IB/mlx5: Fix srq free in destroy qp
authorMoshe Lazer <moshel@mellanox.com>
Wed, 23 Oct 2013 06:53:17 +0000 (09:53 +0300)
committerRoland Dreier <roland@purestorage.com>
Fri, 8 Nov 2013 22:42:59 +0000 (14:42 -0800)
On destroy QP the driver walks over the relevant CQ and removes CQEs
reported for the destroyed QP.  It also frees the related SRQ entry
without checking that this is actually an SRQ-related CQE.  In case of
a CQ used for both send and receive QP, we could free SRQ entries for
send CQEs.  This patch resolves this issue by verifying that this is a
SRQ related CQE by checking the SRQ number in the CQE is not zero.

Signed-off-by: Moshe Lazer <moshel@mellanox.com>
Signed-off-by: Eli Cohen <eli@mellanox.com>
Signed-off-by: Roland Dreier <roland@purestorage.com>
drivers/infiniband/hw/mlx5/cq.c

index e7c64c5..8459186 100644 (file)
@@ -750,17 +750,9 @@ int mlx5_ib_destroy_cq(struct ib_cq *cq)
        return 0;
 }
 
-static int is_equal_rsn(struct mlx5_cqe64 *cqe64, struct mlx5_ib_srq *srq,
-                       u32 rsn)
+static int is_equal_rsn(struct mlx5_cqe64 *cqe64, u32 rsn)
 {
-       u32 lrsn;
-
-       if (srq)
-               lrsn = be32_to_cpu(cqe64->srqn) & 0xffffff;
-       else
-               lrsn = be32_to_cpu(cqe64->sop_drop_qpn) & 0xffffff;
-
-       return rsn == lrsn;
+       return rsn == (ntohl(cqe64->sop_drop_qpn) & 0xffffff);
 }
 
 void __mlx5_ib_cq_clean(struct mlx5_ib_cq *cq, u32 rsn, struct mlx5_ib_srq *srq)
@@ -790,8 +782,8 @@ void __mlx5_ib_cq_clean(struct mlx5_ib_cq *cq, u32 rsn, struct mlx5_ib_srq *srq)
        while ((int) --prod_index - (int) cq->mcq.cons_index >= 0) {
                cqe = get_cqe(cq, prod_index & cq->ibcq.cqe);
                cqe64 = (cq->mcq.cqe_sz == 64) ? cqe : cqe + 64;
-               if (is_equal_rsn(cqe64, srq, rsn)) {
-                       if (srq)
+               if (is_equal_rsn(cqe64, rsn)) {
+                       if (srq && (ntohl(cqe64->srqn) & 0xffffff))
                                mlx5_ib_free_srq_wqe(srq, be16_to_cpu(cqe64->wqe_counter));
                        ++nfreed;
                } else if (nfreed) {