linux/drivers/infiniband/hw
Jason Gunthorpe a862192e92 RDMA/mlx5: Prevent prefetch from racing with implicit destruction
Prefetch work in mlx5_ib_prefetch_mr_work can be queued and is able to run
concurrently with destruction of the implicit MR. The num_deferred_work
was intended to serialize this, but there is a race:

       CPU0                                          CPU1

    mlx5_ib_free_implicit_mr()
      xa_erase(odp_mkeys)
      synchronize_srcu()
      __xa_erase(implicit_children)
                                      mlx5_ib_prefetch_mr_work()
                                        pagefault_mr()
                                         pagefault_implicit_mr()
                                          implicit_get_child_mr()
                                           xa_cmpxchg()
                                        atomic_dec_and_test(num_deferred_mr)
      wait_event(imr->q_deferred_work)
      ib_umem_odp_release(odp_imr)
        kfree(odp_imr)

At this point in mlx5_ib_free_implicit_mr() the implicit_children list is
supposed to be empty forever so that destroy_unused_implicit_child_mr()
and related are not and will not be running.

Since it is not empty, the destroy_unused_implicit_child_mr() flow ends up
touching deallocated memory as mlx5_ib_free_implicit_mr() already tore down the
imr parent.

The solution is to flush out the prefetch wq by driving num_deferred_work
to zero after creation of new prefetch work is blocked.

Fixes: 5256edcb98 ("RDMA/mlx5: Rework implicit ODP destroy")
Link: https://lore.kernel.org/r/20200719065435.130722-1-leon@kernel.org
Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
2020-07-21 13:51:35 -03:00
bnxt_re treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
cxgb4 treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
efa RDMA/efa: Set maximum pkeys device attribute 2020-06-18 09:41:07 -03:00
hfi1 IB/hfi1: Do not destroy link_wq when the device is shut down 2020-07-02 13:54:50 -03:00
hns RDMA/hns: Fix wrong PBL offset when VA is not aligned to PAGE_SIZE 2020-07-16 09:55:01 -03:00
i40iw treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
mlx4 treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
mlx5 RDMA/mlx5: Prevent prefetch from racing with implicit destruction 2020-07-21 13:51:35 -03:00
mthca treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
ocrdma treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
qedr RDMA/qedr: Fix KASAN: use-after-free in ucma_event_handler+0x532 2020-06-18 09:44:45 -03:00
qib treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
usnic treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
vmw_pvrdma treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
Makefile RDMA/iw_cxgb3: Remove the iw_cxgb3 module from kernel 2019-10-04 15:08:59 -03:00