On Fri, Feb 22, 2019 at 07:16:19AM -0500, Devesh Sharma wrote: > While adding the use of for_each_sg_dma_page iterator for > Brodcom's rdma driver, there was a regression added in the > __alloc_pbl path. The change left bnxt_re in DOA state in > for-next branch. > > Fixing the regression to avoid the host crash when a user > space object is created. Restricting the unconditional > access to hwq.pg_arr when hwq is initialized for user space > objects. > > Fixes: 161ebe2498d4 ("RDMA/bnxt_re: Use for_each_sg_dma_page iterator on umem SGL") > Reported-by: Gal Pressman <galpress@xxxxxxxxxx> > Signed-off-by: Selvin Xavier <selvin.xavier@xxxxxxxxxxxx> > Signed-off-by: Devesh Sharma <devesh.sharma@xxxxxxxxxxxx> > drivers/infiniband/hw/bnxt_re/ib_verbs.c | 11 +++++++---- > drivers/infiniband/hw/bnxt_re/qplib_fp.c | 20 ++++++-------------- > drivers/infiniband/hw/bnxt_re/qplib_res.c | 5 +---- > 3 files changed, 14 insertions(+), 22 deletions(-) > > diff --git a/drivers/infiniband/hw/bnxt_re/ib_verbs.c b/drivers/infiniband/hw/bnxt_re/ib_verbs.c > index 83bf6f5d..fc65751 100644 > +++ b/drivers/infiniband/hw/bnxt_re/ib_verbs.c > @@ -793,8 +793,8 @@ int bnxt_re_destroy_qp(struct ib_qp *ib_qp) > { > struct bnxt_re_qp *qp = container_of(ib_qp, struct bnxt_re_qp, ib_qp); > struct bnxt_re_dev *rdev = qp->rdev; > - int rc; > unsigned int flags; > + int rc; > > bnxt_qplib_flush_cqn_wq(&qp->qplib_qp); > rc = bnxt_qplib_destroy_qp(&rdev->qplib_res, &qp->qplib_qp); > @@ -803,9 +803,12 @@ int bnxt_re_destroy_qp(struct ib_qp *ib_qp) > return rc; > } > > - flags = bnxt_re_lock_cqs(qp); > - bnxt_qplib_clean_qp(&qp->qplib_qp); > - bnxt_re_unlock_cqs(qp, flags); > + if (!rdma_is_kernel_res(&qp->res)) { So this doesn't compile: drivers/infiniband/hw/bnxt_re/ib_verbs.c:806:31: error: ‘struct bnxt_re_qp’ has no member named ‘res’; did you mean ‘rdev’? I fixed it and applied it to for-next, but you should probably test things. Jason
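Review bot: the condition added in the second bnxt_re_destroy_qp hunk, `if (!rdma_is_kernel_res(&qp->res)) {`, dereferences a member that struct bnxt_re_qp does not have, which is the build error reported at ib_verbs.c:806. The container_of() call at the top of the function shows that the struct embeds `ib_qp`, so the check has to reach the resource entry through a member that actually exists; build the driver before reposting. The polarity also needs confirming. The commit message says the access to hwq.pg_arr must be restricted when hwq is initialized for user space objects, yet the test as written is negated and so selects the non-kernel case. The guarded body is cut off in this quote, so say explicitly in the changelog which case is meant to run the bnxt_re_lock_cqs() / bnxt_qplib_clean_qp() / bnxt_re_unlock_cqs() sequence that the hunk removes from the unconditional path.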