On 17/11/2015 19:06, Bart Van Assche wrote:
> On 11/15/2015 01:34 AM, Sagi Grimberg wrote:
>> This is taken from srp, and srp drains using a recv wr due to a race
>> causing a use-after-free condition in srp which re-posts a recv buffer
>> in the recv completion handler.
>
> Hello Sagi,
>
> Would it be possible to clarify this ? Does this refer to an existing
> race or a race that would only occur if the code would be modified ?

I was referring to a bug that srp_destroy_qp() was designed to
address:

commit 7dad6b2e440d810273946b0e7092a8fe043c3b8a
Author: Bart Van Assche <bvanass...@acm.org>
Date:   Tue Oct 21 18:00:35 2014 +0200

    IB/srp: Fix a race condition triggered by destroying a queue pair

    At least LID reassignment can trigger a race condition in the SRP
    initiator driver, namely the receive completion handler trying to
    post a request on a QP during or after QP destruction and before
    the CQ's have been destroyed. Avoid this race by modifying a QP
    into the error state and by waiting until all receive completions
    have been processed before destroying a QP.

    Reported-by: Max Gurtuvoy <m...@mellanox.com>
    Signed-off-by: Bart Van Assche <bvanass...@acm.org>
    Reviewed-by: Sagi Grimberg <sa...@mellanox.com>
    Signed-off-by: Christoph Hellwig <h...@lst.de>
--
To unsubscribe from this list: send the line "unsubscribe linux-rdma" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
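
The teardown ordering described in the commit message above, as an added example that is not part of the original thread and is not the SRP driver's code: a single-threaded C model of a completion queue in which the receive handler re-posts its buffer. All names (`struct model`, `DRAIN_WR_ID`, `teardown_unsafe`, `teardown_drained`) are hypothetical, and a post on a destroyed QP is only counted, standing in for the use-after-free.

```c
#include <stdbool.h>
#include <stdio.h>

enum { WC_SUCCESS, WC_FLUSH_ERR };        /* completion status */
enum { QP_RTS, QP_ERR, QP_DESTROYED };    /* queue pair state */
#define DRAIN_WR_ID (-1)                  /* hypothetical sentinel for the drain WR */
#define CQ_MAX 32
struct wc { int wr_id, status; };
struct model { int qp_state, head, tail, posts_after_destroy; struct wc cq[CQ_MAX]; };

/* Post a receive; on a QP in the error state the WR is flushed straight to the CQ. */
static void post_recv(struct model *m, int wr_id) {
    if (m->qp_state == QP_DESTROYED) m->posts_after_destroy++;  /* models the bug */
    else if (m->qp_state == QP_ERR && m->tail < CQ_MAX)
        m->cq[m->tail++] = (struct wc){ wr_id, WC_FLUSH_ERR };
}

/* Receive completion handler; returns true once the drain WR has completed. */
static bool handle_one(struct model *m) {
    struct wc wc = m->cq[m->head++];
    if (wc.wr_id == DRAIN_WR_ID) return true;
    if (wc.status == WC_SUCCESS) post_recv(m, wc.wr_id);  /* re-post the buffer */
    return false;
}
static void poll_all(struct model *m) { while (m->head < m->tail) handle_one(m); }

/* Constructed scenario: three successful receives sit in the CQ at teardown. */
static struct model pending(void) {
    struct model m = { .qp_state = QP_RTS };
    for (int id = 1; id <= 3; id++) m.cq[m.tail++] = (struct wc){ id, WC_SUCCESS };
    return m;
}

int teardown_unsafe(void) {       /* destroy the QP, process completions afterwards */
    struct model m = pending();
    m.qp_state = QP_DESTROYED;
    poll_all(&m);
    return m.posts_after_destroy;
}

int teardown_drained(void) {      /* error state, drain WR, wait for it, then destroy */
    struct model m = pending();
    m.qp_state = QP_ERR;
    post_recv(&m, DRAIN_WR_ID);   /* queued behind every earlier completion */
    while (!handle_one(&m)) { }   /* wait until the drain WR is seen */
    m.qp_state = QP_DESTROYED;
    poll_all(&m);                 /* only flushed WRs remain; none are re-posted */
    return m.posts_after_destroy;
}

int main(void) { printf("unsafe=%d drained=%d\n", teardown_unsafe(), teardown_drained()); return 0; }
```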
