Commit 91724c1e authored by Potnuri Bharat Teja's avatar Potnuri Bharat Teja Committed by Jason Gunthorpe

RDMA/iw_cxgb4: fix SRQ access from dump_qp()

dump_qp() is wrongly trying to dump SRQ structures as QP when SRQ is used
by the application. This patch matches the QPID before dumping them.  Also
removes unwanted SRQ id addition to QP id xarray.

Fixes: 2f431291 ("cxgb4: Convert qpidr to XArray")
Link: https://lore.kernel.org/r/20190930074119.20046-1-bharat@chelsio.comSigned-off-by: default avatarRahul Kundu <rahul.kundu@chelsio.com>
Signed-off-by: default avatarPotnuri Bharat Teja <bharat@chelsio.com>
Signed-off-by: default avatarJason Gunthorpe <jgg@mellanox.com>
parent 34b3be18
...@@ -242,10 +242,13 @@ static void set_ep_sin6_addrs(struct c4iw_ep *ep, ...@@ -242,10 +242,13 @@ static void set_ep_sin6_addrs(struct c4iw_ep *ep,
} }
} }
static int dump_qp(struct c4iw_qp *qp, struct c4iw_debugfs_data *qpd) static int dump_qp(unsigned long id, struct c4iw_qp *qp,
struct c4iw_debugfs_data *qpd)
{ {
int space; int space;
int cc; int cc;
if (id != qp->wq.sq.qid)
return 0;
space = qpd->bufsize - qpd->pos - 1; space = qpd->bufsize - qpd->pos - 1;
if (space == 0) if (space == 0)
...@@ -350,7 +353,7 @@ static int qp_open(struct inode *inode, struct file *file) ...@@ -350,7 +353,7 @@ static int qp_open(struct inode *inode, struct file *file)
xa_lock_irq(&qpd->devp->qps); xa_lock_irq(&qpd->devp->qps);
xa_for_each(&qpd->devp->qps, index, qp) xa_for_each(&qpd->devp->qps, index, qp)
dump_qp(qp, qpd); dump_qp(index, qp, qpd);
xa_unlock_irq(&qpd->devp->qps); xa_unlock_irq(&qpd->devp->qps);
qpd->buf[qpd->pos++] = 0; qpd->buf[qpd->pos++] = 0;
......
...@@ -2737,15 +2737,11 @@ int c4iw_create_srq(struct ib_srq *ib_srq, struct ib_srq_init_attr *attrs, ...@@ -2737,15 +2737,11 @@ int c4iw_create_srq(struct ib_srq *ib_srq, struct ib_srq_init_attr *attrs,
if (CHELSIO_CHIP_VERSION(rhp->rdev.lldi.adapter_type) > CHELSIO_T6) if (CHELSIO_CHIP_VERSION(rhp->rdev.lldi.adapter_type) > CHELSIO_T6)
srq->flags = T4_SRQ_LIMIT_SUPPORT; srq->flags = T4_SRQ_LIMIT_SUPPORT;
ret = xa_insert_irq(&rhp->qps, srq->wq.qid, srq, GFP_KERNEL);
if (ret)
goto err_free_queue;
if (udata) { if (udata) {
srq_key_mm = kmalloc(sizeof(*srq_key_mm), GFP_KERNEL); srq_key_mm = kmalloc(sizeof(*srq_key_mm), GFP_KERNEL);
if (!srq_key_mm) { if (!srq_key_mm) {
ret = -ENOMEM; ret = -ENOMEM;
goto err_remove_handle; goto err_free_queue;
} }
srq_db_key_mm = kmalloc(sizeof(*srq_db_key_mm), GFP_KERNEL); srq_db_key_mm = kmalloc(sizeof(*srq_db_key_mm), GFP_KERNEL);
if (!srq_db_key_mm) { if (!srq_db_key_mm) {
...@@ -2789,8 +2785,6 @@ int c4iw_create_srq(struct ib_srq *ib_srq, struct ib_srq_init_attr *attrs, ...@@ -2789,8 +2785,6 @@ int c4iw_create_srq(struct ib_srq *ib_srq, struct ib_srq_init_attr *attrs,
kfree(srq_db_key_mm); kfree(srq_db_key_mm);
err_free_srq_key_mm: err_free_srq_key_mm:
kfree(srq_key_mm); kfree(srq_key_mm);
err_remove_handle:
xa_erase_irq(&rhp->qps, srq->wq.qid);
err_free_queue: err_free_queue:
free_srq_queue(srq, ucontext ? &ucontext->uctx : &rhp->rdev.uctx, free_srq_queue(srq, ucontext ? &ucontext->uctx : &rhp->rdev.uctx,
srq->wr_waitp); srq->wr_waitp);
...@@ -2813,8 +2807,6 @@ void c4iw_destroy_srq(struct ib_srq *ibsrq, struct ib_udata *udata) ...@@ -2813,8 +2807,6 @@ void c4iw_destroy_srq(struct ib_srq *ibsrq, struct ib_udata *udata)
rhp = srq->rhp; rhp = srq->rhp;
pr_debug("%s id %d\n", __func__, srq->wq.qid); pr_debug("%s id %d\n", __func__, srq->wq.qid);
xa_erase_irq(&rhp->qps, srq->wq.qid);
ucontext = rdma_udata_to_drv_context(udata, struct c4iw_ucontext, ucontext = rdma_udata_to_drv_context(udata, struct c4iw_ucontext,
ibucontext); ibucontext);
free_srq_queue(srq, ucontext ? &ucontext->uctx : &rhp->rdev.uctx, free_srq_queue(srq, ucontext ? &ucontext->uctx : &rhp->rdev.uctx,
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment