rds: ib: Fix cleanup of rds_ib_cache_gc_worker

Hakon-Bugge · vijay-suman · commit 6389c08dc865 · 2024-11-29T08:04:33.000-08:00
rds_ib_free_caches() calls cancel_delayed_work() in an attempt to clean up the rds_ib_cache_gc_worker(). But, rds_ib_cache_gc_worker() may still be running after cancel_delayed_work() is called. And since rds_ib_cache_gc_worker() re-queues itself, a disaster may happen: BUG: unable to handle page fault for address: 00007ffeaa9bf6cc [snip] Call Trace: <IRQ> run_timer_softirq+0x19/0x2d __do_softirq+0xd0/0x2a5 ? sched_clock_cpu+0x9/0xb6 __irq_exit_rcu+0xc7/0xf1 sysvec_apic_timer_interrupt+0x72/0x89 </IRQ> <TASK> asm_sysvec_apic_timer_interrupt+0x16/0x1b RIP: 0010:cpuidle_enter_state+0xc7/0x35d [snip] cpuidle_enter+0x29/0x40 cpuidle_idle_call+0x143/0x1de do_idle+0x81/0xd2 cpu_startup_entry+0x19/0x1b secondary_startup_64_no_verify+0xc2/0x0 </TASK> or general protection fault, probably for non-canonical address 0xffff11de4ab26c00: 0000 [#1] SMP PTI [snip] RIP: 0010:__queue_work+0xde/0x40a [snip] Call Trace: <IRQ> ? queue_work_node+0x110/0x105 call_timer_fn+0x27/0xff __run_timers+0x1bd/0x299 run_timer_softirq+0x19/0x2d __do_softirq+0xd0/0x2a5 ? sched_clock_cpu+0x9/0xb6 __irq_exit_rcu+0xc7/0xf1 sysvec_apic_timer_interrupt+0x72/0x89 </IRQ> <TASK> asm_sysvec_apic_timer_interrupt+0x16/0x1b RIP: 0010:cpuidle_enter_state+0xc7/0x35d [snip] ? cpuidle_enter_state+0xb7/0x35d cpuidle_enter+0x29/0x40 cpuidle_idle_call+0x143/0x1de do_idle+0x81/0xd2 cpu_startup_entry+0x19/0x1b secondary_startup_64_no_verify+0xc2/0x0 </TASK> or BUG: kernel NULL pointer dereference, address: 0000000000000000 [snip] RIP: 0010:_raw_spin_lock+0xc/0x51 [snip] Call Trace: <IRQ> __queue_work+0x13f/0x40a call_timer_fn+0x24/0xff __run_timers+0x1bd/0x299 run_timer_softirq+0x19/0x2d __do_softirq+0xcd/0x2a5 __irq_exit_rcu+0xc7/0xf1 sysvec_apic_timer_interrupt+0x72/0x89 </IRQ> <TASK> asm_sysvec_apic_timer_interrupt+0x16/0x1b RIP: 0010:cpuidle_enter_state+0xc7/0x35d [snip] cpuidle_enter+0x29/0x40 cpuidle_idle_call+0x143/0x1de do_idle+0x81/0xd2 cpu_startup_entry+0x19/0x1b secondary_startup_64_no_verify+0xc2/0x0 </TASK> Fixed by calling cancel_delayed_work_sync() instead. Orabug: 34806050 Fixes: 8450b32 ("RDS-IB: Add garbage-collection to cache") Signed-off-by: Håkon Bugge <haakon.bugge@oracle.com> Reviewed-by: Sharath Srinivasan <sharath.srinivasan@oracle.com>
diff --git a/net/rds/ib.c b/net/rds/ib.c
@@ -421,7 +421,7 @@ static void rds_ib_free_caches(struct rds_ib_device *rds_ibdev)
 {
 	int i;
 
-	cancel_delayed_work(&rds_ibdev->i_cache_gc_work);
+	cancel_delayed_work_sync(&rds_ibdev->i_cache_gc_work);
 	rds_ib_free_inc_cache(&rds_ibdev->i_cache_incs);
 	for (i = 0; i < RDS_FRAG_CACHE_ENTRIES; i++)
 		rds_ib_free_frag_cache(rds_ibdev->i_cache_frags + i, PAGE_SIZE << i);

Original file line number	Diff line number	Diff line change
`@@ -421,7 +421,7 @@ static void rds_ib_free_caches(struct rds_ib_device *rds_ibdev)`
`421`	`421`	`{`
`422`	`422`	`int i;`
`423`	`423`
`424`		`- cancel_delayed_work(&rds_ibdev->i_cache_gc_work);`
	`424`	`+ cancel_delayed_work_sync(&rds_ibdev->i_cache_gc_work);`
`425`	`425`	`rds_ib_free_inc_cache(&rds_ibdev->i_cache_incs);`
`426`	`426`	`for (i = 0; i < RDS_FRAG_CACHE_ENTRIES; i++)`
`427`	`427`	`rds_ib_free_frag_cache(rds_ibdev->i_cache_frags + i, PAGE_SIZE << i);`