projects / platform / kernel / linux-rpi3.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 5407f53)
IB/rxe: Wait for tasklets to finish before tearing down QP
authorAndrew Boyer <andrew.boyer@dell.com>
Mon, 5 Dec 2016 13:43:20 +0000 (08:43 -0500)
committerDoug Ledford <dledford@redhat.com>
Mon, 12 Dec 2016 21:31:45 +0000 (16:31 -0500)
The system may crash when a malformed request is received and
the error is detected by the responder.

NodeA: $ ibv_rc_pingpong -g 0 -d rxe0 -i 1 -n 1 -s 50000
NodeB: $ ibv_rc_pingpong -g 0 -d rxe0 -i 1 -n 1 -s 1024 <NodeA_ip>

The responder generates a receive error on node B since the incoming
SEND is oversized. If the client tears down the QP before the responder
or the completer finish running, a page fault may occur.

The fix makes the destroy operation spin until the tasks complete, which
appears to be original intent of the design.

Signed-off-by: Andrew Boyer <andrew.boyer@dell.com>
Reviewed-by: Yuval Shaia <yuval.shaia@oracle.com>
Signed-off-by: Doug Ledford <dledford@redhat.com>
drivers/infiniband/sw/rxe/rxe_task.c patch | blob | history
drivers/infiniband/sw/rxe/rxe_task.h patch | blob | history

diff --git a/drivers/infiniband/sw/rxe/rxe_task.c b/drivers/infiniband/sw/rxe/rxe_task.c
index 1e19bf8..d2a14a1 100644 (file)
--- a/drivers/infiniband/sw/rxe/rxe_task.c
+++ b/drivers/infiniband/sw/rxe/rxe_task.c
@@ -121,6 +121,7 @@ int rxe_init_task(void *obj, struct rxe_task *task,
        task->arg       = arg;
        task->func      = func;
        snprintf(task->name, sizeof(task->name), "%s", name);
+       task->destroyed = false;
 
        tasklet_init(&task->tasklet, rxe_do_task, (unsigned long)task);
 
@@ -132,11 +133,29 @@ int rxe_init_task(void *obj, struct rxe_task *task,
 
 void rxe_cleanup_task(struct rxe_task *task)
 {
+       unsigned long flags;
+       bool idle;
+
+       /*
+        * Mark the task, then wait for it to finish. It might be
+        * running in a non-tasklet (direct call) context.
+        */
+       task->destroyed = true;
+
+       do {
+               spin_lock_irqsave(&task->state_lock, flags);
+               idle = (task->state == TASK_STATE_START);
+               spin_unlock_irqrestore(&task->state_lock, flags);
+       } while (!idle);
+
        tasklet_kill(&task->tasklet);
 }
 
 void rxe_run_task(struct rxe_task *task, int sched)
 {
+       if (task->destroyed)
+               return;
+
        if (sched)
                tasklet_schedule(&task->tasklet);
        else
diff --git a/drivers/infiniband/sw/rxe/rxe_task.h b/drivers/infiniband/sw/rxe/rxe_task.h
index d14aa6d..08ff42d 100644 (file)
--- a/drivers/infiniband/sw/rxe/rxe_task.h
+++ b/drivers/infiniband/sw/rxe/rxe_task.h
@@ -54,6 +54,7 @@ struct rxe_task {
        int                     (*func)(void *arg);
        int                     ret;
        char                    name[16];
+       bool                    destroyed;
 };
 
 /*
Domain: System / Kernel; Licenses: GPL-2.0;