Re: [PATCH v2] ib_uverbs: atomically flush and mark closed the comp event queue

Steve Wise <swise@xxxxxxxxxxxxxxxxxxxxx> · Tue, 11 Sep 2018 16:20:50 -0500

Ignore the old date...

Jason, is this good to go?

Steve.

On 8/31/2018 9:16 AM, Steve Wise wrote:
> Currently a uverbs completion event queue is flushed of events in
> ib_uverbs_comp_event_close() with the queue spinlock held and then
> released.  Yet setting ev_queue->is_closed is not set until later in
> uverbs_hot_unplug_completion_event_file().
> 
> In between the time ib_uverbs_comp_event_close() releases the lock
> and uverbs_hot_unplug_completion_event_file() acquires the lock, a
> completion event can arrive and be inserted into the event queue by
> ib_uverbs_comp_handler().
> 
> This can cause a "double add" list_add warning or crash depending on
> the kernel configuration, or a memory leak because the event is never
> dequeued since the queue is already closed down.
> 
> So add setting ev_queue->is_closed = 1 to ib_uverbs_comp_event_close().
> 
> Cc: stable@xxxxxxxxxxxxxxx
> Fixes: 1e7710f3f656 ("IB/core: Change completion channel to use the reworked objects schema")
> Signed-off-by: Steve Wise <swise@xxxxxxxxxxxxxxxxxxxxx>
> ---
> 
> Changes since v1:
> 
> leave setting ev_queue.is_closed to 1 in
> uverbs_hot_unplug_completion_event_file().
> 
> ---
>  drivers/infiniband/core/uverbs_main.c | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/drivers/infiniband/core/uverbs_main.c b/drivers/infiniband/core/uverbs_main.c
> index 823beca448e1..b3ef7db68bde 100644
> --- a/drivers/infiniband/core/uverbs_main.c
> +++ b/drivers/infiniband/core/uverbs_main.c
> @@ -440,6 +440,7 @@ static int ib_uverbs_comp_event_close(struct inode *inode, struct file *filp)
>  			list_del(&entry->obj_list);
>  		kfree(entry);
>  	}
> +	file->ev_queue.is_closed = 1;
>  	spin_unlock_irq(&file->ev_queue.lock);
>  
>  	uverbs_close_fd(filp);
> 