Hi Jason,
You've added a rather, er, "innovative" user of the radix tree recently
in drivers/infiniband/core/uverbs_ioctl.c. Unfortunately I think it
can dereference freed memory like so:
CPU A:
srcu_key = srcu_read_lock(&file->device->disassociate_srcu);
err = ib_uverbs_cmd_verbs(file, &hdr, user_hdr->attrs);
->
slot = radix_tree_iter_lookup(
&uapi->radix, &attrs_iter,
uapi_key_obj(hdr->object_id) |
uapi_key_ioctl_method(hdr->method_id));
CPU B:
radix_tree_for_each_slot (slot, &uapi->radix, &iter, 0) {
kfree(rcu_dereference_protected(*slot, true));
radix_tree_iter_delete(&uapi->radix, &iter, slot);
}
radix_tree_iter_delete() ends up calling radix_tree_node_free()
which does a call_rcu(&node->rcu_head, radix_tree_node_rcu_free)
You're holding an srcu_read_lock(), not an rcu_read_lock(), so
as far as RCU is concerned, you're not within a grace period, and
it doesn't need to wait for you.
I'm _really_ not a fan of the way you pull various things out of the
radix_tree_iter and keep references to them in the pbundle. Can we
figure out a better way to do this? I don't have a clear picture of
your requirements at this stage.
