Skip to content

Commit cf65726

Browse files
SantoshShilimkarSantoshShilimkar
committed
RDS: IB: fix panic due to handlers running post teardown
Shutdown code reaping loop takes care of emptying the CQ's before they being destroyed. And once tasklets are killed, the hanlders are not expected to run. But because of core tasklet code issues, tasklet handler could still run even after tasklet_kill, RDS IB shutdown code already reaps the CQs before freeing cq/qp resources so as such the handlers have nothing left to do post shutdown. On other hand any handler running after teardown and trying to access already freed qp/cq resources causes issues Patch fixes this race by makes sure that handlers returns without any action post teardown. Reviewed-by: Wengang <[email protected]> Signed-off-by: Santosh Shilimkar <[email protected]>
1 parent 941f8d5 commit cf65726

File tree

2 files changed

+13
-0
lines changed

2 files changed

+13
-0
lines changed

net/rds/ib.h

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -185,6 +185,7 @@ struct rds_ib_connection {
185185

186186
/* Endpoint role in connection */
187187
bool i_active_side;
188+
atomic_t i_cq_quiesce;
188189

189190
/* Send/Recv vectors */
190191
int i_scq_vector;

net/rds/ib_cm.c

Lines changed: 12 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -128,6 +128,8 @@ void rds_ib_cm_connect_complete(struct rds_connection *conn, struct rdma_cm_even
128128
ic->i_flowctl ? ", flow control" : "");
129129
}
130130

131+
atomic_set(&ic->i_cq_quiesce, 0);
132+
131133
/* Init rings and fill recv. this needs to wait until protocol
132134
* negotiation is complete, since ring layout is different
133135
* from 3.1 to 4.1.
@@ -267,6 +269,10 @@ static void rds_ib_tasklet_fn_send(unsigned long data)
267269

268270
rds_ib_stats_inc(s_ib_tasklet_call);
269271

272+
/* if cq has been already reaped, ignore incoming cq event */
273+
if (atomic_read(&ic->i_cq_quiesce))
274+
return;
275+
270276
poll_scq(ic, ic->i_send_cq, ic->i_send_wc);
271277
ib_req_notify_cq(ic->i_send_cq, IB_CQ_NEXT_COMP);
272278
poll_scq(ic, ic->i_send_cq, ic->i_send_wc);
@@ -308,6 +314,10 @@ static void rds_ib_tasklet_fn_recv(unsigned long data)
308314

309315
rds_ib_stats_inc(s_ib_tasklet_call);
310316

317+
/* if cq has been already reaped, ignore incoming cq event */
318+
if (atomic_read(&ic->i_cq_quiesce))
319+
return;
320+
311321
memset(&state, 0, sizeof(state));
312322
poll_rcq(ic, ic->i_recv_cq, ic->i_recv_wc, &state);
313323
ib_req_notify_cq(ic->i_recv_cq, IB_CQ_SOLICITED);
@@ -804,6 +814,8 @@ void rds_ib_conn_path_shutdown(struct rds_conn_path *cp)
804814
tasklet_kill(&ic->i_send_tasklet);
805815
tasklet_kill(&ic->i_recv_tasklet);
806816

817+
atomic_set(&ic->i_cq_quiesce, 1);
818+
807819
/* first destroy the ib state that generates callbacks */
808820
if (ic->i_cm_id->qp)
809821
rdma_destroy_qp(ic->i_cm_id);

0 commit comments

Comments
 (0)