mirror of
https://github.com/AuxXxilium/linux_dsm_epyc7002.git
synced 2025-01-20 17:38:54 +07:00
a3285aa4ee
Fix races in in destroying various objects. If a destroy routine waits for an object to become free by doing wait_event(&obj->wait, !atomic_read(&obj->refcount)); /* now clean up and destroy the object */ and another place drops a reference to the object by doing if (atomic_dec_and_test(&obj->refcount)) wake_up(&obj->wait); then this is susceptible to a race where the wait_event() and final freeing of the object occur between the atomic_dec_and_test() and the wake_up(). And this is a use-after-free, since wake_up() will be called on part of the already-freed object. Fix this in mthca by replacing the atomic_t refcounts with plain old integers protected by a spinlock. This makes it possible to do the decrement of the reference count and the wake_up() so that it appears as a single atomic operation to the code waiting on the wait queue. While touching this code, also simplify mthca_cq_clean(): the CQ being cleaned cannot go away, because it still has a QP attached to it. So there's no reason to be paranoid and look up the CQ by number; it's perfectly safe to use the pointer that the callers already have. Signed-off-by: Roland Dreier <rolandd@cisco.com> |
||
|---|---|---|
| .. | ||
| Kconfig | ||
| Makefile | ||
| mthca_allocator.c | ||
| mthca_av.c | ||
| mthca_catas.c | ||
| mthca_cmd.c | ||
| mthca_cmd.h | ||
| mthca_config_reg.h | ||
| mthca_cq.c | ||
| mthca_dev.h | ||
| mthca_doorbell.h | ||
| mthca_eq.c | ||
| mthca_mad.c | ||
| mthca_main.c | ||
| mthca_mcg.c | ||
| mthca_memfree.c | ||
| mthca_memfree.h | ||
| mthca_mr.c | ||
| mthca_pd.c | ||
| mthca_profile.c | ||
| mthca_profile.h | ||
| mthca_provider.c | ||
| mthca_provider.h | ||
| mthca_qp.c | ||
| mthca_reset.c | ||
| mthca_srq.c | ||
| mthca_uar.c | ||
| mthca_user.h | ||
| mthca_wqe.h | ||