From: Wengang Wang <wen.gang.wang@oracle.com>
Date: Tue, 4 Aug 2015 05:39:51 +0000 (+0800)
Subject: rds: rds_ib_device.refcount overflow
X-Git-Tag: v4.1.12-92~293^2^2~2
X-Git-Url: https://www.infradead.org/git/?a=commitdiff_plain;h=e1ba562f67fc2013847e64c8659f7f96b344b7db;p=users%2Fjedix%2Flinux-maple.git

rds: rds_ib_device.refcount overflow

Fixes:
  3e0249f9c05c ("RDS/IB: add refcount tracking to struct rds_ib_device")

There is a missing dropping of refcount on rds_ib_device.refcount
in case rds_ib_alloc_fmr() failed(mr pool running out). This lead to
the refcount overflow.

A BUG_ON on line 117(see following) is triggered.
From vmcore:
s_ib_rdma_mr_pool_depleted is 2147485544
and rds_ibdev->refcount is -2147475448.

That is the evidence the mr pool is used up. So rds_ib_alloc_fmr() is
very likely to return ERR_PTR(-EAGAIN).

115 void rds_ib_dev_put(struct rds_ib_device *rds_ibdev)
116 {
117         BUG_ON(atomic_read(&rds_ibdev->refcount) <= 0);
118         if (atomic_dec_and_test(&rds_ibdev->refcount))
119                 queue_work(rds_wq, &rds_ibdev->free_work);
120 }

The fix is to drop refcount when rds_ib_alloc_fmr() failed.

upstream commit: 4fabb59449aa44a585b3603ffdadd4c5f4d0c033

Orabug: 21534438

Signed-off-by: Wengang Wang <wen.gang.wang@oracle.com>
Reviewed-by: Haggai Eran <haggaie@mellanox.com>
Signed-off-by: Doug Ledford <dledford@redhat.com>
Acked-by: Wei Xu <wei.xu.xu@oracle.com>
Acked-by: Zheng Li <zheng.x.li@oracle.com>
Signed-off-by: Guangyu Sun <guangyu.sun@oracle.com>
---

diff --git a/net/rds/ib_rdma.c b/net/rds/ib_rdma.c
index 03cb6c91aa154..426d64366d484 100644
--- a/net/rds/ib_rdma.c
+++ b/net/rds/ib_rdma.c
@@ -875,8 +875,10 @@ void *rds_ib_get_mr(struct scatterlist *sg, unsigned long nents,
 	}
 
 	ibmr = rds_ib_alloc_fmr(rds_ibdev, nents);
-	if (IS_ERR(ibmr))
+	if (IS_ERR(ibmr)) {
+		rds_ib_dev_put(rds_ibdev);
 		return ibmr;
+	}
 
 	ret = rds_ib_map_fmr(rds_ibdev, ibmr, sg, nents);
 	if (ret == 0)