Commit 2e0f89f1 authored by Wengang Wang's avatar Wengang Wang Committed by Kamal Mostafa

rds: rds_ib_device.refcount overflow

commit 4fabb594 upstream.

Fixes: 3e0249f9 ("RDS/IB: add refcount tracking to struct rds_ib_device")

There lacks a dropping on rds_ib_device.refcount in case rds_ib_alloc_fmr
failed(mr pool running out). this lead to the refcount overflow.

A complain in line 117(see following) is seen. From vmcore:
s_ib_rdma_mr_pool_depleted is 2147485544 and rds_ibdev->refcount is -2147475448.
That is the evidence the mr pool is used up. so rds_ib_alloc_fmr is very likely
to return ERR_PTR(-EAGAIN).

115 void rds_ib_dev_put(struct rds_ib_device *rds_ibdev)
116 {
117         BUG_ON(atomic_read(&rds_ibdev->refcount) <= 0);
118         if (atomic_dec_and_test(&rds_ibdev->refcount))
119                 queue_work(rds_wq, &rds_ibdev->free_work);
120 }

fix is to drop refcount when rds_ib_alloc_fmr failed.
Signed-off-by: default avatarWengang Wang <wen.gang.wang@oracle.com>
Reviewed-by: default avatarHaggai Eran <haggaie@mellanox.com>
Signed-off-by: default avatarDoug Ledford <dledford@redhat.com>
Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
parent 95063599
...@@ -759,8 +759,10 @@ void *rds_ib_get_mr(struct scatterlist *sg, unsigned long nents, ...@@ -759,8 +759,10 @@ void *rds_ib_get_mr(struct scatterlist *sg, unsigned long nents,
} }
ibmr = rds_ib_alloc_fmr(rds_ibdev); ibmr = rds_ib_alloc_fmr(rds_ibdev);
if (IS_ERR(ibmr)) if (IS_ERR(ibmr)) {
rds_ib_dev_put(rds_ibdev);
return ibmr; return ibmr;
}
ret = rds_ib_map_fmr(rds_ibdev, ibmr, sg, nents); ret = rds_ib_map_fmr(rds_ibdev, ibmr, sg, nents);
if (ret == 0) if (ret == 0)
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment