
[for-next,V4,1/5] IB/uverbs: Fix reference counting usage of event files

Message ID 1434027414-711-2-git-send-email-yishaih@mellanox.com (mailing list archive)
State Superseded

Commit Message

Yishai Hadas June 11, 2015, 12:56 p.m. UTC
Fix the reference counting usage to be handled in the event file
creation/destruction function, instead of being done by the caller.
This is done for both async/non-async event files.

Based on Jason Gunthorpe's report at https://www.mail-archive.com/
linux-rdma@vger.kernel.org/msg24680.html:
"The existing code for this is broken, in ib_uverbs_get_context all
the error paths between ib_uverbs_alloc_event_file and the
kref_get(file->ref) are wrong - this will result in fput() which will
call ib_uverbs_event_close, which will try to do kref_put and
ib_unregister_event_handler - which are no longer paired."

Signed-off-by: Yishai Hadas <yishaih@mellanox.com>
Signed-off-by: Shachar Raindel <raindel@mellanox.com>
---
 drivers/infiniband/core/uverbs_cmd.c  |    9 ---------
 drivers/infiniband/core/uverbs_main.c |   26 ++++++++++++++++++++++----
 2 files changed, 22 insertions(+), 13 deletions(-)

Comments

Jason Gunthorpe June 11, 2015, 5:08 p.m. UTC | #1
On Thu, Jun 11, 2015 at 03:56:50PM +0300, Yishai Hadas wrote:
>  
> -	file->async_file = filp->private_data;
> -
> -	INIT_IB_EVENT_HANDLER(&file->event_handler, file->device->ib_dev,
> -			      ib_uverbs_event_handler);
> -	ret = ib_register_event_handler(&file->event_handler);
> -	if (ret)
> -		goto err_file;
> -
>  	kref_get(&file->async_file->ref);

This kref_get should be placed next to the assignment:

> +	if (is_async) {
> +		uverbs_file->async_file = ev_file;

Here

Also, I'd say it should really be:

	if (is_async) {
	        BUG_ON(uverbs_file->async_file);
		uverbs_file->async_file = ev_file;
		kref_get(&uverbs_file->async_file->ref);

and can you prove the BUG_ON never hits?

It looks to me like a little more error unwind is necessary to
guarantee that. ie ib_uverbs_get_context uses ucontext to create that
invariant, but it sets ucontext last, so async file must be left null
if ib_uverbs_alloc_event_file fails.

Otherwise it looks OK to me.

Jason

Patch

diff --git a/drivers/infiniband/core/uverbs_cmd.c b/drivers/infiniband/core/uverbs_cmd.c
index a9f0489..0bbab72 100644
--- a/drivers/infiniband/core/uverbs_cmd.c
+++ b/drivers/infiniband/core/uverbs_cmd.c
@@ -367,16 +367,7 @@  ssize_t ib_uverbs_get_context(struct ib_uverbs_file *file,
 		goto err_file;
 	}
 
-	file->async_file = filp->private_data;
-
-	INIT_IB_EVENT_HANDLER(&file->event_handler, file->device->ib_dev,
-			      ib_uverbs_event_handler);
-	ret = ib_register_event_handler(&file->event_handler);
-	if (ret)
-		goto err_file;
-
 	kref_get(&file->async_file->ref);
-	kref_get(&file->ref);
 	file->ucontext = ucontext;
 
 	fd_install(resp.async_fd, filp);
diff --git a/drivers/infiniband/core/uverbs_main.c b/drivers/infiniband/core/uverbs_main.c
index 88cce9b..882d24d 100644
--- a/drivers/infiniband/core/uverbs_main.c
+++ b/drivers/infiniband/core/uverbs_main.c
@@ -405,10 +405,9 @@  static int ib_uverbs_event_close(struct inode *inode, struct file *filp)
 	}
 	spin_unlock_irq(&file->lock);
 
-	if (file->is_async) {
+	if (file->is_async)
 		ib_unregister_event_handler(&file->uverbs_file->event_handler);
-		kref_put(&file->uverbs_file->ref, ib_uverbs_release_file);
-	}
+	kref_put(&file->uverbs_file->ref, ib_uverbs_release_file);
 	kref_put(&file->ref, ib_uverbs_release_event_file);
 
 	return 0;
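Review bot: The now-unconditional `kref_put(&file->uverbs_file->ref, ib_uverbs_release_file);` has no matching get visible in this function, so the pairing should be stated in a comment, e.g. `/* pairs with kref_get(&uverbs_file->ref) in ib_uverbs_alloc_event_file() */`. Every event file that reaches this release must therefore have taken that reference first, and the error path in the ib_uverbs_alloc_event_file hunk is worth checking against that rule. The function body starts outside the hunk.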
@@ -545,6 +544,7 @@  struct file *ib_uverbs_alloc_event_file(struct ib_uverbs_file *uverbs_file,
 {
 	struct ib_uverbs_event_file *ev_file;
 	struct file *filp;
+	int ret;
 
 	ev_file = kmalloc(sizeof *ev_file, GFP_KERNEL);
 	if (!ev_file)
@@ -562,8 +562,26 @@  struct file *ib_uverbs_alloc_event_file(struct ib_uverbs_file *uverbs_file,
 	filp = anon_inode_getfile("[infinibandevent]", &uverbs_event_fops,
 				  ev_file, O_RDONLY);
 	if (IS_ERR(filp))
-		kfree(ev_file);
+		goto err;
 
+	if (is_async) {
+		uverbs_file->async_file = ev_file;
+		INIT_IB_EVENT_HANDLER(&uverbs_file->event_handler,
+				      uverbs_file->device->ib_dev,
+				      ib_uverbs_event_handler);
+		ret = ib_register_event_handler(&uverbs_file->event_handler);
+		if (ret)
+			goto put_file;
+	}
+
+	kref_get(&uverbs_file->ref);
+	return filp;
+
+put_file:
+	fput(filp);
+	filp = ERR_PTR(ret);
+err:
+	kfree(ev_file);
 	return filp;
 }
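Review bot: The `put_file:` path calls `fput(filp)` and then falls through to `kfree(ev_file)`, but `filp` was created with `ev_file` as its private data, so the file's release (ib_uverbs_event_close, per the commit message) also drops `ev_file->ref` and, with this patch, unconditionally puts `uverbs_file->ref`. That looks like a double free or use-after-free of `ev_file` plus an unbalanced put, because `kref_get(&uverbs_file->ref)` has not run yet on this path. It may also reach `ib_unregister_event_handler()` for a handler whose registration just failed, if `is_async` is already set on `ev_file` in the part of the function outside the hunk. I would take the reference before anything that can end in `fput()` by moving `kref_get(&uverbs_file->ref);` above `if (is_async) {`, and end the label with `fput(filp); return ERR_PTR(ret);` so that only the release path frees `ev_file`. The failed-registration case still needs the close path to skip the unregister, which cannot be settled from these lines.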