| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 17 Apr 2023 02:18:24 +0000
From: "Zhijian Li (Fujitsu)" <lizhijian@...itsu.com>
To: Zhu Yanjun <yanjun.zhu@...ux.dev>,
Leon Romanovsky <leon@...nel.org>
CC: Guoqing Jiang <guoqing.jiang@...ux.dev>,
"haris.iqbal@...os.com" <haris.iqbal@...os.com>,
"jinpu.wang@...os.com" <jinpu.wang@...os.com>,
"jgg@...pe.ca" <jgg@...pe.ca>,
"linux-rdma@...r.kernel.org" <linux-rdma@...r.kernel.org>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH for-next 2/3] RDMA/rtrs: Fix rxe_dealloc_pd warning
On 14/04/2023 23:58, Zhu Yanjun wrote:
> 在 2023/4/13 21:24, Leon Romanovsky 写道:
>> On Thu, Apr 13, 2023 at 08:12:15AM +0000, Zhijian Li (Fujitsu) wrote:
>>>
>>>
>>> On 13/04/2023 15:35, Guoqing Jiang wrote:
>>>> Hi,
>>>>
>>>> I take a closer look today.
>>>>
>>>> On 4/12/23 09:15, Zhijian Li (Fujitsu) wrote:
>>>>>
>>>>> On 11/04/2023 20:26, Leon Romanovsky wrote:
>>>>>> On Tue, Apr 11, 2023 at 02:43:46AM +0000, Zhijian Li (Fujitsu) wrote:
>>>>>>>
>>>>>>> On 10/04/2023 21:10, Guoqing Jiang wrote:
>>>>>>>>
>>>>>>>> On 4/10/23 20:08, Leon Romanovsky wrote:
>>>>>>>>> On Mon, Apr 10, 2023 at 06:43:03AM +0000, Li Zhijian wrote:
>>>>>>>>>> The warning occurs when destroying PD whose reference count is not zero.
>>>>>>>>>>
>>>>>>>>>> Precodition: clt_path->s.con_num is 2.
>>>>>>>>>> So 2 cm connection will be created as below:
>>>>>>>>>> CPU0 CPU1
>>>>>>>>>> init_conns { |
>>>>>>>>>> create_cm() // a. con[0] created |
>>>>>>>>>> | a'. rtrs_clt_rdma_cm_handler() {
>>>>>>>>>> | rtrs_rdma_addr_resolved()
>>>>>>>>>> | create_con_cq_qp(con); << con[0]
>>>>>>>>>> | }
>>>>>>>>>> | in this moment, refcnt of PD was increased to 2+
>>>>
>>>> What do you mean "refcnt of PD"? usecnt in struct ib_pd or dev_ref.
>>>
>>> I mean usecnt in struct ib_pd
>>>
>>>
>>>
>>>>
>>>>>>>>>> |
>>>>>>>>>> create_cm() // b. cid = 1, failed |
>>>>>>>>>> destroy_con_cq_qp() |
>>>>>>>>>> rtrs_ib_dev_put() |
>>>>>>>>>> dev_free() |
>>>>>>>>>> ib_dealloc_pd(dev->ib_pd) << PD |
>>>>>>>>>> is destroyed, but refcnt is |
>>>>>>>>>> still greater than 0 |
>>>>
>>>> Assuming you mean "pd->usecnt". We only allocate pd in con[0] by rtrs_ib_dev_find_or_add,
>>>> if con[1] failed to create cm, then alloc_path_reqs -> ib_alloc_mr -> atomic_inc(&pd->usecnt)
>>>> can't be triggered. Is there other places could increase the refcnt?
>>>
>>>
>>> Yes, when create a qp, it will also associate to this PD, that also mean refcnt of PD will be increased.
>>>
>>> When con[0](create_con_cq_qp) succeeded, refcnt of PD will be 2. and then when con[1] failed, since
>>> QP didn't create, refcnt of PD is still 2. con[1]'s cleanup will destroy the PD(ib_dealloc_pd) since dev_ref = 1, after that its
>>> refcnt is still 1.
>>
>> Why is refcnt 1 in con[1] destruction phase? It seems to me like a bug.
> + if (!con->has_dev)
> + return;
> if (clt_path->s.dev_ref && !--clt_path->s.dev_ref) {
> rtrs_ib_dev_put(clt_path->s.dev);
> clt_path->s.dev = NULL;
Currently, without this patch:
1. PD and clt_path->s.dev are shared among connections.
2. every con[n]'s cleanup phase will call destroy_con_cq_qp()
3. clt_path->s.dev will be always decreased in destroy_con_cq_qp(), and when
clt_path->s.dev become zero, it will destroy PD.
4. when con[1] failed to create, con[1] will not take clt_path->s.dev, but it try to decreased clt_path->s.dev <<< it's wrong to do that.
Thanks
Zhijian
> Agree. We should find out why refcnt 1 and fix this problem.
>
> Zhu Yanjun
>>
>> Thanks
>
Powered by blists - more mailing lists