diff options
| author | Andrew Boyer <andrew.boyer@dell.com> | 2016-12-05 08:43:20 -0500 |
|---|---|---|
| committer | Doug Ledford <dledford@redhat.com> | 2016-12-12 16:31:45 -0500 |
| commit | 07bf9627d5f1c0334fc543a5435a31a3b5907944 (patch) | |
| tree | 92998cf99b917960295d2c9e1aa9be7cc9bb6b50 /drivers/infiniband/sw | |
| parent | 5407f530122aa63cf304eb0874c938b3bdb8d3fb (diff) | |
IB/rxe: Wait for tasklets to finish before tearing down QP
The system may crash when a malformed request is received and
the error is detected by the responder.
NodeA: $ ibv_rc_pingpong -g 0 -d rxe0 -i 1 -n 1 -s 50000
NodeB: $ ibv_rc_pingpong -g 0 -d rxe0 -i 1 -n 1 -s 1024 <NodeA_ip>
The responder generates a receive error on node B since the incoming
SEND is oversized. If the client tears down the QP before the responder
or the completer finish running, a page fault may occur.
The fix makes the destroy operation spin until the tasks complete, which
appears to be original intent of the design.
Signed-off-by: Andrew Boyer <andrew.boyer@dell.com>
Reviewed-by: Yuval Shaia <yuval.shaia@oracle.com>
Signed-off-by: Doug Ledford <dledford@redhat.com>
Diffstat (limited to 'drivers/infiniband/sw')
| -rw-r--r-- | drivers/infiniband/sw/rxe/rxe_task.c | 19 | ||||
| -rw-r--r-- | drivers/infiniband/sw/rxe/rxe_task.h | 1 |
2 files changed, 20 insertions, 0 deletions
diff --git a/drivers/infiniband/sw/rxe/rxe_task.c b/drivers/infiniband/sw/rxe/rxe_task.c index 1e19bf828a6e..d2a14a1bdc7f 100644 --- a/drivers/infiniband/sw/rxe/rxe_task.c +++ b/drivers/infiniband/sw/rxe/rxe_task.c | |||
| @@ -121,6 +121,7 @@ int rxe_init_task(void *obj, struct rxe_task *task, | |||
| 121 | task->arg = arg; | 121 | task->arg = arg; |
| 122 | task->func = func; | 122 | task->func = func; |
| 123 | snprintf(task->name, sizeof(task->name), "%s", name); | 123 | snprintf(task->name, sizeof(task->name), "%s", name); |
| 124 | task->destroyed = false; | ||
| 124 | 125 | ||
| 125 | tasklet_init(&task->tasklet, rxe_do_task, (unsigned long)task); | 126 | tasklet_init(&task->tasklet, rxe_do_task, (unsigned long)task); |
| 126 | 127 | ||
| @@ -132,11 +133,29 @@ int rxe_init_task(void *obj, struct rxe_task *task, | |||
| 132 | 133 | ||
| 133 | void rxe_cleanup_task(struct rxe_task *task) | 134 | void rxe_cleanup_task(struct rxe_task *task) |
| 134 | { | 135 | { |
| 136 | unsigned long flags; | ||
| 137 | bool idle; | ||
| 138 | |||
| 139 | /* | ||
| 140 | * Mark the task, then wait for it to finish. It might be | ||
| 141 | * running in a non-tasklet (direct call) context. | ||
| 142 | */ | ||
| 143 | task->destroyed = true; | ||
| 144 | |||
| 145 | do { | ||
| 146 | spin_lock_irqsave(&task->state_lock, flags); | ||
| 147 | idle = (task->state == TASK_STATE_START); | ||
| 148 | spin_unlock_irqrestore(&task->state_lock, flags); | ||
| 149 | } while (!idle); | ||
| 150 | |||
| 135 | tasklet_kill(&task->tasklet); | 151 | tasklet_kill(&task->tasklet); |
| 136 | } | 152 | } |
| 137 | 153 | ||
| 138 | void rxe_run_task(struct rxe_task *task, int sched) | 154 | void rxe_run_task(struct rxe_task *task, int sched) |
| 139 | { | 155 | { |
| 156 | if (task->destroyed) | ||
| 157 | return; | ||
| 158 | |||
| 140 | if (sched) | 159 | if (sched) |
| 141 | tasklet_schedule(&task->tasklet); | 160 | tasklet_schedule(&task->tasklet); |
| 142 | else | 161 | else |
diff --git a/drivers/infiniband/sw/rxe/rxe_task.h b/drivers/infiniband/sw/rxe/rxe_task.h index d14aa6daed05..08ff42d451c6 100644 --- a/drivers/infiniband/sw/rxe/rxe_task.h +++ b/drivers/infiniband/sw/rxe/rxe_task.h | |||
| @@ -54,6 +54,7 @@ struct rxe_task { | |||
| 54 | int (*func)(void *arg); | 54 | int (*func)(void *arg); |
| 55 | int ret; | 55 | int ret; |
| 56 | char name[16]; | 56 | char name[16]; |
| 57 | bool destroyed; | ||
| 57 | }; | 58 | }; |
| 58 | 59 | ||
| 59 | /* | 60 | /* |