From: zerons <sironhide0null@gmail.com>
To: linux-rdma@vger.kernel.org
Subject: Maybe a race condition in net/rds/rdma.c?
Date: Tue, 18 Feb 2020 21:13:57 +0800
Message-ID: <afd9225d-5c43-8cc7-0eed-455837b53e10@gmail.com>

Hi, all

In net/rds/rdma.c
(https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tree/net/rds/rdma.c?h=v5.5.3#n419),
there may be a race condition between rds_rdma_unuse() and rds_free_mr().

It seems that this one needs some specific devices to run tests;
unfortunately, I don't have any of these.
I've already sent two emails to the maintainer for help, with no response yet
(the email address may not be in use).

0) in rds_recv_incoming_exthdrs(), it calls rds_rdma_unuse() when it receives an
extension header with force=0. If the victim mr does not have the RDS_RDMA_USE_ONCE
flag set, then the mr would stay in the rbtree. Without any lock, it tries to
call mr->r_trans->sync_mr().

1) in rds_free_mr(), the same mr is found, and then freed. The mr->r_refcount
doesn't change during rds_mr_tree_walk().

0) back in rds_rdma_unuse(), the victim mr gets used again, calling
mr->r_trans->sync_mr().

Could this race condition actually happen?

Thank you.
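
The interleaving described in the message above, replayed deterministically in a small user-space C model (an added example, not kernel code and not part of the original message). `struct mr` and all helper names are assumptions; the model sets a `freed` flag instead of calling free(), and the `take_ref` variant shows the common remedy of taking a reference during lookup, which the message itself does not propose.

```c
#include <stdbool.h>
#include <stddef.h>

/* Hypothetical stand-in for struct rds_mr: only what the message mentions. */
struct mr {
    int  refcount;  /* models mr->r_refcount */
    bool in_tree;   /* still reachable by key lookup (rbtree membership) */
    bool freed;     /* set instead of free(), so the model is safe to run */
};

static void mr_put(struct mr *m) { if (--m->refcount == 0) m->freed = true; }

/* Lookup as the message describes it: refcount is left unchanged. */
static struct mr *lookup(struct mr *m) { return m->in_tree ? m : NULL; }

/* Hardened lookup: take a reference while still under the (modelled) lock. */
static struct mr *lookup_get(struct mr *m) {
    if (!m->in_tree) return NULL;
    m->refcount++;
    return m;
}

/* Free path: unlink from the tree and drop the tree's reference. */
static void free_path(struct mr *m) {
    if (!m->in_tree) return;
    m->in_tree = false;
    mr_put(m);
}

/* Replays steps 0 -> 1 -> 0 from the message.
 * Returns true if the modelled sync_mr() call would touch a freed mr. */
bool sync_touches_freed_mr(bool take_ref) {
    struct mr m = { .refcount = 1, .in_tree = true, .freed = false };
    struct mr *held = take_ref ? lookup_get(&m) : lookup(&m); /* step 0 */
    free_path(&m);                                             /* step 1 */
    bool stale = held->freed;      /* step 0 resumes: sync_mr(held) */
    if (take_ref) mr_put(held);    /* drop the reference taken at lookup */
    return stale;
}

/* With the reference held, the mr is still released once the last put runs. */
bool released_after_put(void) {
    struct mr m = { .refcount = 1, .in_tree = true, .freed = false };
    struct mr *held = lookup_get(&m);
    free_path(&m);
    mr_put(held);
    return m.freed && m.refcount == 0;
}
```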

Thread overview: 9+ messages
2020-02-18 13:13 zerons [this message]
2020-02-27 14:28 ` Maybe a race condition in net/rds/rdma.c? Håkon Bugge
2020-02-27 18:10   ` santosh.shilimkar
2020-03-06 12:11     ` zerons
2020-03-10 17:53       ` santosh.shilimkar
2020-03-11  4:48         ` zerons
2020-03-11 14:35           ` santosh.shilimkar
2020-03-12  8:58             ` zerons
2020-03-12 17:49               ` santosh.shilimkar
