* qib_lookup_qpn() appears to leak pointer out of rcu_read_unlock() @ 2014-02-12 0:35 Paul E. McKenney 2014-02-12 13:59 ` Marciniszyn, Mike 0 siblings, 1 reply; 5+ messages in thread From: Paul E. McKenney @ 2014-02-12 0:35 UTC (permalink / raw) To: roland, sean.hefty, hal.rosenstock; +Cc: linux-rdma, linux-kernel Hello! The qib_lookup_qpn() function does RCU pointer traversals within RCU read-side critical sections as required, but the qp pointer is returned from this function after it does rcu_read_unlock(). One of the callers, qib_rcv_hdrerr(), dereferences this pointer upon return. This appears to me to be a bug. From what I can see, the structure pointed to by qp could be freed immediately after the rcu_read_unlock(), which would result in a SEGV when qib_rcv_hdrerr() does its later spin_lock(&qp->r_lock). So what am I missing here? Thanx, Paul ^ permalink raw reply [flat|nested] 5+ messages in thread
* RE: qib_lookup_qpn() appears to leak pointer out of rcu_read_unlock() 2014-02-12 0:35 qib_lookup_qpn() appears to leak pointer out of rcu_read_unlock() Paul E. McKenney @ 2014-02-12 13:59 ` Marciniszyn, Mike 2014-02-12 14:55 ` Paul E. McKenney 0 siblings, 1 reply; 5+ messages in thread From: Marciniszyn, Mike @ 2014-02-12 13:59 UTC (permalink / raw) To: paulmck@linux.vnet.ibm.com, roland@kernel.org, Hefty, Sean, hal.rosenstock@gmail.com Cc: linux-rdma@vger.kernel.org, linux-kernel@vger.kernel.org > So what am I missing here? > The atomic increment of a reference count: struct qib_qp *qib_lookup_qpn(struct qib_ibport *ibp, u32 qpn) { struct qib_qp *qp = NULL; rcu_read_lock(); if (unlikely(qpn <= 1)) { if (qpn == 0) qp = rcu_dereference(ibp->qp0); else qp = rcu_dereference(ibp->qp1); if (qp) atomic_inc(&qp->refcount); <-------------------------- } else { struct qib_ibdev *dev = &ppd_from_ibp(ibp)->dd->verbs_dev; unsigned n = qpn_hash(dev, qpn); for (qp = rcu_dereference(dev->qp_table[n]); qp; qp = rcu_dereference(qp->next)) if (qp->ibqp.qp_num == qpn) { atomic_inc(&qp->refcount); <--------------------- break; } } rcu_read_unlock(); return qp; } Mike ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: qib_lookup_qpn() appears to leak pointer out of rcu_read_unlock() 2014-02-12 13:59 ` Marciniszyn, Mike @ 2014-02-12 14:55 ` Paul E. McKenney 2014-02-12 14:57 ` Marciniszyn, Mike 0 siblings, 1 reply; 5+ messages in thread From: Paul E. McKenney @ 2014-02-12 14:55 UTC (permalink / raw) To: Marciniszyn, Mike Cc: roland@kernel.org, Hefty, Sean, hal.rosenstock@gmail.com, linux-rdma@vger.kernel.org, linux-kernel@vger.kernel.org On Wed, Feb 12, 2014 at 01:59:30PM +0000, Marciniszyn, Mike wrote: > > So what am I missing here? > > > > The atomic increment of a reference count: Got it, thank you, apologies for the noise! Thanx, Paul > struct qib_qp *qib_lookup_qpn(struct qib_ibport *ibp, u32 qpn) > { > struct qib_qp *qp = NULL; > > rcu_read_lock(); > if (unlikely(qpn <= 1)) { > if (qpn == 0) > qp = rcu_dereference(ibp->qp0); > else > qp = rcu_dereference(ibp->qp1); > if (qp) > atomic_inc(&qp->refcount); <-------------------------- > } else { > struct qib_ibdev *dev = &ppd_from_ibp(ibp)->dd->verbs_dev; > unsigned n = qpn_hash(dev, qpn); > > for (qp = rcu_dereference(dev->qp_table[n]); qp; > qp = rcu_dereference(qp->next)) > if (qp->ibqp.qp_num == qpn) { > atomic_inc(&qp->refcount); <--------------------- > break; > } > } > rcu_read_unlock(); > return qp; > } > > Mike > ^ permalink raw reply [flat|nested] 5+ messages in thread
* RE: qib_lookup_qpn() appears to leak pointer out of rcu_read_unlock() 2014-02-12 14:55 ` Paul E. McKenney @ 2014-02-12 14:57 ` Marciniszyn, Mike 2014-02-12 21:50 ` Paul E. McKenney 0 siblings, 1 reply; 5+ messages in thread From: Marciniszyn, Mike @ 2014-02-12 14:57 UTC (permalink / raw) To: paulmck@linux.vnet.ibm.com Cc: roland@kernel.org, Hefty, Sean, hal.rosenstock@gmail.com, linux-rdma@vger.kernel.org, linux-kernel@vger.kernel.org BTW, I am considering eliminating the atomic_inc() in favor of widening the scope of the rcu lock expanse. Mike > -----Original Message----- > From: Paul E. McKenney [mailto:paulmck@linux.vnet.ibm.com] > Sent: Wednesday, February 12, 2014 9:56 AM > To: Marciniszyn, Mike > Cc: roland@kernel.org; Hefty, Sean; hal.rosenstock@gmail.com; linux- > rdma@vger.kernel.org; linux-kernel@vger.kernel.org > Subject: Re: qib_lookup_qpn() appears to leak pointer out of rcu_read_unlock() > > On Wed, Feb 12, 2014 at 01:59:30PM +0000, Marciniszyn, Mike wrote: > > > So what am I missing here? > > > > > > > The atomic increment of a reference count: > > Got it, thank you, apologies for the noise! > > Thanx, Paul > > > struct qib_qp *qib_lookup_qpn(struct qib_ibport *ibp, u32 qpn) { > > struct qib_qp *qp = NULL; > > > > rcu_read_lock(); > > if (unlikely(qpn <= 1)) { > > if (qpn == 0) > > qp = rcu_dereference(ibp->qp0); > > else > > qp = rcu_dereference(ibp->qp1); > > if (qp) > > atomic_inc(&qp->refcount); <-------------------------- > > } else { > > struct qib_ibdev *dev = &ppd_from_ibp(ibp)->dd->verbs_dev; > > unsigned n = qpn_hash(dev, qpn); > > > > for (qp = rcu_dereference(dev->qp_table[n]); qp; > > qp = rcu_dereference(qp->next)) > > if (qp->ibqp.qp_num == qpn) { > > atomic_inc(&qp->refcount); <--------------------- > > break; > > } > > } > > rcu_read_unlock(); > > return qp; > > } > > > > Mike > > ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: qib_lookup_qpn() appears to leak pointer out of rcu_read_unlock() 2014-02-12 14:57 ` Marciniszyn, Mike @ 2014-02-12 21:50 ` Paul E. McKenney 0 siblings, 0 replies; 5+ messages in thread From: Paul E. McKenney @ 2014-02-12 21:50 UTC (permalink / raw) To: Marciniszyn, Mike Cc: roland@kernel.org, Hefty, Sean, hal.rosenstock@gmail.com, linux-rdma@vger.kernel.org, linux-kernel@vger.kernel.org On Wed, Feb 12, 2014 at 02:57:14PM +0000, Marciniszyn, Mike wrote: > BTW, I am considering eliminating the atomic_inc() in favor of widening the scope of the rcu lock expanse. As long as the newly included code doesn't block, that should work fine. (If it does block, another option is SRCU.) Thanx, Paul > Mike > > > -----Original Message----- > > From: Paul E. McKenney [mailto:paulmck@linux.vnet.ibm.com] > > Sent: Wednesday, February 12, 2014 9:56 AM > > To: Marciniszyn, Mike > > Cc: roland@kernel.org; Hefty, Sean; hal.rosenstock@gmail.com; linux- > > rdma@vger.kernel.org; linux-kernel@vger.kernel.org > > Subject: Re: qib_lookup_qpn() appears to leak pointer out of rcu_read_unlock() > > > > On Wed, Feb 12, 2014 at 01:59:30PM +0000, Marciniszyn, Mike wrote: > > > > So what am I missing here? > > > > > > > > > > The atomic increment of a reference count: > > > > Got it, thank you, apologies for the noise! > > > > Thanx, Paul > > > > > struct qib_qp *qib_lookup_qpn(struct qib_ibport *ibp, u32 qpn) { > > > struct qib_qp *qp = NULL; > > > > > > rcu_read_lock(); > > > if (unlikely(qpn <= 1)) { > > > if (qpn == 0) > > > qp = rcu_dereference(ibp->qp0); > > > else > > > qp = rcu_dereference(ibp->qp1); > > > if (qp) > > > atomic_inc(&qp->refcount); <-------------------------- > > > } else { > > > struct qib_ibdev *dev = &ppd_from_ibp(ibp)->dd->verbs_dev; > > > unsigned n = qpn_hash(dev, qpn); > > > > > > for (qp = rcu_dereference(dev->qp_table[n]); qp; > > > qp = rcu_dereference(qp->next)) > > > if (qp->ibqp.qp_num == qpn) { > > > atomic_inc(&qp->refcount); <--------------------- > > > break; > > > } > > > } > > > rcu_read_unlock(); > > > return qp; > > > } > > > > > > Mike > > > > ^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2014-02-12 21:50 UTC | newest] Thread overview: 5+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2014-02-12 0:35 qib_lookup_qpn() appears to leak pointer out of rcu_read_unlock() Paul E. McKenney 2014-02-12 13:59 ` Marciniszyn, Mike 2014-02-12 14:55 ` Paul E. McKenney 2014-02-12 14:57 ` Marciniszyn, Mike 2014-02-12 21:50 ` Paul E. McKenney
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox