On 4/13/23 22:40, Guoqing Jiang wrote: > > > On 4/13/23 16:12, Zhijian Li (Fujitsu) wrote: >> On 13/04/2023 15:35, Guoqing Jiang wrote: >>> Hi, >>> >>> I take a closer look today. >>> >>> On 4/12/23 09:15, Zhijian Li (Fujitsu) wrote: >>>> On 11/04/2023 20:26, Leon Romanovsky wrote: >>>>> On Tue, Apr 11, 2023 at 02:43:46AM +0000, Zhijian Li (Fujitsu) wrote: >>>>>> On 10/04/2023 21:10, Guoqing Jiang wrote: >>>>>>> On 4/10/23 20:08, Leon Romanovsky wrote: >>>>>>>> On Mon, Apr 10, 2023 at 06:43:03AM +0000, Li Zhijian wrote: >>>>>>>>> The warning occurs when destroying PD whose reference count is not zero. >>>>>>>>> >>>>>>>>> Precodition: clt_path->s.con_num is 2. >>>>>>>>> So 2 cm connection will be created as below: >>>>>>>>> CPU0 CPU1 >>>>>>>>> init_conns { | >>>>>>>>> create_cm() // a. con[0] created | >>>>>>>>> | a'. rtrs_clt_rdma_cm_handler() { >>>>>>>>> | rtrs_rdma_addr_resolved() >>>>>>>>> | create_con_cq_qp(con); << con[0] >>>>>>>>> | } >>>>>>>>> | in this moment, refcnt of PD was increased to 2+ >>> What do you mean "refcnt of PD"? usecnt in struct ib_pd or dev_ref. >> I mean usecnt in struct ib_pd >> >> >> >>>>>>>>> | >>>>>>>>> create_cm() // b. cid = 1, failed | >>>>>>>>> destroy_con_cq_qp() | >>>>>>>>> rtrs_ib_dev_put() | >>>>>>>>> dev_free() | >>>>>>>>> ib_dealloc_pd(dev->ib_pd) << PD | >>>>>>>>> is destroyed, but refcnt is | >>>>>>>>> still greater than 0 | >>> Assuming you mean "pd->usecnt". We only allocate pd in con[0] by rtrs_ib_dev_find_or_add, >>> if con[1] failed to create cm, then alloc_path_reqs -> ib_alloc_mr -> atomic_inc(&pd->usecnt) > > The above can't be invoked, right? > >>> can't be triggered. Is there other places could increase the refcnt? >> Yes, when create a qp, it will also associate to this PD, that also mean refcnt of PD will be increased. >> >> When con[0](create_con_cq_qp) succeeded, refcnt of PD will be 2. and then when con[1] failed, since >> QP didn't create, refcnt of PD is still 2. con[1]'s cleanup will destroy the PD(ib_dealloc_pd) since dev_ref = 1, after that its >> refcnt is still 1. > > I can see the path increase usecnt to 1. > > rtrs_cq_qp_create -> create_qp > -> rdma_create_qp > -> ib_create_qp > -> create_qp > -> ib_qp_usecnt_inc which increases pd->usecnt > > Where is another place to increase usecnt to 2? > >>> Then what is the appropriate time to call destroy_con_cq_qp for this scenario? >>> Otherwise there could be memory leak. >> we must ensure QP in con[0] is closed before destroying the PD. >> Currently destroy_con_cq_qp() subroutine will close the opened QP first. > > Let me try another way, with below change, rtrs_ib_dev_put can't be called > from destroy_con_cq_qp, right? > > + if (!con->has_dev) > + return; > if (clt_path->s.dev_ref && !--clt_path->s.dev_ref) { > rtrs_ib_dev_put(clt_path->s.dev); > clt_path->s.dev = NULL; > > Then when will you dealloc pd and free rtrs_ib_dev? > > Thanks, > Guoqing I think that wondering into Leon's reference counting is a really bad idea. Currently the assumed rule is that rdma-core keeps its ref counts and rxe keeps its. rxe defers the return from rxe_dealloc_pd() until the rxe ref count drops to zero for that pd, sleeping if necessary. (There is a timeout value set where rxe will return anyway but it will throw a WARN. If the timeout isn't long enough under heavy load we could extend it.) If it doesn't happen, or it happens too soon, then there is a ref count bug in rxe that needs to be fixed. Fixing rxe ref count bugs is hard enough without entangling rdma-core ref counts into the mix. Bob