Re: [PATCH 3/9] IB: add a helper to safely drain a QP

From: Sagi Grimberg
Date: Wed Nov 18 2015 - 02:59:26 EST

On 17/11/2015 19:06, Bart Van Assche wrote:
On 11/15/2015 01:34 AM, Sagi Grimberg wrote:
This is taken from srp, and srp drains using a recv wr due to a race
causing a use-after-free condition in srp which re-posts a recv buffer
in the recv completion handler.

Hello Sagi,

Would it be possible to clarify this ? Does this refer to an existing
race or a race that would only occur if the code would be modified ?

I was referring to a bug that srp_destroy_qp() was design to

commit 7dad6b2e440d810273946b0e7092a8fe043c3b8a
Author: Bart Van Assche <bvanassche@xxxxxxx>
Date: Tue Oct 21 18:00:35 2014 +0200

IB/srp: Fix a race condition triggered by destroying a queue pair

At least LID reassignment can trigger a race condition in the SRP
initiator driver, namely the receive completion handler trying to
post a request on a QP during or after QP destruction and before
the CQ's have been destroyed. Avoid this race by modifying a QP
into the error state and by waiting until all receive completions
have been processed before destroying a QP.

Reported-by: Max Gurtuvoy <maxg@xxxxxxxxxxxx>
Signed-off-by: Bart Van Assche <bvanassche@xxxxxxx>
Reviewed-by: Sagi Grimberg <sagig@xxxxxxxxxxxx>
Signed-off-by: Christoph Hellwig <hch@xxxxxx>
