RDMA/bnxt_re: synchronize the qp-handle table array
authorSelvin Xavier <selvin.xavier@broadcom.com>
Mon, 14 Oct 2024 13:36:15 +0000 (06:36 -0700)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 8 Nov 2024 15:28:17 +0000 (16:28 +0100)
[ Upstream commit 76d3ddff7153cc0bcc14a63798d19f5d0693ea71 ]

There is a race between the CREQ tasklet and destroy qp when accessing the
qp-handle table. There is a chance of reading a valid qp-handle in the
CREQ tasklet handler while the QP is already moving ahead with the
destruction.

Fixing this race by implementing a table-lock to synchronize the access.

Fixes: f218d67ef004 ("RDMA/bnxt_re: Allow posting when QPs are in error")
Fixes: 84cf229f4001 ("RDMA/bnxt_re: Fix the qp table indexing")
Link: https://patch.msgid.link/r/1728912975-19346-3-git-send-email-selvin.xavier@broadcom.com
Signed-off-by: Kalesh AP <kalesh-anakkur.purayil@broadcom.com>
Signed-off-by: Selvin Xavier <selvin.xavier@broadcom.com>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
drivers/infiniband/hw/bnxt_re/qplib_fp.c
drivers/infiniband/hw/bnxt_re/qplib_rcfw.c
drivers/infiniband/hw/bnxt_re/qplib_rcfw.h

index 4ee11cb4f2bd38e6d3a6638b63075fa4ef369660..b624c255eee6fae5260e944d0f4af104b03e4867 100644 (file)
@@ -1513,9 +1513,11 @@ int bnxt_qplib_destroy_qp(struct bnxt_qplib_res *res,
        u32 tbl_indx;
        int rc;
 
+       spin_lock_bh(&rcfw->tbl_lock);
        tbl_indx = map_qp_id_to_tbl_indx(qp->id, rcfw);
        rcfw->qp_tbl[tbl_indx].qp_id = BNXT_QPLIB_QP_ID_INVALID;
        rcfw->qp_tbl[tbl_indx].qp_handle = NULL;
+       spin_unlock_bh(&rcfw->tbl_lock);
 
        bnxt_qplib_rcfw_cmd_prep((struct cmdq_base *)&req,
                                 CMDQ_BASE_OPCODE_DESTROY_QP,
@@ -1526,8 +1528,10 @@ int bnxt_qplib_destroy_qp(struct bnxt_qplib_res *res,
                                sizeof(resp), 0);
        rc = bnxt_qplib_rcfw_send_message(rcfw, &msg);
        if (rc) {
+               spin_lock_bh(&rcfw->tbl_lock);
                rcfw->qp_tbl[tbl_indx].qp_id = qp->id;
                rcfw->qp_tbl[tbl_indx].qp_handle = qp;
+               spin_unlock_bh(&rcfw->tbl_lock);
                return rc;
        }
 
index ca26b88a0a80fa9006de569b16edf7ae5c642118..e82bd37158ad6ce0e7866a13b7cda99c34f0e1c6 100644 (file)
@@ -634,17 +634,21 @@ static int bnxt_qplib_process_qp_event(struct bnxt_qplib_rcfw *rcfw,
        case CREQ_QP_EVENT_EVENT_QP_ERROR_NOTIFICATION:
                err_event = (struct creq_qp_error_notification *)qp_event;
                qp_id = le32_to_cpu(err_event->xid);
+               spin_lock(&rcfw->tbl_lock);
                tbl_indx = map_qp_id_to_tbl_indx(qp_id, rcfw);
                qp = rcfw->qp_tbl[tbl_indx].qp_handle;
+               if (!qp) {
+                       spin_unlock(&rcfw->tbl_lock);
+                       break;
+               }
+               bnxt_qplib_mark_qp_error(qp);
+               rc = rcfw->creq.aeq_handler(rcfw, qp_event, qp);
+               spin_unlock(&rcfw->tbl_lock);
                dev_dbg(&pdev->dev, "Received QP error notification\n");
                dev_dbg(&pdev->dev,
                        "qpid 0x%x, req_err=0x%x, resp_err=0x%x\n",
                        qp_id, err_event->req_err_state_reason,
                        err_event->res_err_state_reason);
-               if (!qp)
-                       break;
-               bnxt_qplib_mark_qp_error(qp);
-               rc = rcfw->creq.aeq_handler(rcfw, qp_event, qp);
                break;
        default:
                /*
@@ -973,6 +977,7 @@ int bnxt_qplib_alloc_rcfw_channel(struct bnxt_qplib_res *res,
                               GFP_KERNEL);
        if (!rcfw->qp_tbl)
                goto fail;
+       spin_lock_init(&rcfw->tbl_lock);
 
        rcfw->max_timeout = res->cctx->hwrm_cmd_max_timeout;
 
index 45996e60a0d03e39c72cefeeff645aca910c3989..07779aeb75759df4a28779a412e7e35395f03fdb 100644 (file)
@@ -224,6 +224,8 @@ struct bnxt_qplib_rcfw {
        struct bnxt_qplib_crsqe         *crsqe_tbl;
        int qp_tbl_size;
        struct bnxt_qplib_qp_node *qp_tbl;
+       /* To synchronize the qp-handle hash table */
+       spinlock_t                      tbl_lock;
        u64 oos_prev;
        u32 init_oos_stats;
        u32 cmdq_depth;