Discussion:
[PATCH for-net 0/2] irq sync fixes
(too old to reply)
Eli Cohen
2014-10-23 12:57:25 UTC
Permalink
Hi Dave,

This two patch series fixes a race where an interrupt handler could access a
freed memory.

Eli

Eli Cohen (2):
net/mlx5_core: Call synchronize_irq() before freeing EQ buffer
net/mlx4_core: Call synchronize_irq() before freeing EQ buffer

drivers/net/ethernet/mellanox/mlx4/eq.c | 1 +
drivers/net/ethernet/mellanox/mlx5/core/eq.c | 1 +
2 files changed, 2 insertions(+)
--
2.1.2
Eli Cohen
2014-10-23 12:57:26 UTC
Permalink
After destroying the EQ, the object responsible for generating interrupts, call
synchronize_irq() to ensure that any handler routines running on other CPU
cores finish execution. Only then free the EQ buffer. This patch solves a very
rare case when we get panic on driver unload.
The same thing is done when we destroy a CQ which is one of the sources
generating interrupts. In the case of CQ we want to avoid completion handlers
on a CQ that was destroyed. In the case we do the same to avoid receiving
asynchronous events after the EQ has been destroyed and its buffers freed.

Signed-off-by: Eli Cohen <***@mellanox.com>
---
drivers/net/ethernet/mellanox/mlx5/core/eq.c | 1 +
1 file changed, 1 insertion(+)

diff --git a/drivers/net/ethernet/mellanox/mlx5/core/eq.c b/drivers/net/ethernet/mellanox/mlx5/core/eq.c
index ed53291468f3..a278238a2db6 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/eq.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/eq.c
@@ -420,6 +420,7 @@ int mlx5_destroy_unmap_eq(struct mlx5_core_dev *dev, struct mlx5_eq *eq)
if (err)
mlx5_core_warn(dev, "failed to destroy a previously created eq: eqn %d\n",
eq->eqn);
+ synchronize_irq(table->msix_arr[eq->irqn].vector);
mlx5_buf_free(dev, &eq->buf);

return err;
--
2.1.2
Eli Cohen
2014-10-23 12:57:27 UTC
Permalink
After moving the EQ ownership to software effectively destroying it, call
synchronize_irq() to ensure that any handler routines running on other CPU
cores finish execution. Only then free the EQ buffer.
The same thing is done when we destroy a CQ which is one of the sources
generating interrupts. In the case of CQ we want to avoid completion handlers
on a CQ that was destroyed. In the case we do the same to avoid receiving
asynchronous events after the EQ has been destroyed and its buffers freed.

Signed-off-by: Eli Cohen <***@mellanox.com>
---
drivers/net/ethernet/mellanox/mlx4/eq.c | 1 +
1 file changed, 1 insertion(+)

diff --git a/drivers/net/ethernet/mellanox/mlx4/eq.c b/drivers/net/ethernet/mellanox/mlx4/eq.c
index a49c9d11d8a5..49290a405903 100644
--- a/drivers/net/ethernet/mellanox/mlx4/eq.c
+++ b/drivers/net/ethernet/mellanox/mlx4/eq.c
@@ -1026,6 +1026,7 @@ static void mlx4_free_eq(struct mlx4_dev *dev,
pr_cont("\n");
}
}
+ synchronize_irq(eq->irq);

mlx4_mtt_cleanup(dev, &eq->mtt);
for (i = 0; i < npages; ++i)
--
2.1.2
Continue reading on narkive:
Loading...