[patch 8/8] [patch 8/8] X86: UV - XPC receive message reuse triggers invalid BUG_ON().

From: Robin Holt
Date: Mon Nov 23 2009 - 20:41:06 EST

Next message: Robin Holt: "[patch 6/8] x86: UV - XPC NULL deref when mesq becomes empty."
Previous message: Robin Holt: "[patch 7/8] X86: UV - xpc_make_first_contact hang due to not accepting ACTIVE state."
In reply to: Robin Holt: "[patch 7/8] X86: UV - xpc_make_first_contact hang due to not accepting ACTIVE state."
Next in thread: Robin Holt: "[patch 6/8] x86: UV - XPC NULL deref when mesq becomes empty."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This was a difficult bug to trip. XPC was in the middle of sending an
acknowledgement for a received message.

In xpc_received_payload_uv():
.
ret = xpc_send_gru_msg(ch->sn.uv.cached_notify_gru_mq_desc, msg,
sizeof(struct xpc_notify_mq_msghdr_uv));
if (ret != xpSuccess)
XPC_DEACTIVATE_PARTITION(&xpc_partitions[ch->partid], ret);

msg->hdr.msg_slot_number += ch->remote_nentries;

at the point in xpc_send_gru_msg() where the hardware has dispatched the
acknowledgement, the remote side is able to reuse the message structure
and send a message with a different slot number. This problem is made
worse by interrupts.

The adjustment of msg_slot_number and the BUG_ON in
xpc_handle_notify_mq_msg_uv() which verifies the msg_slot_number is
consistent are only used for debug purposes. Since a fix for this that
preserves the debug functionality would either have to infringe upon
the payload or allocate another structure just for debug, I decided to
remove it entirely.

To: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>
Signed-off-by: Robin Holt <holt@xxxxxxx>
Cc: Jack Steiner <steiner@xxxxxxx>
Cc: linux-kernel@xxxxxxxxxxxxxxx
Cc: linux-mm@xxxxxxxxxxxxxxx

---

drivers/misc/sgi-xp/xpc_uv.c | 3 ---
1 file changed, 3 deletions(-)

Index: pv1000000/drivers/misc/sgi-xp/xpc_uv.c
===================================================================
--- pv1000000.orig/drivers/misc/sgi-xp/xpc_uv.c 2009-11-23 18:41:47.000000000 -0600
+++ pv1000000/drivers/misc/sgi-xp/xpc_uv.c 2009-11-23 18:41:52.000000000 -0600
@@ -1427,7 +1427,6 @@ xpc_handle_notify_mq_msg_uv(struct xpc_p
msg_slot = ch_uv->recv_msg_slots +
(msg->hdr.msg_slot_number % ch->remote_nentries) * ch->entry_size;

- BUG_ON(msg->hdr.msg_slot_number != msg_slot->hdr.msg_slot_number);
BUG_ON(msg_slot->hdr.size != 0);

memcpy(msg_slot, msg, msg->hdr.size);
@@ -1651,8 +1650,6 @@ xpc_received_payload_uv(struct xpc_chann
sizeof(struct xpc_notify_mq_msghdr_uv));
if (ret != xpSuccess)
XPC_DEACTIVATE_PARTITION(&xpc_partitions[ch->partid], ret);
-
- msg->hdr.msg_slot_number += ch->remote_nentries;
}

static struct xpc_arch_operations xpc_arch_ops_uv = {

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Robin Holt: "[patch 6/8] x86: UV - XPC NULL deref when mesq becomes empty."
Previous message: Robin Holt: "[patch 7/8] X86: UV - xpc_make_first_contact hang due to not accepting ACTIVE state."
In reply to: Robin Holt: "[patch 7/8] X86: UV - xpc_make_first_contact hang due to not accepting ACTIVE state."
Next in thread: Robin Holt: "[patch 6/8] x86: UV - XPC NULL deref when mesq becomes empty."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]