On Tue, Jun 09, 2020 at 03:54:12PM +0300, m.malygin@xxxxxxxxx wrote:
> From: Mikhail Malygin <m.malygin@xxxxxxxxx>
>
> rxe_post_send_kernel() iterates over linked list of wr's, until the wr->next ptr is NULL.
> However if we've got an interrupt after last wr is posted, control may be returned
> to the code after send completion callback is executed and wr memory is freed.
> As a result, wr->next pointer may contain incorrect value leading to panic.
>
> Signed-off-by: Mikhail Malygin <m.malygin@xxxxxxxxx>
> Signed-off-by: Sergey Kojushev <s.kojushev@xxxxxxxxx>
> drivers/infiniband/sw/rxe/rxe_verbs.c | 5 ++++-
> 1 file changed, 4 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/infiniband/sw/rxe/rxe_verbs.c b/drivers/infiniband/sw/rxe/rxe_verbs.c > index b8a22af724e8..a539b11b4f9b 100644 > +++ b/drivers/infiniband/sw/rxe/rxe_verbs.c > @@ -684,6 +684,7 @@ static int rxe_post_send_kernel(struct rxe_qp *qp, const struct ib_send_wr *wr, > unsigned int mask; > unsigned int length = 0; > int i; > + struct ib_send_wr *next; > > while (wr) { > mask = wr_opcode_mask(wr->opcode, qp); > @@ -700,6 +701,8 @@ static int rxe_post_send_kernel(struct rxe_qp *qp, const struct ib_send_wr *wr, > break; > } > > + next = READ_ONCE(wr->next);

Why is this READ_ONCE? The wr list at this point cannot be allowed to change.

Jason
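
Review bot: in the first hunk the new local is declared `struct ib_send_wr *next;` without a qualifier, while the list it points into arrives through the parameter `const struct ib_send_wr *wr`. Declaring it `const struct ib_send_wr *next;` would keep the qualifier consistent with `wr` and make it clear that the saved pointer is only used to advance the walk, not to modify a work request.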
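
Review bot: the `READ_ONCE()` in `next = READ_ONCE(wr->next);` in the second hunk is not justified by the commit message, which describes a lifetime problem (the wr being freed after the completion callback runs), not a concurrent writer to `wr->next`. What closes that window is loading `wr->next` while the wr is still guaranteed to be valid, that is, before it is posted. The quoted hunk ends at this line, so it shows neither where the load sits relative to the post nor where `next` is consumed, and both need to be checked. If nothing can modify the list at this point, a plain `next = wr->next;` placed before the post is sufficient. If `READ_ONCE()` is intentional, the commit message should name the writer it guards against.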