commit fd60ae404f104f12369e654af9cf03b1f1047661 · tjh.dev/kernel

tjh.dev / kernel

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

IB/uverbs: Avoid a crash on device hot remove

Wait until all users have closed their device context before allowing
device unregistration to complete. This prevents a crash caused by
referring to stale data structures.

A better solution would be to have a way to revoke contexts rather
than waiting for userspace to close the context, but that's a much
bigger change that will have to wait. For now let's at least avoid
the crash.

Signed-off-by: Jack Morgenstein <jackm@mellanox.co.il>
Signed-off-by: Michael S. Tsirkin <mst@mellanox.co.il>
Signed-off-by: Roland Dreier <rolandd@cisco.com>

authored by Jack Morgenstein and committed by Roland Dreier 19 years ago fd60ae40 8ddc7c53

+9 -1

2 changed files

expand all

unified split

drivers

infiniband

core

uverbs.h

uverbs_main.c

drivers/infiniband/core/uverbs.h

··· 42 #include <linux/kref.h> 43 #include <linux/idr.h> 44 #include <linux/mutex.h> 45 46 #include <rdma/ib_verbs.h> 47 #include <rdma/ib_user_verbs.h> ··· 70 71 struct ib_uverbs_device { 72 struct kref ref; 73 int devnum; 74 struct cdev *dev; 75 struct class_device *class_dev;

··· 42 #include <linux/kref.h> 43 #include <linux/idr.h> 44 #include <linux/mutex.h> 45 + #include <linux/completion.h> 46 47 #include <rdma/ib_verbs.h> 48 #include <rdma/ib_user_verbs.h> ··· 69 70 struct ib_uverbs_device { 71 struct kref ref; 72 + struct completion comp; 73 int devnum; 74 struct cdev *dev; 75 struct class_device *class_dev;

+7 -1

drivers/infiniband/core/uverbs_main.c

··· 122 struct ib_uverbs_device *dev = 123 container_of(ref, struct ib_uverbs_device, ref); 124 125 - kfree(dev); 126 } 127 128 void ib_uverbs_release_ucq(struct ib_uverbs_file *file, ··· 740 return; 741 742 kref_init(&uverbs_dev->ref); 743 744 spin_lock(&map_lock); 745 uverbs_dev->devnum = find_first_zero_bit(dev_map, IB_UVERBS_MAX_DEVICES); ··· 794 795 err: 796 kref_put(&uverbs_dev->ref, ib_uverbs_release_dev); 797 return; 798 } 799 ··· 815 spin_unlock(&map_lock); 816 817 clear_bit(uverbs_dev->devnum, dev_map); 818 kref_put(&uverbs_dev->ref, ib_uverbs_release_dev); 819 } 820 821 static int uverbs_event_get_sb(struct file_system_type *fs_type, int flags,

··· 122 struct ib_uverbs_device *dev = 123 container_of(ref, struct ib_uverbs_device, ref); 124 125 + complete(&dev->comp); 126 } 127 128 void ib_uverbs_release_ucq(struct ib_uverbs_file *file, ··· 740 return; 741 742 kref_init(&uverbs_dev->ref); 743 + init_completion(&uverbs_dev->comp); 744 745 spin_lock(&map_lock); 746 uverbs_dev->devnum = find_first_zero_bit(dev_map, IB_UVERBS_MAX_DEVICES); ··· 793 794 err: 795 kref_put(&uverbs_dev->ref, ib_uverbs_release_dev); 796 + wait_for_completion(&uverbs_dev->comp); 797 + kfree(uverbs_dev); 798 return; 799 } 800 ··· 812 spin_unlock(&map_lock); 813 814 clear_bit(uverbs_dev->devnum, dev_map); 815 + 816 kref_put(&uverbs_dev->ref, ib_uverbs_release_dev); 817 + wait_for_completion(&uverbs_dev->comp); 818 + kfree(uverbs_dev); 819 } 820 821 static int uverbs_event_get_sb(struct file_system_type *fs_type, int flags,