On Wed, Jul 20, 2022 at 5:50 AM lizhijian@xxxxxxxxxxx <lizhijian@xxxxxxxxxxx> wrote: > > Below 2 commits will be reverted: > 8ff5f5d9d8cf ("RDMA/rxe: Prevent double freeing rxe_map_set()") > 647bf13ce944 ("RDMA/rxe: Create duplicate mapping tables for FMRs") > > The community has a few bug reports which pointed this commit at last. > Some proposals are raised up in the meantime but all of them have no > follow-up operation. > > The previous commit led the map_set of FMR to be not avaliable any more if > the MR is registered again after invalidating. Although the mentioned > patch try to fix a potential race in building/accessing the same table > for fast memory regions, it broke rnbd etc ULPs. Since the latter could > be worse, revert this patch. > > With previous commit, it's observed that a same MR in rnbd server will > trigger below code path: > -> rxe_mr_init_fast() > |-> alloc map_set() # map_set is uninitialized > |...-> rxe_map_mr_sg() # build the map_set > |-> rxe_mr_set_page() > |...-> rxe_reg_fast_mr() # mr->state change to VALID from FREE that means > # we can access host memory(such rxe_mr_copy) > |...-> rxe_invalidate_mr() # mr->state change to FREE from VALID > |...-> rxe_reg_fast_mr() # mr->state change to VALID from FREE, > # but map_set was not built again > |...-> rxe_mr_copy() # kernel crash due to access wild addresses > # that lookup from the map_set > > The backtraces are not always identical. > [1st]---------- > [ 80.158930] CPU: 0 PID: 11 Comm: ksoftirqd/0 Not tainted 5.18.0-rc1-roce-flush+ #60 [0/9090] > [ 80.160736] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-27-g64f37cc530f1-prebuilt.qemu.org 04/01/2014 > [ 80.163579] RIP: 0010:lookup_iova+0x66/0xa0 [rdma_rxe] > [ 80.164825] Code: 00 00 00 48 d3 ee 89 32 c3 4c 8b 18 49 8b 3b 48 8b 47 08 48 39 c6 72 38 48 29 c6 45 31 d2 b8 01 00 00 00 48 63 c8 48 c1 e1 04 <48> 8b 4c 0f 08 48 39 f1 77 21 83 c0 01 48 29 ce 3d 00 01 00 00 75 > [ 80.168935] RSP: 0018:ffffb7ff80063bf0 EFLAGS: 00010246 > [ 80.170333] RAX: 0000000000000000 RBX: ffff9b9949d86800 RCX: 0000000000000000 > [ 80.171976] RDX: ffffb7ff80063c00 RSI: 0000000049f6b378 RDI: 002818da00000004 > [ 80.173606] RBP: 0000000000000120 R08: ffffb7ff80063c08 R09: ffffb7ff80063c04 > [ 80.176933] R10: 0000000000000002 R11: ffff9b9916f7eef8 R12: ffff9b99488a0038 > [ 80.178526] R13: ffff9b99488a0038 R14: ffff9b9914fb346a R15: ffff9b990ab27000 > [ 80.180378] FS: 0000000000000000(0000) GS:ffff9b997dc00000(0000) knlGS:0000000000000000 > [ 80.182257] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 > [ 80.183577] CR2: 00007efc33a98ed0 CR3: 0000000014f32004 CR4: 00000000001706f0 > [ 80.185210] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 > [ 80.186890] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 > [ 80.188517] Call Trace: > [ 80.189269] <TASK> > [ 80.189949] rxe_mr_copy.part.0+0x6f/0x140 [rdma_rxe] > [ 80.191173] rxe_responder+0x12ee/0x1b60 [rdma_rxe] > [ 80.192409] ? rxe_icrc_check+0x7e/0x100 [rdma_rxe] > [ 80.193576] ? rxe_rcv+0x1d0/0x780 [rdma_rxe] > [ 80.194668] ? rxe_icrc_hdr.isra.0+0xf6/0x160 [rdma_rxe] > [ 80.195952] rxe_do_task+0x67/0xb0 [rdma_rxe] > [ 80.197081] rxe_xmit_packet+0xc7/0x210 [rdma_rxe] > [ 80.198253] rxe_requester+0x680/0xee0 [rdma_rxe] > [ 80.199439] ? update_load_avg+0x5f/0x690 > [ 80.200530] ? update_load_avg+0x5f/0x690 > [ 80.213968] ? rtrs_clt_recv_done+0x1b/0x30 [rtrs_client] > > [2nd]---------- > [ 5213.049494] RIP: 0010:rxe_mr_copy.part.0+0xa8/0x140 [rdma_rxe] > [ 5213.050978] Code: 00 00 49 c1 e7 04 48 8b 00 4c 8d 2c d0 48 8b 44 24 10 4d 03 7d 00 85 ed 7f 10 eb 6c 89 54 24 0c 49 83 c7 10 31 c0 85 ed 7e 5e <49> 8b 3f 8b 14 24 4c 89 f6 48 01 c7 85 d2 74 06 48 89 fe 4c 89 f7 > [ 5213.056463] RSP: 0018:ffffae3580063bf8 EFLAGS: 00010202 > [ 5213.057986] RAX: 0000000000018978 RBX: ffff9d7ef7a03600 RCX: 0000000000000008 > [ 5213.059797] RDX: 000000000000007c RSI: 000000000000007c RDI: ffff9d7ef7a03600 > [ 5213.061720] RBP: 0000000000000120 R08: ffffae3580063c08 R09: ffffae3580063c04 > [ 5213.063532] R10: ffff9d7efece0038 R11: ffff9d7ec4b1db00 R12: ffff9d7efece0038 > [ 5213.065445] R13: ffff9d7ef4098260 R14: ffff9d7f11e23c6a R15: 4c79500065708144 > [ 5213.067264] FS: 0000000000000000(0000) GS:ffff9d7f3dc00000(0000) knlGS:0000000000000000 > [ 5213.069442] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 > [ 5213.071004] CR2: 00007fce47276c60 CR3: 0000000003f66004 CR4: 00000000001706f0 > [ 5213.072827] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 > [ 5213.074484] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 > [ 5213.076292] Call Trace: > [ 5213.077027] <TASK> > [ 5213.077718] rxe_responder+0x12ee/0x1b60 [rdma_rxe] > [ 5213.079019] ? rxe_icrc_check+0x7e/0x100 [rdma_rxe] > [ 5213.080380] ? rxe_rcv+0x1d0/0x780 [rdma_rxe] > [ 5213.081708] ? rxe_icrc_hdr.isra.0+0xf6/0x160 [rdma_rxe] > [ 5213.082990] rxe_do_task+0x67/0xb0 [rdma_rxe] > [ 5213.084030] rxe_xmit_packet+0xc7/0x210 [rdma_rxe] > [ 5213.085156] rxe_requester+0x680/0xee0 [rdma_rxe] > [ 5213.088258] ? update_load_avg+0x5f/0x690 > [ 5213.089381] ? update_load_avg+0x5f/0x690 > [ 5213.090446] ? rtrs_clt_recv_done+0x1b/0x30 [rtrs_client] > [ 5213.092087] rxe_do_task+0x67/0xb0 [rdma_rxe] > [ 5213.093125] tasklet_action_common.constprop.0+0x92/0xc0 > [ 5213.094366] __do_softirq+0xe1/0x2d8 > [ 5213.095287] run_ksoftirqd+0x21/0x30 > [ 5213.096456] smpboot_thread_fn+0x183/0x220 > [ 5213.097519] ? sort_range+0x20/0x20 > [ 5213.098761] kthread+0xe2/0x110 > [ 5213.099638] ? kthread_complete_and_exit+0x20/0x20 > [ 5213.100948] ret_from_fork+0x22/0x30 > > Link: https://lore.kernel.org/all/20220210073655.42281-1-guoqing.jiang@xxxxxxxxx/T/ > Link: https://www.spinics.net/lists/linux-rdma/msg110836.html > Link: https://lore.kernel.org/lkml/94a5ea93-b8bb-3a01-9497-e2021f29598a@xxxxxxxxx/t/ > > CC: Bob Pearson <rpearsonhpe@xxxxxxxxx> > CC: Haris Iqbal <haris.iqbal@xxxxxxxxx> > CC: Guoqing Jiang <guoqing.jiang@xxxxxxxxx> > Signed-off-by: Li Zhijian <lizhijian@xxxxxxxxxxx> > --- > drivers/infiniband/sw/rxe/rxe_loc.h | 1 - > drivers/infiniband/sw/rxe/rxe_mr.c | 199 +++++++++----------------- > drivers/infiniband/sw/rxe/rxe_mw.c | 6 +- > drivers/infiniband/sw/rxe/rxe_verbs.c | 39 +++-- > drivers/infiniband/sw/rxe/rxe_verbs.h | 21 ++- > 5 files changed, 104 insertions(+), 162 deletions(-) > > diff --git a/drivers/infiniband/sw/rxe/rxe_loc.h b/drivers/infiniband/sw/rxe/rxe_loc.h > index 0e022ae1b8a5..e9437b53a269 100644 > --- a/drivers/infiniband/sw/rxe/rxe_loc.h > +++ b/drivers/infiniband/sw/rxe/rxe_loc.h > @@ -79,7 +79,6 @@ int mr_check_range(struct rxe_mr *mr, u64 iova, size_t length); > int advance_dma_data(struct rxe_dma_info *dma, unsigned int length); > int rxe_invalidate_mr(struct rxe_qp *qp, u32 rkey); > int rxe_reg_fast_mr(struct rxe_qp *qp, struct rxe_send_wqe *wqe); > -int rxe_mr_set_page(struct ib_mr *ibmr, u64 addr); > int rxe_dereg_mr(struct ib_mr *ibmr, struct ib_udata *udata); > void rxe_mr_cleanup(struct rxe_pool_elem *elem); > > diff --git a/drivers/infiniband/sw/rxe/rxe_mr.c b/drivers/infiniband/sw/rxe/rxe_mr.c > index 9a5c2af6a56f..4f19e4133d84 100644 > --- a/drivers/infiniband/sw/rxe/rxe_mr.c > +++ b/drivers/infiniband/sw/rxe/rxe_mr.c > @@ -24,7 +24,7 @@ u8 rxe_get_next_key(u32 last_key) > > int mr_check_range(struct rxe_mr *mr, u64 iova, size_t length) > { > - struct rxe_map_set *set = mr->cur_map_set; > + > > switch (mr->type) { > case IB_MR_TYPE_DMA: > @@ -32,8 +32,8 @@ int mr_check_range(struct rxe_mr *mr, u64 iova, size_t length) > > case IB_MR_TYPE_USER: > case IB_MR_TYPE_MEM_REG: > - if (iova < set->iova || length > set->length || > - iova > set->iova + set->length - length) > + if (iova < mr->iova || length > mr->length || > + iova > mr->iova + mr->length - length) > return -EFAULT; > return 0; > > @@ -65,89 +65,41 @@ static void rxe_mr_init(int access, struct rxe_mr *mr) > mr->map_shift = ilog2(RXE_BUF_PER_MAP); > } > > -static void rxe_mr_free_map_set(int num_map, struct rxe_map_set *set) > -{ > - int i; > - > - for (i = 0; i < num_map; i++) > - kfree(set->map[i]); > - > - kfree(set->map); > - kfree(set); > -} > - > -static int rxe_mr_alloc_map_set(int num_map, struct rxe_map_set **setp) > +static int rxe_mr_alloc(struct rxe_mr *mr, int num_buf) > { > int i; > - struct rxe_map_set *set; > + int num_map; > + struct rxe_map **map = mr->map; > > - set = kmalloc(sizeof(*set), GFP_KERNEL); > - if (!set) > - goto err_out; > + num_map = (num_buf + RXE_BUF_PER_MAP - 1) / RXE_BUF_PER_MAP; > > - set->map = kmalloc_array(num_map, sizeof(struct rxe_map *), GFP_KERNEL); > - if (!set->map) > - goto err_free_set; > + mr->map = kmalloc_array(num_map, sizeof(*map), GFP_KERNEL); > + if (!mr->map) > + goto err1; > > for (i = 0; i < num_map; i++) { > - set->map[i] = kmalloc(sizeof(struct rxe_map), GFP_KERNEL); > - if (!set->map[i]) > - goto err_free_map; > + mr->map[i] = kmalloc(sizeof(**map), GFP_KERNEL); > + if (!mr->map[i]) > + goto err2; > } > > - *setp = set; > - > - return 0; > - > -err_free_map: > - for (i--; i >= 0; i--) > - kfree(set->map[i]); > - > - kfree(set->map); > -err_free_set: > - kfree(set); > -err_out: > - return -ENOMEM; > -} > - > -/** > - * rxe_mr_alloc() - Allocate memory map array(s) for MR > - * @mr: Memory region > - * @num_buf: Number of buffer descriptors to support > - * @both: If non zero allocate both mr->map and mr->next_map > - * else just allocate mr->map. Used for fast MRs > - * > - * Return: 0 on success else an error > - */ > -static int rxe_mr_alloc(struct rxe_mr *mr, int num_buf, int both) > -{ > - int ret; > - int num_map; > - > BUILD_BUG_ON(!is_power_of_2(RXE_BUF_PER_MAP)); > - num_map = (num_buf + RXE_BUF_PER_MAP - 1) / RXE_BUF_PER_MAP; > > mr->map_shift = ilog2(RXE_BUF_PER_MAP); > mr->map_mask = RXE_BUF_PER_MAP - 1; > + > mr->num_buf = num_buf; > - mr->max_buf = num_map * RXE_BUF_PER_MAP; > mr->num_map = num_map; > - > - ret = rxe_mr_alloc_map_set(num_map, &mr->cur_map_set); > - if (ret) > - return -ENOMEM; > - > - if (both) { > - ret = rxe_mr_alloc_map_set(num_map, &mr->next_map_set); > - if (ret) > - goto err_free; > - } > + mr->max_buf = num_map * RXE_BUF_PER_MAP; > > return 0; > > -err_free: > - rxe_mr_free_map_set(mr->num_map, mr->cur_map_set); > - mr->cur_map_set = NULL; > +err2: > + for (i--; i >= 0; i--) > + kfree(mr->map[i]); > + > + kfree(mr->map); > +err1: > return -ENOMEM; > } > > @@ -164,7 +116,6 @@ void rxe_mr_init_dma(struct rxe_pd *pd, int access, struct rxe_mr *mr) > int rxe_mr_init_user(struct rxe_pd *pd, u64 start, u64 length, u64 iova, > int access, struct rxe_mr *mr) > { > - struct rxe_map_set *set; > struct rxe_map **map; > struct rxe_phys_buf *buf = NULL; > struct ib_umem *umem; > @@ -172,6 +123,7 @@ int rxe_mr_init_user(struct rxe_pd *pd, u64 start, u64 length, u64 iova, > int num_buf; > void *vaddr; > int err; > + int i; > > umem = ib_umem_get(pd->ibpd.device, start, length, access); > if (IS_ERR(umem)) { > @@ -185,20 +137,18 @@ int rxe_mr_init_user(struct rxe_pd *pd, u64 start, u64 length, u64 iova, > > rxe_mr_init(access, mr); > > - err = rxe_mr_alloc(mr, num_buf, 0); > + err = rxe_mr_alloc(mr, num_buf); > if (err) { > pr_warn("%s: Unable to allocate memory for map\n", > __func__); > goto err_release_umem; > } > > - set = mr->cur_map_set; > - set->page_shift = PAGE_SHIFT; > - set->page_mask = PAGE_SIZE - 1; > - > - num_buf = 0; > - map = set->map; > + mr->page_shift = PAGE_SHIFT; > + mr->page_mask = PAGE_SIZE - 1; > > + num_buf = 0; > + map = mr->map; > if (length > 0) { > buf = map[0]->buf; > > @@ -214,29 +164,33 @@ int rxe_mr_init_user(struct rxe_pd *pd, u64 start, u64 length, u64 iova, > pr_warn("%s: Unable to get virtual address\n", > __func__); > err = -ENOMEM; > - goto err_release_umem; > + goto err_cleanup_map; > } > > buf->addr = (uintptr_t)vaddr; > buf->size = PAGE_SIZE; > num_buf++; > buf++; > + > } > } > > mr->ibmr.pd = &pd->ibpd; > mr->umem = umem; > mr->access = access; > + mr->length = length; > + mr->iova = iova; > + mr->va = start; > + mr->offset = ib_umem_offset(umem); > mr->state = RXE_MR_STATE_VALID; > mr->type = IB_MR_TYPE_USER; > > - set->length = length; > - set->iova = iova; > - set->va = start; > - set->offset = ib_umem_offset(umem); > - > return 0; > > +err_cleanup_map: > + for (i = 0; i < mr->num_map; i++) > + kfree(mr->map[i]); > + kfree(mr->map); > err_release_umem: > ib_umem_release(umem); > err_out: > @@ -250,7 +204,7 @@ int rxe_mr_init_fast(struct rxe_pd *pd, int max_pages, struct rxe_mr *mr) > /* always allow remote access for FMRs */ > rxe_mr_init(IB_ACCESS_REMOTE, mr); > > - err = rxe_mr_alloc(mr, max_pages, 1); > + err = rxe_mr_alloc(mr, max_pages); > if (err) > goto err1; > > @@ -268,24 +222,21 @@ int rxe_mr_init_fast(struct rxe_pd *pd, int max_pages, struct rxe_mr *mr) > static void lookup_iova(struct rxe_mr *mr, u64 iova, int *m_out, int *n_out, > size_t *offset_out) > { > - struct rxe_map_set *set = mr->cur_map_set; > - size_t offset = iova - set->iova + set->offset; > + size_t offset = iova - mr->iova + mr->offset; > int map_index; > int buf_index; > u64 length; > - struct rxe_map *map; > > - if (likely(set->page_shift)) { > - *offset_out = offset & set->page_mask; > - offset >>= set->page_shift; > + if (likely(mr->page_shift)) { > + *offset_out = offset & mr->page_mask; > + offset >>= mr->page_shift; > *n_out = offset & mr->map_mask; > *m_out = offset >> mr->map_shift; > } else { > map_index = 0; > buf_index = 0; > > - map = set->map[map_index]; > - length = map->buf[buf_index].size; > + length = mr->map[map_index]->buf[buf_index].size; > > while (offset >= length) { > offset -= length; > @@ -295,8 +246,7 @@ static void lookup_iova(struct rxe_mr *mr, u64 iova, int *m_out, int *n_out, > map_index++; > buf_index = 0; > } > - map = set->map[map_index]; > - length = map->buf[buf_index].size; > + length = mr->map[map_index]->buf[buf_index].size; > } > > *m_out = map_index; > @@ -317,7 +267,7 @@ void *iova_to_vaddr(struct rxe_mr *mr, u64 iova, int length) > goto out; > } > > - if (!mr->cur_map_set) { > + if (!mr->map) { > addr = (void *)(uintptr_t)iova; > goto out; > } > @@ -330,13 +280,13 @@ void *iova_to_vaddr(struct rxe_mr *mr, u64 iova, int length) > > lookup_iova(mr, iova, &m, &n, &offset); > > - if (offset + length > mr->cur_map_set->map[m]->buf[n].size) { > + if (offset + length > mr->map[m]->buf[n].size) { > pr_warn("crosses page boundary\n"); > addr = NULL; > goto out; > } > > - addr = (void *)(uintptr_t)mr->cur_map_set->map[m]->buf[n].addr + offset; > + addr = (void *)(uintptr_t)mr->map[m]->buf[n].addr + offset; > > out: > return addr; > @@ -372,7 +322,7 @@ int rxe_mr_copy(struct rxe_mr *mr, u64 iova, void *addr, int length, > return 0; > } > > - WARN_ON_ONCE(!mr->cur_map_set); > + WARN_ON_ONCE(!mr->map); > > err = mr_check_range(mr, iova, length); > if (err) { > @@ -382,7 +332,7 @@ int rxe_mr_copy(struct rxe_mr *mr, u64 iova, void *addr, int length, > > lookup_iova(mr, iova, &m, &i, &offset); > > - map = mr->cur_map_set->map + m; > + map = mr->map + m; > buf = map[0]->buf + i; > > while (length > 0) { > @@ -628,9 +578,8 @@ int rxe_invalidate_mr(struct rxe_qp *qp, u32 rkey) > int rxe_reg_fast_mr(struct rxe_qp *qp, struct rxe_send_wqe *wqe) > { > struct rxe_mr *mr = to_rmr(wqe->wr.wr.reg.mr); > - u32 key = wqe->wr.wr.reg.key & 0xff; > + u32 key = wqe->wr.wr.reg.key; > u32 access = wqe->wr.wr.reg.access; > - struct rxe_map_set *set; > > /* user can only register MR in free state */ > if (unlikely(mr->state != RXE_MR_STATE_FREE)) { > @@ -646,36 +595,19 @@ int rxe_reg_fast_mr(struct rxe_qp *qp, struct rxe_send_wqe *wqe) > return -EINVAL; > } > > + /* user is only allowed to change key portion of l/rkey */ > + if (unlikely((mr->lkey & ~0xff) != (key & ~0xff))) { > + pr_warn("%s: key = 0x%x has wrong index mr->lkey = 0x%x\n", > + __func__, key, mr->lkey); > + return -EINVAL; > + } > + > mr->access = access; > - mr->lkey = (mr->lkey & ~0xff) | key; > - mr->rkey = (access & IB_ACCESS_REMOTE) ? mr->lkey : 0; > + mr->lkey = key; > + mr->rkey = (access & IB_ACCESS_REMOTE) ? key : 0; > + mr->iova = wqe->wr.wr.reg.mr->iova; > mr->state = RXE_MR_STATE_VALID; > > - set = mr->cur_map_set; > - mr->cur_map_set = mr->next_map_set; > - mr->cur_map_set->iova = wqe->wr.wr.reg.mr->iova; > - mr->next_map_set = set; > - > - return 0; > -} > - > -int rxe_mr_set_page(struct ib_mr *ibmr, u64 addr) > -{ > - struct rxe_mr *mr = to_rmr(ibmr); > - struct rxe_map_set *set = mr->next_map_set; > - struct rxe_map *map; > - struct rxe_phys_buf *buf; > - > - if (unlikely(set->nbuf == mr->num_buf)) > - return -ENOMEM; > - > - map = set->map[set->nbuf / RXE_BUF_PER_MAP]; > - buf = &map->buf[set->nbuf % RXE_BUF_PER_MAP]; > - > - buf->addr = addr; > - buf->size = ibmr->page_size; > - set->nbuf++; > - > return 0; > } > > @@ -695,14 +627,15 @@ int rxe_dereg_mr(struct ib_mr *ibmr, struct ib_udata *udata) > void rxe_mr_cleanup(struct rxe_pool_elem *elem) > { > struct rxe_mr *mr = container_of(elem, typeof(*mr), elem); > + int i; > > rxe_put(mr_pd(mr)); > - > ib_umem_release(mr->umem); > > - if (mr->cur_map_set) > - rxe_mr_free_map_set(mr->num_map, mr->cur_map_set); > + if (mr->map) { > + for (i = 0; i < mr->num_map; i++) > + kfree(mr->map[i]); > > - if (mr->next_map_set) > - rxe_mr_free_map_set(mr->num_map, mr->next_map_set); > + kfree(mr->map); > + } > } > diff --git a/drivers/infiniband/sw/rxe/rxe_mw.c b/drivers/infiniband/sw/rxe/rxe_mw.c > index bb6a1edaaee8..7c8ff3232234 100644 > --- a/drivers/infiniband/sw/rxe/rxe_mw.c > +++ b/drivers/infiniband/sw/rxe/rxe_mw.c > @@ -121,15 +121,15 @@ static int rxe_check_bind_mw(struct rxe_qp *qp, struct rxe_send_wqe *wqe, > > /* C10-75 */ > if (mw->access & IB_ZERO_BASED) { > - if (unlikely(wqe->wr.wr.mw.length > mr->cur_map_set->length)) { > + if (unlikely(wqe->wr.wr.mw.length > mr->length)) { > pr_err_once( > "attempt to bind a ZB MW outside of the MR\n"); > return -EINVAL; > } > } else { > - if (unlikely((wqe->wr.wr.mw.addr < mr->cur_map_set->iova) || > + if (unlikely((wqe->wr.wr.mw.addr < mr->iova) || > ((wqe->wr.wr.mw.addr + wqe->wr.wr.mw.length) > > - (mr->cur_map_set->iova + mr->cur_map_set->length)))) { > + (mr->iova + mr->length)))) { > pr_err_once( > "attempt to bind a VA MW outside of the MR\n"); > return -EINVAL; > diff --git a/drivers/infiniband/sw/rxe/rxe_verbs.c b/drivers/infiniband/sw/rxe/rxe_verbs.c > index 151c6280abd5..e264cf69bf55 100644 > --- a/drivers/infiniband/sw/rxe/rxe_verbs.c > +++ b/drivers/infiniband/sw/rxe/rxe_verbs.c > @@ -978,26 +978,41 @@ static struct ib_mr *rxe_alloc_mr(struct ib_pd *ibpd, enum ib_mr_type mr_type, > return ERR_PTR(err); > } > > -/* build next_map_set from scatterlist > - * The IB_WR_REG_MR WR will swap map_sets > - */ > +static int rxe_set_page(struct ib_mr *ibmr, u64 addr) > +{ > + struct rxe_mr *mr = to_rmr(ibmr); > + struct rxe_map *map; > + struct rxe_phys_buf *buf; > + > + if (unlikely(mr->nbuf == mr->num_buf)) > + return -ENOMEM; > + > + map = mr->map[mr->nbuf / RXE_BUF_PER_MAP]; > + buf = &map->buf[mr->nbuf % RXE_BUF_PER_MAP]; > + > + buf->addr = addr; > + buf->size = ibmr->page_size; > + mr->nbuf++; > + > + return 0; > +} > + > static int rxe_map_mr_sg(struct ib_mr *ibmr, struct scatterlist *sg, > int sg_nents, unsigned int *sg_offset) > { > struct rxe_mr *mr = to_rmr(ibmr); > - struct rxe_map_set *set = mr->next_map_set; > int n; > > - set->nbuf = 0; > + mr->nbuf = 0; > > - n = ib_sg_to_pages(ibmr, sg, sg_nents, sg_offset, rxe_mr_set_page); > + n = ib_sg_to_pages(ibmr, sg, sg_nents, sg_offset, rxe_set_page); > > - set->va = ibmr->iova; > - set->iova = ibmr->iova; > - set->length = ibmr->length; > - set->page_shift = ilog2(ibmr->page_size); > - set->page_mask = ibmr->page_size - 1; > - set->offset = set->iova & set->page_mask; > + mr->va = ibmr->iova; > + mr->iova = ibmr->iova; > + mr->length = ibmr->length; > + mr->page_shift = ilog2(ibmr->page_size); > + mr->page_mask = ibmr->page_size - 1; > + mr->offset = mr->iova & mr->page_mask; > > return n; > } > diff --git a/drivers/infiniband/sw/rxe/rxe_verbs.h b/drivers/infiniband/sw/rxe/rxe_verbs.h > index 628e40c1714b..4108dc6565e9 100644 > --- a/drivers/infiniband/sw/rxe/rxe_verbs.h > +++ b/drivers/infiniband/sw/rxe/rxe_verbs.h > @@ -286,17 +286,6 @@ struct rxe_map { > struct rxe_phys_buf buf[RXE_BUF_PER_MAP]; > }; > > -struct rxe_map_set { > - struct rxe_map **map; > - u64 va; > - u64 iova; > - size_t length; > - u32 offset; > - u32 nbuf; > - int page_shift; > - int page_mask; > -}; > - > static inline int rkey_is_mw(u32 rkey) > { > u32 index = rkey >> 8; > @@ -314,20 +303,26 @@ struct rxe_mr { > u32 rkey; > enum rxe_mr_state state; > enum ib_mr_type type; > + u64 va; > + u64 iova; > + size_t length; > + u32 offset; > int access; > > + int page_shift; > + int page_mask; > int map_shift; > int map_mask; > > u32 num_buf; > + u32 nbuf; > > u32 max_buf; > u32 num_map; > > atomic_t num_mw; > > - struct rxe_map_set *cur_map_set; > - struct rxe_map_set *next_map_set; > + struct rxe_map **map; > }; > > enum rxe_mw_state { > -- There seems to be some problem with this email/patch. Downloading it generates a file without code but something else. The raw version below also looks mangled. https://lore.kernel.org/linux-rdma/20220720035700.2076987-1-lizhijian@xxxxxxxxxxx/raw > 2.31.1