlock();
> > > return qp;
> > > }
> > >
> > > Mike
> > >
>
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2014-02-12 21:50 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2014-02-12 0:35 qib_lookup_qpn() appears to leak pointer out of rcu_read_unlock() Paul E. McKenney
2014-02-12 13:59 ` Marciniszyn, Mike
2014-02-12 14:55 ` Paul E. McKenney
2014-02-12 14:57 ` Marciniszyn, Mike
2014-02-12 21:50 ` Paul E. McKenney
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox