RDMA/iw_cxgb4: fix SRQ access from dump_qp()

author Potnuri Bharat Teja <bharat@chelsio.com>

Mon, 30 Sep 2019 07:41:19 +0000 (13:11 +0530)

committer Jason Gunthorpe <jgg@mellanox.com>

Tue, 1 Oct 2019 14:48:10 +0000 (11:48 -0300)
author Potnuri Bharat Teja <bharat@chelsio.com>
Mon, 30 Sep 2019 07:41:19 +0000 (13:11 +0530)
committer Jason Gunthorpe <jgg@mellanox.com>
Tue, 1 Oct 2019 14:48:10 +0000 (11:48 -0300)
diff --git a/drivers/infiniband/hw/cxgb4/device.c b/drivers/infiniband/hw/cxgb4/device.c

index a8b9548bd1a260e259d1c31ce5384b2a28820861..599340c1f0b82c61171db4211532461f6a790aa7 100644 (file)
--- a/drivers/infiniband/hw/cxgb4/device.c
+++ b/drivers/infiniband/hw/cxgb4/device.c
@@ -242,10 +242,13 @@ static void set_ep_sin6_addrs(struct c4iw_ep *ep,
         }
  }
  
-static int dump_qp(struct c4iw_qp *qp, struct c4iw_debugfs_data *qpd)
+static int dump_qp(unsigned long id, struct c4iw_qp *qp,
+                  struct c4iw_debugfs_data *qpd)
  {
         int space;
         int cc;
+       if (id != qp->wq.sq.qid)
+               return 0;
  
         space = qpd->bufsize - qpd->pos - 1;
         if (space == 0)
@@ -350,7 +353,7 @@ static int qp_open(struct inode *inode, struct file *file)
  
         xa_lock_irq(&qpd->devp->qps);
         xa_for_each(&qpd->devp->qps, index, qp)
-               dump_qp(qp, qpd);
+               dump_qp(index, qp, qpd);
         xa_unlock_irq(&qpd->devp->qps);
  
         qpd->buf[qpd->pos++] = 0;
diff --git a/drivers/infiniband/hw/cxgb4/qp.c b/drivers/infiniband/hw/cxgb4/qp.c

index eb9368be28c1df457f948b19ff4ef103c8dac12f..bbcac539777a2f62281963bf988465c6add06d58 100644 (file)
--- a/drivers/infiniband/hw/cxgb4/qp.c
+++ b/drivers/infiniband/hw/cxgb4/qp.c
@@ -2737,15 +2737,11 @@ int c4iw_create_srq(struct ib_srq *ib_srq, struct ib_srq_init_attr *attrs,
         if (CHELSIO_CHIP_VERSION(rhp->rdev.lldi.adapter_type) > CHELSIO_T6)
                 srq->flags = T4_SRQ_LIMIT_SUPPORT;
  
-       ret = xa_insert_irq(&rhp->qps, srq->wq.qid, srq, GFP_KERNEL);
-       if (ret)
-               goto err_free_queue;
-
         if (udata) {
                 srq_key_mm = kmalloc(sizeof(*srq_key_mm), GFP_KERNEL);
                 if (!srq_key_mm) {
                         ret = -ENOMEM;
-                       goto err_remove_handle;
+                       goto err_free_queue;
                 }
                 srq_db_key_mm = kmalloc(sizeof(*srq_db_key_mm), GFP_KERNEL);
                 if (!srq_db_key_mm) {
@@ -2789,8 +2785,6 @@ err_free_srq_db_key_mm:
         kfree(srq_db_key_mm);
  err_free_srq_key_mm:
         kfree(srq_key_mm);
-err_remove_handle:
-       xa_erase_irq(&rhp->qps, srq->wq.qid);
  err_free_queue:
         free_srq_queue(srq, ucontext ? &ucontext->uctx : &rhp->rdev.uctx,
                        srq->wr_waitp);
@@ -2813,8 +2807,6 @@ void c4iw_destroy_srq(struct ib_srq *ibsrq, struct ib_udata *udata)
         rhp = srq->rhp;
  
         pr_debug("%s id %d\n", __func__, srq->wq.qid);
-
-       xa_erase_irq(&rhp->qps, srq->wq.qid);
         ucontext = rdma_udata_to_drv_context(udata, struct c4iw_ucontext,
                                              ibucontext);
         free_srq_queue(srq, ucontext ? &ucontext->uctx : &rhp->rdev.uctx,
author	Potnuri Bharat Teja <bharat@chelsio.com>
	Mon, 30 Sep 2019 07:41:19 +0000 (13:11 +0530)
committer	Jason Gunthorpe <jgg@mellanox.com>
	Tue, 1 Oct 2019 14:48:10 +0000 (11:48 -0300)
drivers/infiniband/hw/cxgb4/device.c		patch \| blob \| history
drivers/infiniband/hw/cxgb4/qp.c		patch \| blob \| history