On Tue, Jun 09, 2020 at 03:54:12PM +0300, m.malygin@xxxxxxxxx wrote:
> From: Mikhail Malygin <m.malygin@xxxxxxxxx>
>
> rxe_post_send_kernel() iterates over linked list of wr's, until the wr->next ptr is NULL.
> However it we've got an interrupt after last wr is posted, control may be returned
> to the code after send completion callback is executed and wr memory is freed.
> As a result, wr->next pointer may contain incorrect value leading to panic.
>
> Signed-off-by: Mikhail Malygin <m.malygin@xxxxxxxxx>
> Signed-off-by: Sergey Kojushev <s.kojushev@xxxxxxxxx>
> drivers/infiniband/sw/rxe/rxe_verbs.c | 5 ++++-
> 1 file changed, 4 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/infiniband/sw/rxe/rxe_verbs.c b/drivers/infiniband/sw/rxe/rxe_verbs.c
> index b8a22af724e8..a539b11b4f9b 100644
> +++ b/drivers/infiniband/sw/rxe/rxe_verbs.c
> @@ -684,6 +684,7 @@ static int rxe_post_send_kernel(struct rxe_qp *qp, const struct ib_send_wr *wr,
> unsigned int mask;
> unsigned int length = 0;
> int i;
> + struct ib_send_wr *next;
>
> while (wr) {
> mask = wr_opcode_mask(wr->opcode, qp);
> @@ -700,6 +701,8 @@ static int rxe_post_send_kernel(struct rxe_qp *qp, const struct ib_send_wr *wr,
> break;
> }
>
> + next = READ_ONCE(wr->next);
Why is this READ_ONCE? The wr list at this point cannot be allowed to
change
Jason
