From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org,
Mitko Haralanov <mitko.haralanov@intel.com>,
Mike Marciniszyn <mike.marciniszyn@intel.com>,
"Michael J. Ruhl" <michael.j.ruhl@intel.com>,
Sasha Levin <sashal@kernel.org>
Subject: [PATCH 4.9 19/61] IB/hfi1: Remove race conditions in user_sdma send path
Date: Thu, 20 Dec 2018 10:18:19 +0100 [thread overview]
Message-ID: <20181220085844.508001228@linuxfoundation.org> (raw)
In-Reply-To: <20181220085843.743900603@linuxfoundation.org>
4.9-stable review patch. If anyone has any objections, please let me know.
------------------
commit 28a9a9e83ceae2cee25b9af9ad20d53aaa9ab951 upstream
Packet queue state is over used to determine SDMA descriptor
availablitity and packet queue request state.
cpu 0 ret = user_sdma_send_pkts(req, pcount);
cpu 0 if (atomic_read(&pq->n_reqs))
cpu 1 IRQ user_sdma_txreq_cb calls pq_update() (state to _INACTIVE)
cpu 0 xchg(&pq->state, SDMA_PKT_Q_ACTIVE);
At this point pq->n_reqs == 0 and pq->state is incorrectly
SDMA_PKT_Q_ACTIVE. The close path will hang waiting for the state
to return to _INACTIVE.
This can also change the state from _DEFERRED to _ACTIVE. However,
this is a mostly benign race.
Remove the racy code path.
Use n_reqs to determine if a packet queue is active or not.
Cc: <stable@vger.kernel.org> # 4.9.0
Reviewed-by: Mitko Haralanov <mitko.haralanov@intel.com>
Reviewed-by: Mike Marciniszyn <mike.marciniszyn@intel.com>
Signed-off-by: Michael J. Ruhl <michael.j.ruhl@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/infiniband/hw/hfi1/user_sdma.c | 28 +++++++++-----------------
drivers/infiniband/hw/hfi1/user_sdma.h | 7 ++++++-
2 files changed, 16 insertions(+), 19 deletions(-)
diff --git a/drivers/infiniband/hw/hfi1/user_sdma.c b/drivers/infiniband/hw/hfi1/user_sdma.c
index 619475c7d761..4c111162d552 100644
--- a/drivers/infiniband/hw/hfi1/user_sdma.c
+++ b/drivers/infiniband/hw/hfi1/user_sdma.c
@@ -151,10 +151,6 @@ MODULE_PARM_DESC(sdma_comp_size, "Size of User SDMA completion ring. Default: 12
#define SDMA_REQ_HAVE_AHG 1
#define SDMA_REQ_HAS_ERROR 2
-#define SDMA_PKT_Q_INACTIVE BIT(0)
-#define SDMA_PKT_Q_ACTIVE BIT(1)
-#define SDMA_PKT_Q_DEFERRED BIT(2)
-
/*
* Maximum retry attempts to submit a TX request
* before putting the process to sleep.
@@ -408,7 +404,6 @@ int hfi1_user_sdma_alloc_queues(struct hfi1_ctxtdata *uctxt, struct file *fp)
pq->ctxt = uctxt->ctxt;
pq->subctxt = fd->subctxt;
pq->n_max_reqs = hfi1_sdma_comp_ring_size;
- pq->state = SDMA_PKT_Q_INACTIVE;
atomic_set(&pq->n_reqs, 0);
init_waitqueue_head(&pq->wait);
atomic_set(&pq->n_locked, 0);
@@ -491,7 +486,7 @@ int hfi1_user_sdma_free_queues(struct hfi1_filedata *fd)
/* Wait until all requests have been freed. */
wait_event_interruptible(
pq->wait,
- (ACCESS_ONCE(pq->state) == SDMA_PKT_Q_INACTIVE));
+ !atomic_read(&pq->n_reqs));
kfree(pq->reqs);
kfree(pq->req_in_use);
kmem_cache_destroy(pq->txreq_cache);
@@ -527,6 +522,13 @@ static u8 dlid_to_selector(u16 dlid)
return mapping[hash];
}
+/**
+ * hfi1_user_sdma_process_request() - Process and start a user sdma request
+ * @fp: valid file pointer
+ * @iovec: array of io vectors to process
+ * @dim: overall iovec array size
+ * @count: number of io vector array entries processed
+ */
int hfi1_user_sdma_process_request(struct file *fp, struct iovec *iovec,
unsigned long dim, unsigned long *count)
{
@@ -768,20 +770,12 @@ int hfi1_user_sdma_process_request(struct file *fp, struct iovec *iovec,
}
set_comp_state(pq, cq, info.comp_idx, QUEUED, 0);
+ pq->state = SDMA_PKT_Q_ACTIVE;
/* Send the first N packets in the request to buy us some time */
ret = user_sdma_send_pkts(req, pcount);
if (unlikely(ret < 0 && ret != -EBUSY))
goto free_req;
- /*
- * It is possible that the SDMA engine would have processed all the
- * submitted packets by the time we get here. Therefore, only set
- * packet queue state to ACTIVE if there are still uncompleted
- * requests.
- */
- if (atomic_read(&pq->n_reqs))
- xchg(&pq->state, SDMA_PKT_Q_ACTIVE);
-
/*
* This is a somewhat blocking send implementation.
* The driver will block the caller until all packets of the
@@ -1526,10 +1520,8 @@ static void user_sdma_txreq_cb(struct sdma_txreq *txreq, int status)
static inline void pq_update(struct hfi1_user_sdma_pkt_q *pq)
{
- if (atomic_dec_and_test(&pq->n_reqs)) {
- xchg(&pq->state, SDMA_PKT_Q_INACTIVE);
+ if (atomic_dec_and_test(&pq->n_reqs))
wake_up(&pq->wait);
- }
}
static void user_sdma_free_request(struct user_sdma_request *req, bool unpin)
diff --git a/drivers/infiniband/hw/hfi1/user_sdma.h b/drivers/infiniband/hw/hfi1/user_sdma.h
index 39001714f551..09dd843a13de 100644
--- a/drivers/infiniband/hw/hfi1/user_sdma.h
+++ b/drivers/infiniband/hw/hfi1/user_sdma.h
@@ -53,6 +53,11 @@
extern uint extended_psn;
+enum pkt_q_sdma_state {
+ SDMA_PKT_Q_ACTIVE,
+ SDMA_PKT_Q_DEFERRED,
+};
+
struct hfi1_user_sdma_pkt_q {
struct list_head list;
unsigned ctxt;
@@ -65,7 +70,7 @@ struct hfi1_user_sdma_pkt_q {
struct user_sdma_request *reqs;
unsigned long *req_in_use;
struct iowait busy;
- unsigned state;
+ enum pkt_q_sdma_state state;
wait_queue_head_t wait;
unsigned long unpinned;
struct mmu_rb_handler *handler;
--
2.19.1
next prev parent reply other threads:[~2018-12-20 9:18 UTC|newest]
Thread overview: 66+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-12-20 9:18 [PATCH 4.9 00/61] 4.9.147-stable review Greg Kroah-Hartman
2018-12-20 9:18 ` [PATCH 4.9 01/61] signal: Introduce COMPAT_SIGMINSTKSZ for use in compat_sys_sigaltstack Greg Kroah-Hartman
2018-12-20 9:18 ` [PATCH 4.9 02/61] lib/interval_tree_test.c: make test options module parameters Greg Kroah-Hartman
2018-12-20 9:18 ` [PATCH 4.9 03/61] lib/interval_tree_test.c: allow full tree search Greg Kroah-Hartman
2018-12-20 9:18 ` [PATCH 4.9 04/61] lib/rbtree_test.c: make input module parameters Greg Kroah-Hartman
2018-12-20 9:18 ` [PATCH 4.9 05/61] lib/rbtree-test: lower default params Greg Kroah-Hartman
2018-12-20 9:18 ` [PATCH 4.9 06/61] lib/interval_tree_test.c: allow users to limit scope of endpoint Greg Kroah-Hartman
2018-12-20 9:18 ` [PATCH 4.9 07/61] timer/debug: Change /proc/timer_list from 0444 to 0400 Greg Kroah-Hartman
2018-12-20 9:18 ` [PATCH 4.9 08/61] pinctrl: sunxi: a83t: Fix IRQ offset typo for PH11 Greg Kroah-Hartman
2018-12-20 9:18 ` [PATCH 4.9 09/61] aio: fix spectre gadget in lookup_ioctx Greg Kroah-Hartman
2018-12-20 9:18 ` [PATCH 4.9 10/61] MMC: OMAP: fix broken MMC on OMAP15XX/OMAP5910/OMAP310 Greg Kroah-Hartman
2018-12-20 9:18 ` [PATCH 4.9 11/61] ARM: mmp/mmp2: fix cpu_is_mmp2() on mmp2-dt Greg Kroah-Hartman
2018-12-20 9:18 ` [PATCH 4.9 12/61] tracing: Fix memory leak in set_trigger_filter() Greg Kroah-Hartman
2018-12-20 9:18 ` [PATCH 4.9 13/61] tracing: Fix memory leak of instance function hash filters Greg Kroah-Hartman
2018-12-20 9:18 ` [PATCH 4.9 14/61] powerpc/msi: Fix NULL pointer access in teardown code Greg Kroah-Hartman
2018-12-20 9:18 ` [PATCH 4.9 15/61] Revert "drm/rockchip: Allow driver to be shutdown on reboot/kexec" Greg Kroah-Hartman
2018-12-20 9:18 ` [PATCH 4.9 16/61] drm/i915/execlists: Apply a full mb before execution for Braswell Greg Kroah-Hartman
2018-12-20 9:18 ` [PATCH 4.9 17/61] mac80211: dont WARN on bad WMM parameters from buggy APs Greg Kroah-Hartman
2018-12-20 9:18 ` [PATCH 4.9 18/61] mac80211: Fix condition validating WMM IE Greg Kroah-Hartman
2018-12-20 9:18 ` Greg Kroah-Hartman [this message]
2018-12-20 9:18 ` [PATCH 4.9 20/61] locking: Remove smp_read_barrier_depends() from queued_spin_lock_slowpath() Greg Kroah-Hartman
2018-12-20 9:18 ` [PATCH 4.9 21/61] locking/qspinlock: Ensure node is initialised before updating prev->next Greg Kroah-Hartman
2018-12-20 9:18 ` [PATCH 4.9 22/61] locking/qspinlock: Bound spinning on pending->locked transition in slowpath Greg Kroah-Hartman
2018-12-20 9:18 ` [PATCH 4.9 23/61] locking/qspinlock: Merge struct __qspinlock into struct qspinlock Greg Kroah-Hartman
2018-12-20 9:18 ` [PATCH 4.9 24/61] locking/qspinlock: Remove unbounded cmpxchg() loop from locking slowpath Greg Kroah-Hartman
2018-12-20 9:18 ` [PATCH 4.9 25/61] locking/qspinlock: Remove duplicate clear_pending() function from PV code Greg Kroah-Hartman
2018-12-20 9:18 ` [PATCH 4.9 26/61] locking/qspinlock: Kill cmpxchg() loop when claiming lock from head of queue Greg Kroah-Hartman
2018-12-20 9:18 ` [PATCH 4.9 27/61] locking/qspinlock: Re-order code Greg Kroah-Hartman
2018-12-20 9:18 ` [PATCH 4.9 28/61] locking/qspinlock/x86: Increase _Q_PENDING_LOOPS upper bound Greg Kroah-Hartman
2018-12-20 9:18 ` [PATCH 4.9 29/61] locking/qspinlock, x86: Provide liveness guarantee Greg Kroah-Hartman
2018-12-20 9:18 ` [PATCH 4.9 30/61] locking/qspinlock: Fix build for anonymous union in older GCC compilers Greg Kroah-Hartman
2018-12-20 9:18 ` [PATCH 4.9 31/61] mac80211_hwsim: fix module init error paths for netlink Greg Kroah-Hartman
2018-12-20 9:18 ` [PATCH 4.9 32/61] scsi: libiscsi: Fix NULL pointer dereference in iscsi_eh_session_reset Greg Kroah-Hartman
2018-12-20 9:18 ` [PATCH 4.9 33/61] scsi: vmw_pscsi: Rearrange code to avoid multiple calls to free_irq during unload Greg Kroah-Hartman
2018-12-20 9:18 ` [PATCH 4.9 34/61] x86/earlyprintk/efi: Fix infinite loop on some screen widths Greg Kroah-Hartman
2018-12-20 9:18 ` [PATCH 4.9 35/61] drm/msm: Grab a vblank reference when waiting for commit_done Greg Kroah-Hartman
2018-12-20 9:18 ` [PATCH 4.9 36/61] ARC: io.h: Implement reads{x}()/writes{x}() Greg Kroah-Hartman
2018-12-20 9:18 ` [PATCH 4.9 37/61] bonding: fix 802.3ad state sent to partner when unbinding slave Greg Kroah-Hartman
2018-12-20 9:18 ` [PATCH 4.9 38/61] nfs: dont dirty kernel pages read by direct-io Greg Kroah-Hartman
2018-12-20 9:18 ` [PATCH 4.9 39/61] SUNRPC: Fix a potential race in xprt_connect() Greg Kroah-Hartman
2018-12-20 9:18 ` [PATCH 4.9 40/61] sbus: char: add of_node_put() Greg Kroah-Hartman
2018-12-20 9:18 ` [PATCH 4.9 41/61] drivers/sbus/char: " Greg Kroah-Hartman
2018-12-20 9:18 ` [PATCH 4.9 42/61] drivers/tty: add missing of_node_put() Greg Kroah-Hartman
2018-12-20 9:18 ` [PATCH 4.9 43/61] ide: pmac: add of_node_put() Greg Kroah-Hartman
2018-12-20 9:18 ` [PATCH 4.9 44/61] clk: mvebu: Off by one bugs in cp110_of_clk_get() Greg Kroah-Hartman
2018-12-20 9:18 ` [PATCH 4.9 45/61] clk: mmp: Off by one in mmp_clk_add() Greg Kroah-Hartman
2018-12-20 9:18 ` [PATCH 4.9 46/61] Input: omap-keypad - fix keyboard debounce configuration Greg Kroah-Hartman
2018-12-20 9:18 ` [PATCH 4.9 47/61] libata: whitelist all SAMSUNG MZ7KM* solid-state disks Greg Kroah-Hartman
2018-12-20 9:18 ` [PATCH 4.9 48/61] mv88e6060: disable hardware level MAC learning Greg Kroah-Hartman
2018-12-20 9:18 ` [PATCH 4.9 49/61] net/mlx4_en: Fix build break when CONFIG_INET is off Greg Kroah-Hartman
2018-12-20 9:18 ` [PATCH 4.9 50/61] bpf: check pending signals while verifying programs Greg Kroah-Hartman
2018-12-20 9:18 ` [PATCH 4.9 51/61] ARM: 8814/1: mm: improve/fix ARM v7_dma_inv_range() unaligned address handling Greg Kroah-Hartman
2018-12-20 9:18 ` [PATCH 4.9 52/61] ARM: 8815/1: V7M: align v7m_dma_inv_range() with v7 counterpart Greg Kroah-Hartman
2018-12-20 9:18 ` [PATCH 4.9 53/61] ethernet: fman: fix wrong of_node_put() in probe function Greg Kroah-Hartman
2018-12-20 9:18 ` [PATCH 4.9 54/61] drm/ast: Fix connector leak during driver unload Greg Kroah-Hartman
2018-12-20 9:18 ` [PATCH 4.9 55/61] cifs: In Kconfig CONFIG_CIFS_POSIX needs depends on legacy (insecure cifs) Greg Kroah-Hartman
2018-12-20 9:18 ` [PATCH 4.9 56/61] vhost/vsock: fix reset orphans race with close timeout Greg Kroah-Hartman
2018-12-20 9:18 ` [PATCH 4.9 57/61] i2c: axxia: properly handle master timeout Greg Kroah-Hartman
2018-12-20 9:18 ` [PATCH 4.9 58/61] i2c: scmi: Fix probe error on devices with an empty SMB0001 ACPI device node Greg Kroah-Hartman
2018-12-20 9:18 ` [PATCH 4.9 59/61] nvmet-rdma: fix response use after free Greg Kroah-Hartman
2018-12-20 9:19 ` [PATCH 4.9 60/61] rtc: snvs: add a missing write sync Greg Kroah-Hartman
2018-12-20 9:19 ` [PATCH 4.9 61/61] rtc: snvs: Add timeouts to avoid kernel lockups Greg Kroah-Hartman
2018-12-20 15:00 ` [PATCH 4.9 00/61] 4.9.147-stable review Naresh Kamboju
2018-12-20 18:28 ` Guenter Roeck
2018-12-20 22:55 ` shuah
2018-12-21 9:25 ` Jon Hunter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20181220085844.508001228@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=michael.j.ruhl@intel.com \
--cc=mike.marciniszyn@intel.com \
--cc=mitko.haralanov@intel.com \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).