Re: Maybe a race condition in net/rds/rdma.c?


 




> On 18 Feb 2020, at 14:13, zerons <sironhide0null@xxxxxxxxx> wrote:
> 
> Hi, all
> 
> In net/rds/rdma.c
> (https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tree/net/rds/rdma.c?h=v5.5.3#n419),
> there may be a race condition between rds_rdma_unuse() and rds_free_mr().
> 
> It seems that this one needs some specific devices to run a test,
> unfortunately, I don't have any of these.
> I've already sent two emails to the maintainer for help, no response yet,
> (the email address may not be in use).
> 
> 0) in rds_recv_incoming_exthdrs(), it calls rds_rdma_unuse() when receiving an
> extension header with force=0, if the victim mr does not have RDS_RDMA_USE_ONCE
> flag set, then the mr would stay in the rbtree. Without any lock, it tries to
> call mr->r_trans->sync_mr().
> 
> 1) in rds_free_mr(), the same mr is found, and then freed. The mr->r_refcount
> doesn't change while rds_mr_tree_walk().
> 
> 0) back in rds_rdma_unuse(), the victim mr gets used again, calling
> mr->r_trans->sync_mr().
> 
> Could this race condition actually happen?
> 
> Thank you.

Hi Peng,


I will have someone look at this one.

Thanks for your report,


Håkon
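
The interleaving 0) -> 1) -> 0) from the report, replayed deterministically in a user-space C model (an added example, not code from this thread or from the kernel). All model_* names and the one-slot table are hypothetical; the pinned lookup shows the usual take-a-reference-under-the-lock pattern as an assumed remedy, not a fix taken from upstream.

```c
/* User-space model of the reported scenario; every name here is hypothetical. */
struct model_mr {
    unsigned key;
    int refcount;            /* the table owns one reference */
    int destroyed;           /* set instead of free() so the replay can inspect it */
    int used_after_destroy;
};
static struct model_mr *table_slot;    /* one-entry stand-in for the rbtree */

/* Each function stands for one critical section under the modelled tree lock. */
static void model_insert(struct model_mr *mr, unsigned key) {
    *mr = (struct model_mr){ .key = key, .refcount = 1 };
    table_slot = mr;
}
static void model_put(struct model_mr *mr) {
    if (--mr->refcount == 0)
        mr->destroyed = 1;             /* last reference dropped */
}
/* Lookup; with pin=1 a reference is taken before the lock would be released. */
static struct model_mr *model_lookup(unsigned key, int pin) {
    struct model_mr *mr = table_slot;
    if (!mr || mr->key != key)
        return 0;
    if (pin)
        mr->refcount++;
    return mr;
}
/* Free path: unlink the entry and drop the table's reference. */
static void model_free_key(unsigned key) {
    struct model_mr *mr = model_lookup(key, 0);
    if (!mr)
        return;
    table_slot = 0;
    model_put(mr);
}
/* Stand-in for the sync callback: records a use of a dead object. */
static void model_sync(struct model_mr *mr) {
    if (mr->destroyed)
        mr->used_after_destroy = 1;
}
/* Replays 0) -> 1) -> 0); returns 1 if sync ran on a destroyed object. */
static int replay(int pin) {
    static struct model_mr mr;
    model_insert(&mr, 7);                       /* constructed key */
    struct model_mr *p = model_lookup(7, pin);  /* 0) receive path finds mr */
    model_free_key(7);                          /* 1) free path runs */
    model_sync(p);                              /* 0) receive path resumes */
    if (pin)
        model_put(p);
    return mr.used_after_destroy;
}
int main(void) { return !(replay(0) == 1 && replay(1) == 0); }
```

With the bare lookup the free path drops the last reference before the sync step runs; with the pinned lookup the object stays alive until the receive path drops its own reference.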







