Message ID | 1480343844-8381-2-git-send-email-andrew.boyer@dell.com (mailing list archive) |
---|---|
State | Superseded |
On Mon, Nov 28, 2016 at 09:37:23AM -0500, Andrew Boyer wrote: > The system may crash when a malformed request is received and > the error is detected by the responder. > > NodeA: $ ibv_rc_pingpong -g 0 -d rxe0 -i 1 -n 1 -s 50000 > NodeB: $ ibv_rc_pingpong -g 0 -d rxe0 -i 1 -n 1 -s 1024 <NodeA_ip> > > The responder generates a receive error on node B since the incoming > SEND is oversized. If the client tears down the QP before the responder > or the completer finish running, a page fault may occur. > > The fix makes the destroy operation spin until the tasks complete, which > appears to be original intent of the design. > > Signed-off-by: Andrew Boyer <andrew.boyer@dell.com> > --- > drivers/infiniband/sw/rxe/rxe_task.c | 19 +++++++++++++++++++ > drivers/infiniband/sw/rxe/rxe_task.h | 1 + > 2 files changed, 20 insertions(+) > > diff --git a/drivers/infiniband/sw/rxe/rxe_task.c b/drivers/infiniband/sw/rxe/rxe_task.c > index 1e19bf8..1e9a28f 100644 > --- a/drivers/infiniband/sw/rxe/rxe_task.c > +++ b/drivers/infiniband/sw/rxe/rxe_task.c > @@ -121,6 +121,7 @@ int rxe_init_task(void *obj, struct rxe_task *task, > task->arg = arg; > task->func = func; > snprintf(task->name, sizeof(task->name), "%s", name); > + task->destroyed = false; > > tasklet_init(&task->tasklet, rxe_do_task, (unsigned long)task); 
> > @@ -132,11 +133,29 @@ int rxe_init_task(void *obj, struct rxe_task *task, > > void rxe_cleanup_task(struct rxe_task *task) > { > + unsigned long flags; > + bool idle = false; The above initialization is not needed Besides that: Reviewed-by: Yuval Shaia <yuval.shaia@oracle.com> > + > + /* > + * Mark the task, then wait for it to finish. It might be > + * running in a non-tasklet (direct call) context. > + */ > + task->destroyed = true; > + > + do { > + spin_lock_irqsave(&task->state_lock, flags); > + idle = (task->state == TASK_STATE_START); > + spin_unlock_irqrestore(&task->state_lock, flags); > + } while (!idle); > + > tasklet_kill(&task->tasklet); > } > > void rxe_run_task(struct rxe_task *task, int sched) > { > + if (task->destroyed) > + return; > + > if (sched) > tasklet_schedule(&task->tasklet); > else > diff --git a/drivers/infiniband/sw/rxe/rxe_task.h b/drivers/infiniband/sw/rxe/rxe_task.h > index d14aa6d..08ff42d 100644 > --- a/drivers/infiniband/sw/rxe/rxe_task.h > +++ b/drivers/infiniband/sw/rxe/rxe_task.h > @@ -54,6 +54,7 @@ struct rxe_task { > int (*func)(void *arg); > int ret; > char name[16]; > + bool destroyed; > }; > > /* > -- > 1.8.3.1
diff --git a/drivers/infiniband/sw/rxe/rxe_task.c b/drivers/infiniband/sw/rxe/rxe_task.c index 1e19bf8..1e9a28f 100644 --- a/drivers/infiniband/sw/rxe/rxe_task.c +++ b/drivers/infiniband/sw/rxe/rxe_task.c @@ -121,6 +121,7 @@ int rxe_init_task(void *obj, struct rxe_task *task, task->arg = arg; task->func = func; snprintf(task->name, sizeof(task->name), "%s", name); + task->destroyed = false; tasklet_init(&task->tasklet, rxe_do_task, (unsigned long)task); @@ -132,11 +133,29 @@ int rxe_init_task(void *obj, struct rxe_task *task, void rxe_cleanup_task(struct rxe_task *task) { + unsigned long flags; + bool idle = false; + + /* + * Mark the task, then wait for it to finish. It might be + * running in a non-tasklet (direct call) context. + */ + task->destroyed = true; + + do { + spin_lock_irqsave(&task->state_lock, flags); + idle = (task->state == TASK_STATE_START); + spin_unlock_irqrestore(&task->state_lock, flags); + } while (!idle); + tasklet_kill(&task->tasklet); } void rxe_run_task(struct rxe_task *task, int sched) { + if (task->destroyed) + return; + if (sched) tasklet_schedule(&task->tasklet); else diff --git a/drivers/infiniband/sw/rxe/rxe_task.h b/drivers/infiniband/sw/rxe/rxe_task.h index d14aa6d..08ff42d 100644 --- a/drivers/infiniband/sw/rxe/rxe_task.h +++ b/drivers/infiniband/sw/rxe/rxe_task.h @@ -54,6 +54,7 @@ struct rxe_task { int (*func)(void *arg); int ret; char name[16]; + bool destroyed; }; /*
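Review bot: In the second rxe_task.c hunk, task->destroyed is written in rxe_cleanup_task() and tested in rxe_run_task() without state_lock or any ordering, so a caller that passes `if (task->destroyed)` just before the flag is set can still start the task after the wait loop has already observed TASK_STATE_START. On the else (direct call) branch tasklet_kill() does not cover that run, so the teardown window described in the commit message is narrowed rather than closed. Consider setting and testing the flag under state_lock, or at least using WRITE_ONCE()/READ_ONCE() with a re-check after the state transition. The `do { ... } while (!idle);` loop also re-takes state_lock in a tight cycle with no cpu_relax() and no bound; a cpu_relax() between iterations would be appropriate for a spin of unknown length. As already noted in the reply, `bool idle = false;` needs no initializer because the do/while assigns it before it is tested.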
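Review bot: In the rxe_task.h hunk, the new `bool destroyed;` member of struct rxe_task carries no comment on who writes it or what protects it. From the .c changes it is cleared once in rxe_init_task(), set once in rxe_cleanup_task() and read lock-free in rxe_run_task(); a one-line comment stating that it is set only at teardown, never cleared afterwards, and which lock (if any) callers must hold would make the intended lifetime rule clear to the next reader.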
The system may crash when a malformed request is received and the error is detected by the responder.

NodeA: $ ibv_rc_pingpong -g 0 -d rxe0 -i 1 -n 1 -s 50000
NodeB: $ ibv_rc_pingpong -g 0 -d rxe0 -i 1 -n 1 -s 1024 <NodeA_ip>

The responder generates a receive error on node B since the incoming SEND is oversized. If the client tears down the QP before the responder or the completer finish running, a page fault may occur.

The fix makes the destroy operation spin until the tasks complete, which appears to be the original intent of the design.

Signed-off-by: Andrew Boyer <andrew.boyer@dell.com>

---
drivers/infiniband/sw/rxe/rxe_task.c | 19 +++++++++++++++++++
drivers/infiniband/sw/rxe/rxe_task.h | 1 +
2 files changed, 20 insertions(+)