349d43127d
A crash occurs when smc_cdc_tx_handler() tries to access smc_sock
but smc_release() has already freed it.
[ 4570.695099] BUG: unable to handle page fault for address: 000000002eae9e88
[ 4570.696048] #PF: supervisor write access in kernel mode
[ 4570.696728] #PF: error_code(0x0002) - not-present page
[ 4570.697401] PGD 0 P4D 0
[ 4570.697716] Oops: 0002 [#1] PREEMPT SMP NOPTI
[ 4570.698228] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.16.0-rc4+ #111
[ 4570.699013] Hardware name: Alibaba Cloud Alibaba Cloud ECS, BIOS 8c24b4c 04/0
[ 4570.699933] RIP: 0010:_raw_spin_lock+0x1a/0x30
<...>
[ 4570.711446] Call Trace:
[ 4570.711746] <IRQ>
[ 4570.711992] smc_cdc_tx_handler+0x41/0xc0
[ 4570.712470] smc_wr_tx_tasklet_fn+0x213/0x560
[ 4570.712981] ? smc_cdc_tx_dismisser+0x10/0x10
[ 4570.713489] tasklet_action_common.isra.17+0x66/0x140
[ 4570.714083] __do_softirq+0x123/0x2f4
[ 4570.714521] irq_exit_rcu+0xc4/0xf0
[ 4570.714934] common_interrupt+0xba/0xe0
Although smc_cdc_tx_handler() checks that the smc connection still exists,
smc_release() may already have dismissed the pending CDC slots and released
the smc socket by the time smc_cdc_tx_handler() dereferences it again.
smc_cdc_tx_handler()           |smc_release()
if (!conn)                     |
                               |
                               |smc_cdc_tx_dismiss_slots()
                               |      smc_cdc_tx_dismisser()
                               |
                               |sock_put(&smc->sk) <- last sock_put,
                               |                      smc_sock freed
bh_lock_sock(&smc->sk) (panic) |
To make sure we won't receive any CDC messages after we free the
smc_sock, add a refcount on the smc_connection for in-flight CDC
messages (posted to the QP but whose CQE has not been received yet), and
don't release the smc_connection until all the in-flight CDC messages
have completed, whether successfully or with an error.
Using a refcount on CDC messages brings another problem: when the link
is going to be destroyed, smcr_link_clear() resets the QP, which
then removes all the pending CQEs related to the QP from the CQ. To make
sure all the CQEs always come back, so that the refcount on the
smc_connection can always reach 0, smc_ib_modify_qp_reset() was replaced
by smc_ib_modify_qp_error().
Also remove the timeout in smc_wr_tx_wait_no_pending_sends(), since we
need to wait for all pending WQEs to complete; otherwise we may hit a
use-after-free when handling their CQEs.
For the IB device removal routine, we need to wait for all the QPs on that
device to be destroyed before we can destroy the CQs on the device, or
the refcount on the smc_connection won't reach 0 and the smc_sock cannot be
released.
Fixes: 5f08318f61
("smc: connection data control (CDC)")
Reported-by: Wen Gu <guwen@linux.alibaba.com>
Signed-off-by: Dust Li <dust.li@linux.alibaba.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
/* SPDX-License-Identifier: GPL-2.0 */
/*
* Shared Memory Communications over RDMA (SMC-R) and RoCE
*
* Work Requests exploiting Infiniband API
*
* Copyright IBM Corp. 2016
*
* Author(s): Steffen Maier <maier@linux.vnet.ibm.com>
*/
#ifndef SMC_WR_H
#define SMC_WR_H
#include <linux/atomic.h>
#include <rdma/ib_verbs.h>
#include <asm/div64.h>
#include "smc.h"
#include "smc_core.h"
#define SMC_WR_BUF_CNT 16 /* # of ctrl buffers per link */

/* Upper bound (in jiffies) on waiting for a free send slot; presumably
 * consumed by smc_wr_tx_get_free_slot() in smc_wr.c, which is not visible
 * in this header.
 */
#define SMC_WR_TX_WAIT_FREE_SLOT_TIME (10 * HZ)

/* SMC_WR_BUF_SIZE referenced below is defined outside this header. */
#define SMC_WR_TX_SIZE 44 /* actual size of wr_send data (<=SMC_WR_BUF_SIZE) */

/* Bytes of opaque per-send context handed to the tx callbacks; it sizes
 * struct smc_wr_tx_pend_priv::priv.
 */
#define SMC_WR_TX_PEND_PRIV_SIZE 32
/* Opaque per-pending-send private area.
 *
 * A pointer to this is what the smc_wr_tx_handler / smc_wr_tx_filter /
 * smc_wr_tx_dismisser callbacks receive; the WR layer itself only reserves
 * the SMC_WR_TX_PEND_PRIV_SIZE bytes, the user (CDC/LLC) decides the layout.
 */
struct smc_wr_tx_pend_priv {
	u8 priv[SMC_WR_TX_PEND_PRIV_SIZE];
};
/* Completion callback for a pending send: receives the slot's private area,
 * the link it was posted on, and the IB completion status. The trace in the
 * commit description shows these running from smc_wr_tx_tasklet_fn() in
 * softirq context, so a handler must not sleep and must not touch the object
 * owning the slot (e.g. the smc_sock) unless a reference keeps it alive —
 * the missing reference is the use-after-free this commit fixes.
 */
typedef void (*smc_wr_tx_handler)(struct smc_wr_tx_pend_priv *,
				  struct smc_link *,
				  enum ib_wc_status);

/* Predicate over a pending send; the unsigned long is presumably the @data
 * argument forwarded by smc_wr_tx_dismiss_slots() (declared below).
 */
typedef bool (*smc_wr_tx_filter)(struct smc_wr_tx_pend_priv *,
				 unsigned long);

/* Called for a pending send that is being dismissed rather than completed. */
typedef void (*smc_wr_tx_dismisser)(struct smc_wr_tx_pend_priv *);
/* Receive-side dispatch entry, registered via smc_wr_rx_register_handler().
 *
 * @list:    hash-chain linkage; the hash is keyed by @type (collisions are
 *           resolved by walking the chain)
 * @handler: invoked with the receive completion and a caller-defined context
 * @type:    the message type this handler accepts
 */
struct smc_wr_rx_handler {
	struct hlist_node list; /* hash table collision resolution */
	void (*handler)(struct ib_wc *, void *);
	u8 type;
};
/* Only used by RDMA write WRs.
 * All other WRs (CDC/LLC) go through smc_wr_tx_send(), which assigns the
 * WR_ID implicitly.
 */
/* Allocate the next send WR id on @link.
 *
 * The id is taken from the per-link atomic counter @link->wr_tx_id, so
 * concurrent callers each get a distinct value; the counter is only ever
 * advanced here (and reset through smc_wr_tx_set_wr_id()).
 *
 * Returns the freshly incremented id.
 */
static inline long smc_wr_tx_get_next_wr_id(struct smc_link *link)
{
	long next_id = atomic_long_inc_return(&link->wr_tx_id);

	return next_id;
}
/* Overwrite the atomic WR id counter pointed to by @wr_tx_id with @val.
 *
 * This is a plain store, not a compare-and-swap: any id handed out by
 * smc_wr_tx_get_next_wr_id() between the caller's read and this store is
 * silently superseded, so callers (not visible here) must ensure no sends
 * are being allocated concurrently when they reset the counter.
 */
static inline void smc_wr_tx_set_wr_id(atomic_long_t *wr_tx_id, long val)
{
	atomic_long_set(wr_tx_id, val);
}
/* Take a send reference on @link.
 *
 * Returns true and bumps @link->wr_tx_refcnt when the link is sendable;
 * returns false without touching the counter otherwise. Every true return
 * must be balanced by smc_wr_tx_link_put().
 *
 * NOTE(review): the sendable check and the increment are two separate steps,
 * so a link may stop being sendable in between. Teardown therefore cannot rely
 * on the check alone and still has to drain wr_tx_refcnt — presumably what
 * smc_wr_tx_wait_no_pending_sends() (declared below) is for; confirm in
 * smc_wr.c.
 */
static inline bool smc_wr_tx_link_hold(struct smc_link *link)
{
	bool sendable = smc_link_sendable(link);

	if (sendable)
		atomic_inc(&link->wr_tx_refcnt);
	return sendable;
}
/* Drop a send reference taken by smc_wr_tx_link_hold().
 *
 * When this was the last reference, every waiter on @link->wr_tx_wait is
 * woken so that a teardown path blocked until no sends remain can proceed.
 * Must not be called without a matching successful hold, otherwise the
 * counter underflows.
 */
static inline void smc_wr_tx_link_put(struct smc_link *link)
{
	bool was_last = atomic_dec_and_test(&link->wr_tx_refcnt);

	if (!was_last)
		return;
	/* counter reached zero: release everyone blocked on wr_tx_wait */
	wake_up_all(&link->wr_tx_wait);
}
/* Wake all waiters on @lnk->wr_tx_wait unconditionally.
 *
 * Unlike smc_wr_tx_link_put(), this does not touch wr_tx_refcnt; waiters are
 * expected to re-check their own condition after waking.
 */
static inline void smc_wr_wakeup_tx_wait(struct smc_link *lnk)
{
	wake_up_all(&lnk->wr_tx_wait);
}
/* Wake a single waiter on @lnk->wr_reg_wait (wake_up(), not wake_up_all()).
 *
 * Presumably paired with smc_wr_reg_send() below, which is the only
 * registration-related entry point in this header — confirm in smc_wr.c.
 */
static inline void smc_wr_wakeup_reg_wait(struct smc_link *lnk)
{
	wake_up(&lnk->wr_reg_wait);
}
/* post a new receive work request to fill a completed old work request entry */
/* Repost one receive WR on @link->roce_qp.
 *
 * A new id is drawn from @link->wr_rx_id; the ring slot is the id modulo
 * @link->wr_rx_cnt, so ids and slots stay in lock-step as long as every
 * completed slot is reposted exactly once. The counter is advanced with a
 * plain increment because the original author relies on this only running
 * from tasklet context; it is not safe to call concurrently from elsewhere.
 *
 * Returns the result of ib_post_recv(): 0 on success, negative errno otherwise.
 */
static inline int smc_wr_rx_post(struct smc_link *link)
{
	u64 wr_id = ++link->wr_rx_id; /* tasklet context, thus not atomic */
	u64 quotient = wr_id;
	u32 slot;

	/* do_div() leaves the quotient in its first argument and returns the
	 * remainder, which is the ring slot for this id
	 */
	slot = do_div(quotient, link->wr_rx_cnt);
	link->wr_rx_ibs[slot].wr_id = wr_id;
	return ib_post_recv(link->roce_qp, &link->wr_rx_ibs[slot], NULL);
}
/* link / link group / IB device lifecycle (implemented in smc_wr.c) */
int smc_wr_create_link(struct smc_link *lnk);
int smc_wr_alloc_link_mem(struct smc_link *lnk);
int smc_wr_alloc_lgr_mem(struct smc_link_group *lgr);
void smc_wr_free_link(struct smc_link *lnk);
void smc_wr_free_link_mem(struct smc_link *lnk);
void smc_wr_free_lgr_mem(struct smc_link_group *lgr);
void smc_wr_remember_qp_attr(struct smc_link *lnk);
/* Per the commit description, device removal must wait for every QP on the
 * device to be destroyed before its CQs go away; otherwise in-flight CDC
 * completions never arrive and the smc_connection refcount cannot drain.
 */
void smc_wr_remove_dev(struct smc_ib_device *smcibdev);
void smc_wr_add_dev(struct smc_ib_device *smcibdev);

/* send path: reserve a slot (with its completion handler), fill it, then
 * send it or hand it back unused with smc_wr_tx_put_slot()
 */
int smc_wr_tx_get_free_slot(struct smc_link *link, smc_wr_tx_handler handler,
			    struct smc_wr_buf **wr_buf,
			    struct smc_rdma_wr **wrs,
			    struct smc_wr_tx_pend_priv **wr_pend_priv);
int smc_wr_tx_get_v2_slot(struct smc_link *link,
			  smc_wr_tx_handler handler,
			  struct smc_wr_v2_buf **wr_buf,
			  struct smc_wr_tx_pend_priv **wr_pend_priv);
int smc_wr_tx_put_slot(struct smc_link *link,
		       struct smc_wr_tx_pend_priv *wr_pend_priv);
int smc_wr_tx_send(struct smc_link *link,
		   struct smc_wr_tx_pend_priv *wr_pend_priv);
int smc_wr_tx_v2_send(struct smc_link *link,
		      struct smc_wr_tx_pend_priv *priv, int len);
int smc_wr_tx_send_wait(struct smc_link *link, struct smc_wr_tx_pend_priv *priv,
			unsigned long timeout);
/* Send completion entry point. The trace in the commit description shows the
 * completions being dispatched from smc_wr_tx_tasklet_fn() in softirq context,
 * so the smc_wr_tx_handler callbacks it invokes must not sleep.
 */
void smc_wr_tx_cq_handler(struct ib_cq *ib_cq, void *cq_context);
/* Presumably runs @dismisser on every pending send of @lnk whose type is
 * @wr_rx_hdr_type and for which @filter(priv, @data) is true; the exact
 * matching is in smc_wr.c.
 */
void smc_wr_tx_dismiss_slots(struct smc_link *lnk, u8 wr_rx_hdr_type,
			     smc_wr_tx_filter filter,
			     smc_wr_tx_dismisser dismisser,
			     unsigned long data);
/* Blocks until no sends are pending on @link. This commit removed its timeout
 * (see the description): returning early would let link resources be freed
 * while completions for them are still outstanding (use-after-free).
 */
void smc_wr_tx_wait_no_pending_sends(struct smc_link *link);

/* receive path */
int smc_wr_rx_register_handler(struct smc_wr_rx_handler *handler);
int smc_wr_rx_post_init(struct smc_link *link);
void smc_wr_rx_cq_handler(struct ib_cq *ib_cq, void *cq_context);
int smc_wr_reg_send(struct smc_link *link, struct ib_mr *mr);
#endif /* SMC_WR_H */