tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom

net/rds: Fix MR reference counting problem

In rds_free_mr(), it calls rds_destroy_mr(mr) directly. But this
defeats the purpose of reference counting and makes MR free handling
impossible. It means that holding a reference does not guarantee that
it is safe to access some fields. For example, In
rds_cmsg_rdma_dest(), it increases the ref count, unlocks and then
calls mr->r_trans->sync_mr(). But if rds_free_mr() (and
rds_destroy_mr()) is called in between (there is no lock preventing
this to happen), r_trans_private is set to NULL, causing a panic.
Similar issue is in rds_rdma_unuse().

Reported-by: zerons <sironhide0null@gmail.com>
Signed-off-by: Ka-Cheong Poon <ka-cheong.poon@oracle.com>
Acked-by: Santosh Shilimkar <santosh.shilimkar@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

authored by

Ka-Cheong Poon and committed by
David S. Miller 2fabef4f e228a5d0

+12 -21
+12 -13
net/rds/rdma.c
··· 101 101 rdsdebug("RDS: destroy mr key is %x refcnt %u\n", 102 102 mr->r_key, kref_read(&mr->r_kref)); 103 103 104 - if (test_and_set_bit(RDS_MR_DEAD, &mr->r_state)) 105 - return; 106 - 107 104 spin_lock_irqsave(&rs->rs_rdma_lock, flags); 108 105 if (!RB_EMPTY_NODE(&mr->r_rb_node)) 109 106 rb_erase(&mr->r_rb_node, &rs->rs_rdma_keys); ··· 139 142 rb_erase(&mr->r_rb_node, &rs->rs_rdma_keys); 140 143 RB_CLEAR_NODE(&mr->r_rb_node); 141 144 spin_unlock_irqrestore(&rs->rs_rdma_lock, flags); 142 - rds_destroy_mr(mr); 143 145 kref_put(&mr->r_kref, __rds_put_mr_final); 144 146 spin_lock_irqsave(&rs->rs_rdma_lock, flags); 145 147 } ··· 432 436 if (!mr) 433 437 return -EINVAL; 434 438 435 - /* 436 - * call rds_destroy_mr() ourselves so that we're sure it's done by the time 437 - * we return. If we let rds_mr_put() do it it might not happen until 438 - * someone else drops their ref. 439 - */ 440 - rds_destroy_mr(mr); 441 439 kref_put(&mr->r_kref, __rds_put_mr_final); 442 440 return 0; 443 441 } ··· 456 466 return; 457 467 } 458 468 469 + /* Get a reference so that the MR won't go away before calling 470 + * sync_mr() below. 471 + */ 472 + kref_get(&mr->r_kref); 473 + 474 + /* If it is going to be freed, remove it from the tree now so 475 + * that no other thread can find it and free it. 476 + */ 459 477 if (mr->r_use_once || force) { 460 478 rb_erase(&mr->r_rb_node, &rs->rs_rdma_keys); 461 479 RB_CLEAR_NODE(&mr->r_rb_node); ··· 477 479 if (mr->r_trans->sync_mr) 478 480 mr->r_trans->sync_mr(mr->r_trans_private, DMA_FROM_DEVICE); 479 481 482 + /* Release the reference held above. */ 483 + kref_put(&mr->r_kref, __rds_put_mr_final); 484 + 480 485 /* If the MR was marked as invalidate, this will 481 486 * trigger an async flush. */ 482 - if (zot_me) { 483 - rds_destroy_mr(mr); 487 + if (zot_me) 484 488 kref_put(&mr->r_kref, __rds_put_mr_final); 485 - } 486 489 } 487 490 488 491 void rds_rdma_free_op(struct rm_rdma_op *ro)
-8
net/rds/rds.h
··· 299 299 unsigned int r_invalidate:1; 300 300 unsigned int r_write:1; 301 301 302 - /* This is for RDS_MR_DEAD. 303 - * It would be nice & consistent to make this part of the above 304 - * bit field here, but we need to use test_and_set_bit. 305 - */ 306 - unsigned long r_state; 307 302 struct rds_sock *r_sock; /* back pointer to the socket that owns us */ 308 303 struct rds_transport *r_trans; 309 304 void *r_trans_private; 310 305 }; 311 - 312 - /* Flags for mr->r_state */ 313 - #define RDS_MR_DEAD 0 314 306 315 307 static inline rds_rdma_cookie_t rds_rdma_make_cookie(u32 r_key, u32 offset) 316 308 {