RDMA/uverbs: Atomically flush and mark closed the comp event queue

Steve Wise · jgunthorpe · commit 67e3816842fe · 2018-09-12T15:43:15.000-06:00
Currently a uverbs completion event queue is flushed of events in ib_uverbs_comp_event_close() with the queue spinlock held and then released. Yet setting ev_queue->is_closed is not set until later in uverbs_hot_unplug_completion_event_file(). In between the time ib_uverbs_comp_event_close() releases the lock and uverbs_hot_unplug_completion_event_file() acquires the lock, a completion event can arrive and be inserted into the event queue by ib_uverbs_comp_handler(). This can cause a "double add" list_add warning or crash depending on the kernel configuration, or a memory leak because the event is never dequeued since the queue is already closed down. So add setting ev_queue->is_closed = 1 to ib_uverbs_comp_event_close(). Cc: stable@vger.kernel.org Fixes: 1e7710f ("IB/core: Change completion channel to use the reworked objects schema") Signed-off-by: Steve Wise <swise@opengridcomputing.com> Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
diff --git a/drivers/infiniband/core/uverbs_main.c b/drivers/infiniband/core/uverbs_main.c
@@ -440,6 +440,7 @@ static int ib_uverbs_comp_event_close(struct inode *inode, struct file *filp)
 			list_del(&entry->obj_list);
 		kfree(entry);
 	}
+	file->ev_queue.is_closed = 1;
 	spin_unlock_irq(&file->ev_queue.lock);
 
 	uverbs_close_fd(filp);

Original file line number	Diff line number	Diff line change
`@@ -440,6 +440,7 @@ static int ib_uverbs_comp_event_close(struct inode inode, struct file filp)`
`440`	`440`	`list_del(&entry->obj_list);`
`441`	`441`	`kfree(entry);`
`442`	`442`	`}`
	`443`	`+ file->ev_queue.is_closed = 1;`
`443`	`444`	`spin_unlock_irq(&file->ev_queue.lock);`
`444`	`445`
`445`	`446`	`uverbs_close_fd(filp);`