    net/mlx4_core: Fix racy CQ (Completion Queue) free · c46100f4
    Jack Morgenstein authored
    BugLink: http://bugs.launchpad.net/bugs/1650058
    
    In function mlx4_cq_completion() and mlx4_cq_event(), the
    radix_tree_lookup requires a rcu_read_lock.
    This is mandatory: if another core frees the CQ, it could
    run the radix_tree_node_rcu_free() call_rcu() callback while
    it's being used by the radix tree lookup function.
    
    Additionally, in function mlx4_cq_event(), since we are adding
    the rcu lock around the radix-tree lookup, we no longer need to take
    the spinlock. Also, the synchronize_irq() call for the async event
    eliminates the need for incrementing the cq reference count in
    mlx4_cq_event().
    
    Other changes:
    1. In function mlx4_cq_free(), replace spin_lock_irq with spin_lock:
       we no longer take this spinlock in the interrupt context.
       The spinlock here, therefore, simply protects against different
       threads simultaneously invoking mlx4_cq_free() for different cq's.
    
    2. In function mlx4_cq_free(), we move the radix tree delete to before
       the synchronize_irq() calls. This guarantees that we will not
       access this cq during any subsequent interrupts, and therefore can
       safely free the CQ after the synchronize_irq calls. The rcu_read_lock
       in the interrupt handlers only needs to protect against corrupting the
       radix tree; the interrupt handlers may access the cq outside the
       rcu_read_lock due to the synchronize_irq calls which protect against
       premature freeing of the cq.
    
    3. In function mlx4_cq_event(), we change the mlx_warn message to mlx4_dbg.
    
    4. We leave the cq reference count mechanism in place, because it is
       still needed for the cq completion tasklet mechanism.
    
    Fixes: 6d90aa5c ("net/mlx4_core: Make sure there are no pending async events when freeing CQ")
    Fixes: 225c7b1f ("IB/mlx4: Add a driver Mellanox ConnectX InfiniBand adapters")
    Signed-off-by: Jack Morgenstein <jackm@dev.mellanox.co.il>
    Signed-off-by: Matan Barak <matanb@mellanox.com>
    Signed-off-by: Tariq Toukan <tariqt@mellanox.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    (cherry picked from commit 291c566a)
    Signed-off-by: Joseph Salisbury <joseph.salisbury@canonical.com>
    Acked-by: Tim Gardner <tim.gardner@canonical.com>
    Acked-by: Brad Figg <brad.figg@canonical.com>
    Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>