Skip to content

Commit

Permalink
RDMA/iw_cxgb4: fix SRQ access from dump_qp()
Browse files Browse the repository at this point in the history 
dump_qp() is wrongly trying to dump SRQ structures as QP when SRQ is used
by the application. This patch matches the QPID before dumping them.  Also
removes unwanted SRQ id addition to QP id xarray.

Fixes: 2f43129 ("cxgb4: Convert qpidr to XArray")
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Rahul Kundu <[email protected]>
Signed-off-by: Potnuri Bharat Teja <[email protected]>
Signed-off-by: Jason Gunthorpe <[email protected]>
  • Loading branch information
@bharatpotnuri @jgunthorpe
bharatpotnuri authored and jgunthorpe committed Oct 1, 2019
1 parent 34b3be1 commit 91724c1
Show file tree
Hide file tree
Showing 2 changed files with 6 additions and 11 deletions.
7 changes: 5 additions & 2 deletions drivers/infiniband/hw/cxgb4/device.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -242,10 +242,13 @@ static void set_ep_sin6_addrs(struct c4iw_ep *ep,
}
}

static int dump_qp(struct c4iw_qp *qp, struct c4iw_debugfs_data *qpd)
static int dump_qp(unsigned long id, struct c4iw_qp *qp,
struct c4iw_debugfs_data *qpd)
{
int space;
int cc;
if (id != qp->wq.sq.qid)
return 0;

space = qpd->bufsize - qpd->pos - 1;
if (space == 0)
Expand Down Expand Up @@ -350,7 +353,7 @@ static int qp_open(struct inode *inode, struct file *file)

xa_lock_irq(&qpd->devp->qps);
xa_for_each(&qpd->devp->qps, index, qp)
dump_qp(qp, qpd);
dump_qp(index, qp, qpd);
xa_unlock_irq(&qpd->devp->qps);

qpd->buf[qpd->pos++] = 0;
Expand Down
10 changes: 1 addition & 9 deletions drivers/infiniband/hw/cxgb4/qp.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -2737,15 +2737,11 @@ int c4iw_create_srq(struct ib_srq *ib_srq, struct ib_srq_init_attr *attrs,
if (CHELSIO_CHIP_VERSION(rhp->rdev.lldi.adapter_type) > CHELSIO_T6)
srq->flags = T4_SRQ_LIMIT_SUPPORT;

ret = xa_insert_irq(&rhp->qps, srq->wq.qid, srq, GFP_KERNEL);
if (ret)
goto err_free_queue;

if (udata) {
srq_key_mm = kmalloc(sizeof(*srq_key_mm), GFP_KERNEL);
if (!srq_key_mm) {
ret = -ENOMEM;
goto err_remove_handle;
goto err_free_queue;
}
srq_db_key_mm = kmalloc(sizeof(*srq_db_key_mm), GFP_KERNEL);
if (!srq_db_key_mm) {
Expand Down Expand Up @@ -2789,8 +2785,6 @@ int c4iw_create_srq(struct ib_srq *ib_srq, struct ib_srq_init_attr *attrs,
kfree(srq_db_key_mm);
err_free_srq_key_mm:
kfree(srq_key_mm);
err_remove_handle:
xa_erase_irq(&rhp->qps, srq->wq.qid);
err_free_queue:
free_srq_queue(srq, ucontext ? &ucontext->uctx : &rhp->rdev.uctx,
srq->wr_waitp);
Expand All @@ -2813,8 +2807,6 @@ void c4iw_destroy_srq(struct ib_srq *ibsrq, struct ib_udata *udata)
rhp = srq->rhp;

pr_debug("%s id %d\n", __func__, srq->wq.qid);

xa_erase_irq(&rhp->qps, srq->wq.qid);
ucontext = rdma_udata_to_drv_context(udata, struct c4iw_ucontext,
ibucontext);
free_srq_queue(srq, ucontext ? &ucontext->uctx : &rhp->rdev.uctx,
Expand Down

0 comments on commit 91724c1

Please sign in to comment.