This is a note to let you know that I've just added the patch titled RDMA/rxe: Fix a race condition related to the QP error state to the 4.15-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: rdma-rxe-fix-a-race-condition-related-to-the-qp-error-state.patch and it can be found in the queue-4.15 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable@xxxxxxxxxxxxxxx> know about it. >From 6f301e06de4cf9ab7303f5acd43e64fcd4aa04be Mon Sep 17 00:00:00 2001 From: Bart Van Assche <bart.vanassche@xxxxxxx> Date: Tue, 9 Jan 2018 11:23:40 -0800 Subject: RDMA/rxe: Fix a race condition related to the QP error state From: Bart Van Assche <bart.vanassche@xxxxxxx> commit 6f301e06de4cf9ab7303f5acd43e64fcd4aa04be upstream. The following sequence: * Change queue pair state into IB_QPS_ERR. * Post a work request on the queue pair. Triggers the following race condition in the rdma_rxe driver: * rxe_qp_error() triggers an asynchronous call of rxe_completer(), the function that examines the QP send queue. * rxe_post_send() posts a work request on the QP send queue. If rxe_completer() runs prior to rxe_post_send(), it will drain the send queue and the driver will assume no further action is necessary. However, once we post the send to the send queue, because the queue is in error, no send completion will ever happen and the send will get stuck. In order to process the send, we need to make sure that rxe_completer() gets run after a send is posted to a queue pair in an error state. This patch ensures that happens. Signed-off-by: Bart Van Assche <bart.vanassche@xxxxxxx> Cc: Moni Shoua <monis@xxxxxxxxxxxx> Cc: <stable@xxxxxxxxxxxxxxx> # v4.8 Signed-off-by: Doug Ledford <dledford@xxxxxxxxxx> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- drivers/infiniband/sw/rxe/rxe_verbs.c | 2 ++ 1 file changed, 2 insertions(+) --- a/drivers/infiniband/sw/rxe/rxe_verbs.c +++ b/drivers/infiniband/sw/rxe/rxe_verbs.c @@ -814,6 +814,8 @@ static int rxe_post_send_kernel(struct r (queue_count(qp->sq.queue) > 1); rxe_run_task(&qp->req.task, must_sched); + if (unlikely(qp->req.state == QP_STATE_ERROR)) + rxe_run_task(&qp->comp.task, 1); return err; } Patches currently in stable-queue which might be from bart.vanassche@xxxxxxx are queue-4.15/ib-core-fix-two-kernel-warnings-triggered-by-rxe-registration.patch queue-4.15/rdma-rxe-fix-a-race-condition-in-rxe_requester.patch queue-4.15/rdma-rxe-fix-rxe_qp_cleanup.patch queue-4.15/rdma-rxe-fix-a-race-condition-related-to-the-qp-error-state.patch