Re: [PATCH] core/verb.c: fix kernel panic: always initialize struct ib_qp *qp->usecnt



Hmm, I think we do have a serious problem with the whole approach. While the patch works for the kernel side, there is a problem with user space libraries. So I monitored our daemons and noticed ibv_destroy_cq() failed. The reason again seems to be the same issue as already fixed for kernel qp's. So in __ibv_create_qp() (libibverbs/src/verbs.c):

__ibv_create_qp()

	struct ibv_qp *qp = pd->context->ops.create_qp(pd, qp_init_attr);

	if (qp) {
		qp->context    	     = pd->context;
		qp->qp_context 	     = qp_init_attr->qp_context;
		qp->pd         	     = pd;
		qp->send_cq    	     = qp_init_attr->send_cq;
[...]

I *guess* the qp allocated by pd->context->ops.create_qp() does not have qp->usecnt initialized (nor does it know anything about it). So its random value will fail the destruction later. A simple workaround that would work for us is to extend the patch I sent to

diff --git a/drivers/infiniband/core/verbs.c b/drivers/infiniband/core/verbs.c
index 602b1bd..fba1675 100644
--- a/drivers/infiniband/core/verbs.c
+++ b/drivers/infiniband/core/verbs.c
@@ -874,7 +874,7 @@ int ib_destroy_qp(struct ib_qp *qp)
        struct ib_srq *srq;
        int ret;

-       if (atomic_read(&qp->usecnt))
+       if (qp->qp_type == IB_QPT_XRC_TGT && atomic_read(&qp->usecnt))
                return -EBUSY;

        if (qp->real_qp != qp)
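
Review bot: the new condition in ib_destroy_qp() hides the uninitialized qp->usecnt instead of fixing it, and it changes behaviour for every QP type other than IB_QPT_XRC_TGT, whose usecnt is no longer consulted at all, so a non-XRC_TGT QP that really holds a nonzero count would now be destroyed rather than refused with -EBUSY. For IB_QPT_XRC_TGT the same possibly uninitialized value is still read by atomic_read(&qp->usecnt). I would keep the original unconditional check here and initialize usecnt at the point where the qp comes back from the create_qp op, so the field is always valid before ib_destroy_qp() can see it. The commit message should also state which creation paths were found to leave usecnt unset.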



However, what is with user space setting type to IB_QPT_XRC_TGT? I guess this could be solved by letting the kernel zero the memory returned by ->ops.create_qp(pd, qp_init_attr). Btw, I didn't figure out yet how this translates at all in kernel space. Is this op directly going to the device driver?

But even if we are properly going to initialize the qp, what is with user space mischievously trying to crash the system by manipulating struct ib_qp *qp?


Thanks,
Bernd
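
The failure mode guessed at in the message above, as an added user-space model that is not code from the original post, the kernel or libibverbs: a provider hook allocates the object without touching a field that only the core layer knows about, and the core's destroy guard then refuses the object. The struct, the function names and the 0xA5 fill pattern are assumptions made for the demonstration.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Mock of the two fields that matter; not the real struct ib_qp / ibv_qp. */
struct mock_qp {
	int qp_type;
	int usecnt;	/* owned by the core layer, unknown to the provider */
};

/* Hypothetical provider hook. The 0xA5 fill models stale heap contents
 * deterministically (reading truly uninitialized memory is undefined). */
static struct mock_qp *provider_create_qp(int qp_type)
{
	struct mock_qp *qp = malloc(sizeof(*qp));
	if (!qp)
		return NULL;
	memset(qp, 0xA5, sizeof(*qp));
	qp->qp_type = qp_type;
	return qp;
}

/* Core wrapper: with init_core_fields == 0 it trusts the provider's memory. */
static struct mock_qp *core_create_qp(int qp_type, int init_core_fields)
{
	struct mock_qp *qp = provider_create_qp(qp_type);
	if (qp && init_core_fields)
		qp->usecnt = 0;	/* the core initializes what the core later checks */
	return qp;
}

/* Same guard as the unpatched check in the hunk above. */
static int core_destroy_qp(struct mock_qp *qp)
{
	if (qp->usecnt)
		return -EBUSY;
	free(qp);
	return 0;
}

/* Create, then immediately destroy; returns the destroy result. */
int create_then_destroy(int init_core_fields)
{
	struct mock_qp *qp = core_create_qp(0, init_core_fields);
	int ret;
	if (!qp)
		return -ENOMEM;
	ret = core_destroy_qp(qp);
	if (ret)
		free(qp);	/* demo only: do not leak the refused object */
	return ret;
}

int main(void)
{
	printf("uninit: %d, init: %d\n", create_then_destroy(0), create_then_destroy(1));
	return 0;
}
```

Initializing the field in the wrapper keeps the destroy guard meaningful for every type, which a type-specific exception in the guard does not.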

