We know the first call to sdp_sk_sleep(sk) finds a non-null sk->sk_wq
because we don't crash:
0xffffffffa02b6388 <sdp_rx_irq+56>: mov 0xb8(%rsi),%rax
0xffffffffa02b638f <sdp_rx_irq+63>: test %rax,%rax
*** struct sock sk+0xb8 == sk->sk_wq (sk_wq is at offset 0xb8)
*** we didn't crash at sdp_rx_irq+56 so sk->sk_wq was apparently valid
0xffffffffa02b6394 <sdp_rx_irq+68>: mov 0xb8(%rsi),%rdx
0xffffffffa02b639b <sdp_rx_irq+75>: lea 0x8(%rdx),%rax
0xffffffffa02b639f <sdp_rx_irq+79>: cmp %rax,0x8(%rdx)
*** RDX is NULL causing the null dereference of address 0x8 at sdp_rx_irq+79.
Fix is to check if sk->sk_wq is NULL before dereferencing it to get the
address of sk->sk_wq->wait. Also, do the RCU dereference of sk->sk_wq
once, not twice as we may get a different answer (NULL) the second time.
Signed-off-by: Chuck Anderson <chuck.anderson@oracle.com>
Signed-off-by: John Sobecki <john.sobecki@oracle.com>
Acked-by: Chien Yen <chien.yen@oracle.com>
Signed-off-by: Guangyu Sun <guangyu.sun@oracle.com>
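The single-fetch fix described in the commit message above, modelled in userspace C as an added example (not the driver's code). The structs, `deref_wq` and `script_race` are constructed stand-ins, a C11 acquire load takes the place of the kernel's RCU dereference, and the double-fetch variant returns -1 where the kernel would have faulted.

```c
#include <stdatomic.h>
#include <stddef.h>

/* Constructed userspace stand-ins for the kernel objects named in the commit. */
struct socket_wq { int sleepers; };              /* models sk->sk_wq->wait */
struct sock { _Atomic(struct socket_wq *) sk_wq; };

static int loads, clear_before_load;  /* hypothetical knobs that script the race */

/* Stand-in for the RCU dereference of sk->sk_wq. A scripted "writer" clears
 * the pointer just before load number clear_before_load (counted from 0). */
static struct socket_wq *deref_wq(struct sock *sk)
{
    if (loads++ == clear_before_load)
        atomic_store_explicit(&sk->sk_wq, NULL, memory_order_release);
    return atomic_load_explicit(&sk->sk_wq, memory_order_acquire);
}

/* Reset the model: publish wq and choose which load the teardown precedes. */
void script_race(struct sock *sk, struct socket_wq *wq, int clear_at)
{
    loads = 0;
    clear_before_load = clear_at;
    atomic_store_explicit(&sk->sk_wq, wq, memory_order_release);
}

/* Before: test one load, then use a second one (the two movs of 0xb8(%rsi)
 * in the disassembly). Returns -1 where the kernel would have oopsed. */
int has_sleeper_double_fetch(struct sock *sk)
{
    if (!deref_wq(sk))
        return 0;
    struct socket_wq *wq = deref_wq(sk);   /* second fetch, unchecked */
    if (!wq)
        return -1;                          /* models the fault at address 0x8 */
    return wq->sleepers > 0;
}

/* After: one load into a local, NULL-checked, and only the local is used. */
int has_sleeper_single_fetch(struct sock *sk)
{
    struct socket_wq *wq = deref_wq(sk);
    if (!wq)
        return 0;
    return wq->sleepers > 0;
}
```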
shamir rabinovitch [Mon, 12 May 2014 15:34:02 +0000 (08:34 -0700)]
sdp: fix keepalive functionality
sdp keepalive functionality differs a bit from tcp socket functionality.
in sdp only accepted or connected socket can trigger this functionality
as the keepalive is implemented as rdma write with zero length and this
requires ib connection. due to this sdp behaviour you cannot set keepalive
on listening server socket or on non connected client socket. apps can
use sdp in 2 ways. binary apps that use tcp sockets can use the libsdp
to direct all the socket calls to sdp and new apps can open and use sdp
sockets directly w/o the need for libsdp. when using sdp socket directly
please follow the below rules:
- define: AF_INET_SDP = SOL_SDP = 27
- create the socket as follows:
socket(AF_INET_SDP, SOCK_STREAM, 0)
- get the sdp socket keepalive as follows:
getsockopt(fd, SOL_SOCKET, SO_KEEPALIVE, &optval, &optlen)
- set the sdp socket keepalive as follows:
setsockopt(fd, SOL_SDP, SO_KEEPALIVE, &optval, optlen)
when you load the sdp module:
- set the keepalive time. this is the max period in sec of no data before
sdp starts to send the probes. you should take into account that more
than one probe is needed till sdp detects that the remote hca is gone.
echo <time sec> > /sys/module/ib_sdp/parameters/sdp_keepalive_time
- zero the probes counter. this counter is incremented any time sdp sends a probe.
probes are sent only if there is no tx/rx on this queue pair for the
keepalive time period.
echo 0 > /sys/module/ib_sdp/parameters/sdp_keepalive_probes_sent
on server socket:
- set keepalive only on accepted socket
on client socket:
- set keepalive only on socket after connect
Saeed Mahameed [Sun, 17 Feb 2013 16:10:57 +0000 (18:10 +0200)]
ib_sdp: fix deadlock when sdp_cma_handler is called while socket is being closed
issue: 130280
sdp_close will grab sock_lock and while closing sdp_cma_handler can be called from cma context
under id_priv->qp_mutex and the sdp_cma_handler will wait for sock_lock to be available.
sdp_close will call rdma_disconnect which will need to grab id_priv->qp_mutex --> deadlock !
Eli Cohen [Sun, 3 Apr 2011 07:07:44 +0000 (10:07 +0300)]
Flatten the entire tree fixes
As from now we are going to avoid using patches to commit changes to the
driver. Instead, we will push directly to the source files. Backports are still
maintained but only for 2.6.18-EL5.5; backports of 2.6.32 are completely
removed.
Amir Vadai [Tue, 8 Mar 2011 08:25:35 +0000 (10:25 +0200)]
sdp: Limit total memory consumed by rcvbuf
rcvbuf is already limited by the payload in the queue. But also need to limit
total memory consumption of it, since small packets received might have a very
large overhead to the payload.
Amir Vadai [Mon, 28 Feb 2011 09:57:18 +0000 (11:57 +0200)]
sdp: fix memory socket accounting
skb->truesize - total bytes allocated by skb, including fragments
Specific socket accounting:
* sk->sk_wmem_queued - send bytes currently in TX queue
* RX queue accounting is done by using seq
* sk->sk_rmem_alloc - bytes consumed by RX
Protocol accounting:
* sk->sk_forward_alloc - bytes that are available to be consumed
* prot->memory_allocated - bytes consumed by TX/RX
Amir Vadai [Thu, 27 Jan 2011 08:42:56 +0000 (10:42 +0200)]
rdma_cm, sdp: bug fixes and some changes to APM logic
- We no longer rely on the private data buffer of the LAP/APR messages for passive side LID improvement.
Instead, we use the protocol defined LID improvement APR error code.
- Two paths are allocated on id creation to simplify code.
- Various small bug fixes.
- Added a missing ref_count get
- Some code cleanup.
- Important: rdma_enable_apm may be called only upon receiving RDMA_CM_ROUTE_RESOLVED event.
This was done to break symmetry on failover and possibly on other occasions.
Signed-off-by: Nir Muchtar <nirm@voltaire.com>
Signed-off-by: Moni Shoua <monis@voltaire.com>
Signed-off-by: Amir Vadai <amirv@mellanox.co.il>
Amir Vadai [Sun, 16 Jan 2011 16:32:38 +0000 (18:32 +0200)]
sdp: Abort rx SrcAvail when out of credits
SrcAvail sink side could run out of credits when having bcopy sends to the
other direction. Because of that no RdmaRdCompl could be sent nor SendSM. This
could hang the sender side forever (No SendSM on SrcAvailCancel).
Amir Vadai [Tue, 11 Jan 2011 13:16:51 +0000 (15:16 +0200)]
sdp: Fixed BUG2207 - EINVAL when connect after IPv6 bind
Connect to IPv4 over IPv6 address need rdma id to be created with IPv4 address.
If bound before with IPv6 address, need to destroy and recreate the id.
Also, when connecting after bind, keep the same source port number.
Amir Vadai [Tue, 14 Dec 2010 12:41:12 +0000 (14:41 +0200)]
sdp: remove 'reading beyond SKB' warning
This is a good sanity check, but could print a warning when a
partially used SrcAvail skb is cancelled.
This should be fixed in a way that will leave the sanity check,
but need to make minimal changes before the GA.
Amir Vadai [Tue, 14 Dec 2010 06:48:42 +0000 (08:48 +0200)]
sdp: RdmaRdCompl not sent sometimes
When SrcAvailCancel is handled after RDMA finished and before sending
RdmaRdCompl, RdmaRdCompl won't be sent, and a data corruption will occur.
Made sure that all sdp_abort_rx_srcavail will send RdmaRdCompl if needed.
Eldad Zinger [Wed, 20 Oct 2010 15:14:35 +0000 (17:14 +0200)]
sdp: fix for CMA reference count
When sdp_destroy_work() is invoked (due to the cma handler),
but "ssk->cma_timewait_timeout == 0", a socket reference was put even though
it was never taken. This can happen in 2 scenarios:
1. sdp_destroy_work() locked the socket before sdp_close()
2. sdp_destroy_work() locked the socket after sdp_cma_timewait_timeout_work()
Eldad Zinger [Tue, 19 Oct 2010 14:52:09 +0000 (16:52 +0200)]
sdp: fix for race condition with SrcAvailCancel handling
Tx completion resets "rdma_inflight->busy" and wakes up the recvmsg().
But rx_workqueue might get the lock of the socket before recvmsg(), so
SrcAvailCancel might be polled from the rx_cq, and since "busy = 0",
rx_sa will be freed (w/o freeing umem&fmr).
Amir Vadai [Sun, 10 Oct 2010 09:10:38 +0000 (11:10 +0200)]
sdp: Enable RoCE by default
Could lead to long delays when trying to establish connection to ethernet
peer, and libsdp is set to 'both'. Should be fixed by letting user set
both/sdp/tcp per interface and not only by subnet/port/process in libsdp.conf.
Eldad Zinger [Wed, 6 Oct 2010 09:52:10 +0000 (11:52 +0200)]
sdp: BUG2141 - fix refcnt bug
This bug is reproducible when sdpnetstat(1) is run while a socket is being
destructed. sdp_proc utilities might try to hold a refcnt for a socket whose
destruction already began. This is possible because sdp_proc utilities use
sock_list to scan for sockets, but a socket is removed from that list only
after all its resources are freed.