On 8/21/2018 4:01 PM, Steve Wise wrote:
> Hey RDMAers,
>
> I see that a uverbs completion event is added to the ev_queue event_list
> as well as the associated uobject comp_list in ib_uverbs_comp_handler():
>
>         list_add_tail(&entry->list, &ev_queue->event_list);
>         list_add_tail(&entry->obj_list, &uobj->comp_list);
>         spin_unlock_irqrestore(&ev_queue->lock, flags);
>
>
> But in ib_uverbs_comp_event_close(), it looks like the entry could be
> left on the uobj comp_list and then the event structure is freed!
>
>
>         list_for_each_entry_safe(entry, tmp, &file->ev_queue.event_list,
>                                  list) {
>                 if (entry->counter)
>                         list_del(&entry->obj_list);
>                 kfree(entry);
>         }
>
>
> Is this a bug?
>
> I ask because I'm chasing a "double add" error logged in
> ib_uverbs_comp_handler(), when enabling CONFIG_DEBUG_LIST...
>
> Steve.
>

Maybe this is a fix? Don't add it to the uobj list if there is no counter...

diff --git a/drivers/infiniband/core/uverbs_main.c b/drivers/infiniband/core/uverbs_main.c index 2094d136513d..e352b1759c08 100644 --- a/drivers/infiniband/core/uverbs_main.c +++ b/drivers/infiniband/core/uverbs_main.c @@ -482,7 +482,8 @@ void ib_uverbs_comp_handler(struct ib_cq *cq, void *cq_context) entry->counter = &uobj->comp_events_reported; list_add_tail(&entry->list, &ev_queue->event_list); - list_add_tail(&entry->obj_list, &uobj->comp_list); + if (entry->counter) + list_add_tail(&entry->obj_list, &uobj->comp_list); spin_unlock_irqrestore(&ev_queue->lock, flags); wake_up_interruptible(&ev_queue->poll_wait);
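
Review bot: The added `if (entry->counter)` test in ib_uverbs_comp_handler() can never be false at this point, because the context line directly above it sets `entry->counter = &uobj->comp_events_reported;`, which is the address of a member of `uobj`. As written, the hunk still adds every entry to `uobj->comp_list`, so it does not change the handler's behaviour. If the concern is the free in ib_uverbs_comp_event_close() quoted earlier in the thread, where `list_del(&entry->obj_list)` is skipped when `entry->counter` is unset before `kfree(entry)`, the change belongs on that side (unlink under the same lock before freeing), or the description should name the path that clears `counter` so a reader can see when this check would matter. The patch also carries no changelog or Signed-off-by, which it will need if it goes beyond a question to the list.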