[PATCH] staging/rdma/hfi1: fix pio progress routine race with allocator

public inbox for linux-next@vger.kernel.org 
 help / color / mirror / Atom feed

From: Mike Marciniszyn <mike.marciniszyn@intel•com>
To: devel@driverdev•osuosl.org
Cc: linux-rdma@vger•kernel.org, dledford@redhat•com,
	linux-next@vger•kernel.org
Subject: [PATCH] staging/rdma/hfi1: fix pio progress routine race with allocator
Date: Thu, 03 Dec 2015 14:34:18 -0500	[thread overview]
Message-ID: <20151203193417.12617.62289.stgit@phlsvslse11.ph.intel.com> (raw)

The allocation code assumes that the shadow ring cannot
be overrun because the credits will limit the allocation.

Unfortuately, the progress mechanism in sc_release_update() updates
the free count prior to processing the shadow ring, allowing the
shadow ring to be overrun by an allocation.

Reviewed-by: Mark Debbage <mark.debbage@intel•com>
Signed-off-by: Mike Marciniszyn <mike.marciniszyn@intel•com>
---
 drivers/staging/rdma/hfi1/pio.c |    9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/drivers/staging/rdma/hfi1/pio.c b/drivers/staging/rdma/hfi1/pio.c
index eab58c1..8e10857 100644
--- a/drivers/staging/rdma/hfi1/pio.c
+++ b/drivers/staging/rdma/hfi1/pio.c
@@ -1565,6 +1565,7 @@ void sc_release_update(struct send_context *sc)
 	u64 hw_free;
 	u32 head, tail;
 	unsigned long old_free;
+	unsigned long free;
 	unsigned long extra;
 	unsigned long flags;
 	int code;
@@ -1579,7 +1580,7 @@ void sc_release_update(struct send_context *sc)
 	extra = (((hw_free & CR_COUNTER_SMASK) >> CR_COUNTER_SHIFT)
 			- (old_free & CR_COUNTER_MASK))
 				& CR_COUNTER_MASK;
-	sc->free = old_free + extra;
+	free = old_free + extra;
 	trace_hfi1_piofree(sc, extra);
 
 	/* call sent buffer callbacks */
@@ -1589,7 +1590,7 @@ void sc_release_update(struct send_context *sc)
 	while (head != tail) {
 		pbuf = &sc->sr[tail].pbuf;
 
-		if (sent_before(sc->free, pbuf->sent_at)) {
+		if (sent_before(free, pbuf->sent_at)) {
 			/* not sent yet */
 			break;
 		}
@@ -1603,8 +1604,10 @@ void sc_release_update(struct send_context *sc)
 		if (tail >= sc->sr_size)
 			tail = 0;
 	}
-	/* update tail, in case we moved it */
 	sc->sr_tail = tail;
+	/* make sure tail is updated before free */
+	smp_wmb();
+	sc->free = free;
 	spin_unlock_irqrestore(&sc->release_lock, flags);
 	sc_piobufavail(sc);
 }

                 reply	other threads:[~2015-12-03 19:34 UTC|newest]

Thread overview: [no followups] expand[flat|nested]  mbox.gz  Atom feed

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:eab58c1 dfblob:8e10857 )
 OR (
bs:"[PATCH] staging/rdma/hfi1: fix pio progress routine race with allocator" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20151203193417.12617.62289.stgit@phlsvslse11.ph.intel.com \
    --to=mike.marciniszyn@intel$(echo .)com \
    --cc=devel@driverdev$(echo .)osuosl.org \
    --cc=dledford@redhat$(echo .)com \
    --cc=linux-next@vger$(echo .)kernel.org \
    --cc=linux-rdma@vger$(echo .)kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox