c35fab9925
The last commit was found when I created a XRC SRQ in lock-free mode but failed to destroy it because of the refcnt check added in the previous commit. The failure was because the PAD was acquired through ibv_srq->pd in destroy_srq(), while ibv_srq->pd wasn't assigned when the SRQ was created by ibv_create_srq_ex(). So let's assign ibv_srq->pd in the common ibv_icmd_create_srq() , so that drivers can get the correct pd no matter which api the SRQ is created by. Signed-off-by: Xinghai Cen <cenxinghai@h-partners.com> (cherry picked from commit 3ac30fc125c7cff122f21ff8593294060c92429f)
70 lines
2.0 KiB
Diff
70 lines
2.0 KiB
Diff
From 59108bf3e452fa7701a3972c78d22352598891be Mon Sep 17 00:00:00 2001
|
|
From: Junxian Huang <huangjunxian6@hisilicon.com>
|
|
Date: Wed, 23 Apr 2025 16:55:16 +0800
|
|
Subject: [PATCH 61/62] libhns: Fix freeing pad without checking refcnt
|
|
|
|
mainline inclusion
|
|
from mainline-v56.0-65
|
|
commit 234d135276ea8ef83633113e224e0cd735ebeca8
|
|
category: bugfix
|
|
bugzilla: https://gitee.com/src-openeuler/rdma-core/issues/IC3X57
|
|
CVE: NA
|
|
|
|
Reference:
|
|
https://github.com/linux-rdma/rdma-core/pull/1599/commits/234d135276ea8ef836...
|
|
|
|
---------------------------------------------------------------------
|
|
|
|
Currently pad refcnt will be added when creating qp/cq/srq, but it is
|
|
not checked when freeing pad. Add a check to prevent freeing pad when
|
|
it is still used by any qp/cq/srq.
|
|
|
|
Fixes: 7b6b3dae328f ("libhns: Add support for thread domain and parent
|
|
domain")
|
|
Signed-off-by: Junxian Huang <huangjunxian6@hisilicon.com>
|
|
Signed-off-by: Xinghai Cen <cenxinghai@h-partners.com>
|
|
---
|
|
providers/hns/hns_roce_u_verbs.c | 12 +++++++-----
|
|
1 file changed, 7 insertions(+), 5 deletions(-)
|
|
|
|
diff --git a/providers/hns/hns_roce_u_verbs.c b/providers/hns/hns_roce_u_verbs.c
|
|
index 70f516a..edd8e3d 100644
|
|
--- a/providers/hns/hns_roce_u_verbs.c
|
|
+++ b/providers/hns/hns_roce_u_verbs.c
|
|
@@ -218,14 +218,18 @@ struct ibv_pd *hns_roce_u_alloc_pad(struct ibv_context *context,
|
|
return &pad->pd.ibv_pd;
|
|
}
|
|
|
|
-static void hns_roce_free_pad(struct hns_roce_pad *pad)
|
|
+static int hns_roce_free_pad(struct hns_roce_pad *pad)
|
|
{
|
|
+ if (atomic_load(&pad->pd.refcount) > 1)
|
|
+ return EBUSY;
|
|
+
|
|
atomic_fetch_sub(&pad->pd.protection_domain->refcount, 1);
|
|
|
|
if (pad->td)
|
|
atomic_fetch_sub(&pad->td->refcount, 1);
|
|
|
|
free(pad);
|
|
+ return 0;
|
|
}
|
|
|
|
static int hns_roce_free_pd(struct hns_roce_pd *pd)
|
|
@@ -248,10 +252,8 @@ int hns_roce_u_dealloc_pd(struct ibv_pd *ibv_pd)
|
|
struct hns_roce_pad *pad = to_hr_pad(ibv_pd);
|
|
struct hns_roce_pd *pd = to_hr_pd(ibv_pd);
|
|
|
|
- if (pad) {
|
|
- hns_roce_free_pad(pad);
|
|
- return 0;
|
|
- }
|
|
+ if (pad)
|
|
+ return hns_roce_free_pad(pad);
|
|
|
|
return hns_roce_free_pd(pd);
|
|
}
|
|
--
|
|
2.25.1
|
|
|