| Message ID | 1550740408-25003-1-git-send-email-devesh.sharma@broadcom.com (mailing list archive) |
|---|---|
| State | Changes Requested |
| Delegated to: | Jason Gunthorpe |
| Headers | show |
| Series | [for-next] bnxt_re: fix the regression due to changes in alloc_pbl | expand |
On Thu, Feb 21, 2019 at 04:13:28AM -0500, Devesh Sharma wrote: > In the backdrop of ODP changes recently being done in the > kernel ib stack and drivers, there was a regression added > in the __alloc_pbl path. The change left bnxt_re in DOA > state in for-next branch. > > Fixing the regression to avoid the host crash when a user > space object is created. Restricting the unconditional > access to hwq.pg_arr when hwq is initialized for a user > space object. > > Fixes: commit 161ebe2498d4 ("RDMA/bnxt_re: > Use for_each_sg_dma_page iterator on umem SGL") > > Signed-off-by: Devesh Sharma <devesh.sharma@broadcom.com> No extra space between Fixes and SOB and please don't break Fixes line. > --- > drivers/infiniband/hw/bnxt_re/ib_verbs.c | 13 +++++++++---- > drivers/infiniband/hw/bnxt_re/qplib_fp.c | 20 ++++++-------------- > drivers/infiniband/hw/bnxt_re/qplib_res.c | 5 +---- > 3 files changed, 16 insertions(+), 22 deletions(-) > > diff --git a/drivers/infiniband/hw/bnxt_re/ib_verbs.c b/drivers/infiniband/hw/bnxt_re/ib_verbs.c > index 2ed7786..6150a2f 100644 > --- a/drivers/infiniband/hw/bnxt_re/ib_verbs.c > +++ b/drivers/infiniband/hw/bnxt_re/ib_verbs.c > @@ -793,9 +793,11 @@ int bnxt_re_destroy_qp(struct ib_qp *ib_qp) > { > struct bnxt_re_qp *qp = container_of(ib_qp, struct bnxt_re_qp, ib_qp); > struct bnxt_re_dev *rdev = qp->rdev; > - int rc; > + struct ib_pd *ibpd; > unsigned int flags; > + int rc; > > + ibpd = qp->ib_qp.pd; > bnxt_qplib_flush_cqn_wq(&qp->qplib_qp); > rc = bnxt_qplib_destroy_qp(&rdev->qplib_res, &qp->qplib_qp); > if (rc) { > @@ -803,9 +805,12 @@ int bnxt_re_destroy_qp(struct ib_qp *ib_qp) > return rc; > } > > - flags = bnxt_re_lock_cqs(qp); > - bnxt_qplib_clean_qp(&qp->qplib_qp); > - bnxt_re_unlock_cqs(qp, flags); > + if (!ibpd->uobject) { > + flags = bnxt_re_lock_cqs(qp); > + bnxt_qplib_clean_qp(&qp->qplib_qp); > + bnxt_re_unlock_cqs(qp, flags); > + } > + > bnxt_qplib_free_qp_res(&rdev->qplib_res, &qp->qplib_qp); > > if (ib_qp->qp_type == IB_QPT_GSI && rdev->qp1_sqp) { > diff --git a/drivers/infiniband/hw/bnxt_re/qplib_fp.c b/drivers/infiniband/hw/bnxt_re/qplib_fp.c > index 77eb3d5..71c34d5 100644 > --- a/drivers/infiniband/hw/bnxt_re/qplib_fp.c > +++ b/drivers/infiniband/hw/bnxt_re/qplib_fp.c > @@ -862,18 +862,18 @@ int bnxt_qplib_create_qp1(struct bnxt_qplib_res *res, struct bnxt_qplib_qp *qp) > int bnxt_qplib_create_qp(struct bnxt_qplib_res *res, struct bnxt_qplib_qp *qp) > { > struct bnxt_qplib_rcfw *rcfw = res->rcfw; > - struct sq_send *hw_sq_send_hdr, **hw_sq_send_ptr; > - struct cmdq_create_qp req; > - struct creq_create_qp_resp resp; > - struct bnxt_qplib_pbl *pbl; > - struct sq_psn_search **psn_search_ptr; > unsigned long int psn_search, poff = 0; > + struct sq_psn_search **psn_search_ptr; > struct bnxt_qplib_q *sq = &qp->sq; > struct bnxt_qplib_q *rq = &qp->rq; > int i, rc, req_size, psn_sz = 0; > + struct sq_send **hw_sq_send_ptr; > + struct creq_create_qp_resp resp; > struct bnxt_qplib_hwq *xrrq; > u16 cmd_flags = 0, max_ssge; > - u32 sw_prod, qp_flags = 0; > + struct cmdq_create_qp req; > + struct bnxt_qplib_pbl *pbl; > + u32 qp_flags = 0; > u16 max_rsge; > > RCFW_CMD_PREP(req, CREATE_QP, cmd_flags); > @@ -948,14 +948,6 @@ int bnxt_qplib_create_qp(struct bnxt_qplib_res *res, struct bnxt_qplib_qp *qp) > CMDQ_CREATE_QP_SQ_PG_SIZE_PG_1G : > CMDQ_CREATE_QP_SQ_PG_SIZE_PG_4K); > > - /* initialize all SQ WQEs to LOCAL_INVALID (sq prep for hw fetch) */ > - hw_sq_send_ptr = (struct sq_send **)sq->hwq.pbl_ptr; > - for (sw_prod = 0; sw_prod < sq->hwq.max_elements; sw_prod++) { > - hw_sq_send_hdr = &hw_sq_send_ptr[get_sqe_pg(sw_prod)] > - [get_sqe_idx(sw_prod)]; > - hw_sq_send_hdr->wqe_type = SQ_BASE_WQE_TYPE_LOCAL_INVALID; > - } > - > if (qp->scq) > req.scq_cid = cpu_to_le32(qp->scq->id); > > diff --git a/drivers/infiniband/hw/bnxt_re/qplib_res.c b/drivers/infiniband/hw/bnxt_re/qplib_res.c > index d08b9d9..0bc24f9 100644 > --- a/drivers/infiniband/hw/bnxt_re/qplib_res.c > +++ b/drivers/infiniband/hw/bnxt_re/qplib_res.c > @@ -119,11 +119,8 @@ static int __alloc_pbl(struct pci_dev *pdev, struct bnxt_qplib_pbl *pbl, > for_each_sg_dma_page (sghead, &sg_iter, pages, 0) { > pbl->pg_map_arr[i] = sg_page_iter_dma_address(&sg_iter); > pbl->pg_arr[i] = NULL; > - if (!pbl->pg_arr[i]) > - goto fail; > - > - i++; > pbl->pg_count++; > + i++; Change of "i++" is unrelated. > } > } > > -- > 1.8.3.1 >
On 21-Feb-19 14:02, Leon Romanovsky wrote: > On Thu, Feb 21, 2019 at 04:13:28AM -0500, Devesh Sharma wrote: >> In the backdrop of ODP changes recently being done in the >> kernel ib stack and drivers, there was a regression added >> in the __alloc_pbl path. The change left bnxt_re in DOA >> state in for-next branch. >> >> Fixing the regression to avoid the host crash when a user >> space object is created. Restricting the unconditional >> access to hwq.pg_arr when hwq is initialized for a user >> space object. >> >> Fixes: commit 161ebe2498d4 ("RDMA/bnxt_re: >> Use for_each_sg_dma_page iterator on umem SGL") >> >> Signed-off-by: Devesh Sharma <devesh.sharma@broadcom.com> > > No extra space between Fixes and SOB and please don't break Fixes line. You should remove the "commit" as well.
On Thu, Feb 21, 2019 at 04:13:28AM -0500, Devesh Sharma wrote: > In the backdrop of ODP changes recently being done in the The changes were not related to ODP > kernel ib stack and drivers, there was a regression added > in the __alloc_pbl path. The change left bnxt_re in DOA > state in for-next branch. > > Fixing the regression to avoid the host crash when a user > space object is created. Restricting the unconditional > access to hwq.pg_arr when hwq is initialized for a user > space object. .. kernel space object? Isn't it? > Fixes: commit 161ebe2498d4 ("RDMA/bnxt_re: > Use for_each_sg_dma_page iterator on umem SGL") > > Signed-off-by: Devesh Sharma <devesh.sharma@broadcom.com> > drivers/infiniband/hw/bnxt_re/ib_verbs.c | 13 +++++++++---- > drivers/infiniband/hw/bnxt_re/qplib_fp.c | 20 ++++++-------------- > drivers/infiniband/hw/bnxt_re/qplib_res.c | 5 +---- > 3 files changed, 16 insertions(+), 22 deletions(-) > > diff --git a/drivers/infiniband/hw/bnxt_re/ib_verbs.c b/drivers/infiniband/hw/bnxt_re/ib_verbs.c > index 2ed7786..6150a2f 100644 > +++ b/drivers/infiniband/hw/bnxt_re/ib_verbs.c > @@ -793,9 +793,11 @@ int bnxt_re_destroy_qp(struct ib_qp *ib_qp) > { > struct bnxt_re_qp *qp = container_of(ib_qp, struct bnxt_re_qp, ib_qp); > struct bnxt_re_dev *rdev = qp->rdev; > - int rc; > + struct ib_pd *ibpd; > unsigned int flags; > + int rc; > > + ibpd = qp->ib_qp.pd; > bnxt_qplib_flush_cqn_wq(&qp->qplib_qp); > rc = bnxt_qplib_destroy_qp(&rdev->qplib_res, &qp->qplib_qp); > if (rc) { > @@ -803,9 +805,12 @@ int bnxt_re_destroy_qp(struct ib_qp *ib_qp) > return rc; > } > > - flags = bnxt_re_lock_cqs(qp); > - bnxt_qplib_clean_qp(&qp->qplib_qp); > - bnxt_re_unlock_cqs(qp, flags); > + if (!ibpd->uobject) { Looks like the qp needs to be tested for 'userness', not the PD. Use if (!rdma_is_kernel_res(&qp->res)) Jason
On Thu, Feb 21, 2019 at 5:32 PM Leon Romanovsky <leon@kernel.org> wrote: > > On Thu, Feb 21, 2019 at 04:13:28AM -0500, Devesh Sharma wrote: > > In the backdrop of ODP changes recently being done in the > > kernel ib stack and drivers, there was a regression added > > in the __alloc_pbl path. The change left bnxt_re in DOA > > state in for-next branch. > > > > Fixing the regression to avoid the host crash when a user > > space object is created. Restricting the unconditional > > access to hwq.pg_arr when hwq is initialized for a user > > space object. > > > > Fixes: commit 161ebe2498d4 ("RDMA/bnxt_re: > > Use for_each_sg_dma_page iterator on umem SGL") > > > > Signed-off-by: Devesh Sharma <devesh.sharma@broadcom.com> > > No extra space between Fixes and SOB and please don't break Fixes line. V2 will have the fix. > > > --- > > drivers/infiniband/hw/bnxt_re/ib_verbs.c | 13 +++++++++---- > > drivers/infiniband/hw/bnxt_re/qplib_fp.c | 20 ++++++-------------- > > drivers/infiniband/hw/bnxt_re/qplib_res.c | 5 +---- > > 3 files changed, 16 insertions(+), 22 deletions(-) > > > > diff --git a/drivers/infiniband/hw/bnxt_re/ib_verbs.c b/drivers/infiniband/hw/bnxt_re/ib_verbs.c > > index 2ed7786..6150a2f 100644 > > --- a/drivers/infiniband/hw/bnxt_re/ib_verbs.c > > +++ b/drivers/infiniband/hw/bnxt_re/ib_verbs.c > > @@ -793,9 +793,11 @@ int bnxt_re_destroy_qp(struct ib_qp *ib_qp) > > { > > struct bnxt_re_qp *qp = container_of(ib_qp, struct bnxt_re_qp, ib_qp); > > struct bnxt_re_dev *rdev = qp->rdev; > > - int rc; > > + struct ib_pd *ibpd; > > unsigned int flags; > > + int rc; > > > > + ibpd = qp->ib_qp.pd; > > bnxt_qplib_flush_cqn_wq(&qp->qplib_qp); > > rc = bnxt_qplib_destroy_qp(&rdev->qplib_res, &qp->qplib_qp); > > if (rc) { > > @@ -803,9 +805,12 @@ int bnxt_re_destroy_qp(struct ib_qp *ib_qp) > > return rc; > > } > > > > - flags = bnxt_re_lock_cqs(qp); > > - bnxt_qplib_clean_qp(&qp->qplib_qp); > > - bnxt_re_unlock_cqs(qp, flags); > > + if (!ibpd->uobject) { > > + flags = bnxt_re_lock_cqs(qp); > > + bnxt_qplib_clean_qp(&qp->qplib_qp); > > + bnxt_re_unlock_cqs(qp, flags); > > + } > > + > > bnxt_qplib_free_qp_res(&rdev->qplib_res, &qp->qplib_qp); > > > > if (ib_qp->qp_type == IB_QPT_GSI && rdev->qp1_sqp) { > > diff --git a/drivers/infiniband/hw/bnxt_re/qplib_fp.c b/drivers/infiniband/hw/bnxt_re/qplib_fp.c > > index 77eb3d5..71c34d5 100644 > > --- a/drivers/infiniband/hw/bnxt_re/qplib_fp.c > > +++ b/drivers/infiniband/hw/bnxt_re/qplib_fp.c > > @@ -862,18 +862,18 @@ int bnxt_qplib_create_qp1(struct bnxt_qplib_res *res, struct bnxt_qplib_qp *qp) > > int bnxt_qplib_create_qp(struct bnxt_qplib_res *res, struct bnxt_qplib_qp *qp) > > { > > struct bnxt_qplib_rcfw *rcfw = res->rcfw; > > - struct sq_send *hw_sq_send_hdr, **hw_sq_send_ptr; > > - struct cmdq_create_qp req; > > - struct creq_create_qp_resp resp; > > - struct bnxt_qplib_pbl *pbl; > > - struct sq_psn_search **psn_search_ptr; > > unsigned long int psn_search, poff = 0; > > + struct sq_psn_search **psn_search_ptr; > > struct bnxt_qplib_q *sq = &qp->sq; > > struct bnxt_qplib_q *rq = &qp->rq; > > int i, rc, req_size, psn_sz = 0; > > + struct sq_send **hw_sq_send_ptr; > > + struct creq_create_qp_resp resp; > > struct bnxt_qplib_hwq *xrrq; > > u16 cmd_flags = 0, max_ssge; > > - u32 sw_prod, qp_flags = 0; > > + struct cmdq_create_qp req; > > + struct bnxt_qplib_pbl *pbl; > > + u32 qp_flags = 0; > > u16 max_rsge; > > > > RCFW_CMD_PREP(req, CREATE_QP, cmd_flags); > > @@ -948,14 +948,6 @@ int bnxt_qplib_create_qp(struct bnxt_qplib_res *res, struct bnxt_qplib_qp *qp) > > CMDQ_CREATE_QP_SQ_PG_SIZE_PG_1G : > > CMDQ_CREATE_QP_SQ_PG_SIZE_PG_4K); > > > > - /* initialize all SQ WQEs to LOCAL_INVALID (sq prep for hw fetch) */ > > - hw_sq_send_ptr = (struct sq_send **)sq->hwq.pbl_ptr; > > - for (sw_prod = 0; sw_prod < sq->hwq.max_elements; sw_prod++) { > > - hw_sq_send_hdr = &hw_sq_send_ptr[get_sqe_pg(sw_prod)] > > - [get_sqe_idx(sw_prod)]; > > - hw_sq_send_hdr->wqe_type = SQ_BASE_WQE_TYPE_LOCAL_INVALID; > > - } > > - > > if (qp->scq) > > req.scq_cid = cpu_to_le32(qp->scq->id); > > > > diff --git a/drivers/infiniband/hw/bnxt_re/qplib_res.c b/drivers/infiniband/hw/bnxt_re/qplib_res.c > > index d08b9d9..0bc24f9 100644 > > --- a/drivers/infiniband/hw/bnxt_re/qplib_res.c > > +++ b/drivers/infiniband/hw/bnxt_re/qplib_res.c > > @@ -119,11 +119,8 @@ static int __alloc_pbl(struct pci_dev *pdev, struct bnxt_qplib_pbl *pbl, > > for_each_sg_dma_page (sghead, &sg_iter, pages, 0) { > > pbl->pg_map_arr[i] = sg_page_iter_dma_address(&sg_iter); > > pbl->pg_arr[i] = NULL; > > - if (!pbl->pg_arr[i]) > > - goto fail; > > - > > - i++; > > pbl->pg_count++; > > + i++; > > Change of "i++" is unrelated. > > > } > > } > > > > -- > > 1.8.3.1 > >
On Thu, Feb 21, 2019 at 5:39 PM Gal Pressman <galpress@amazon.com> wrote: > > On 21-Feb-19 14:02, Leon Romanovsky wrote: > > On Thu, Feb 21, 2019 at 04:13:28AM -0500, Devesh Sharma wrote: > >> In the backdrop of ODP changes recently being done in the > >> kernel ib stack and drivers, there was a regression added > >> in the __alloc_pbl path. The change left bnxt_re in DOA > >> state in for-next branch. > >> > >> Fixing the regression to avoid the host crash when a user > >> space object is created. Restricting the unconditional > >> access to hwq.pg_arr when hwq is initialized for a user > >> space object. > >> > >> Fixes: commit 161ebe2498d4 ("RDMA/bnxt_re: > >> Use for_each_sg_dma_page iterator on umem SGL") > >> > >> Signed-off-by: Devesh Sharma <devesh.sharma@broadcom.com> > > > > No extra space between Fixes and SOB and please don't break Fixes line. > > You should remove the "commit" as well. Sure
On Fri, Feb 22, 2019 at 4:35 AM Jason Gunthorpe <jgg@ziepe.ca> wrote: > > On Thu, Feb 21, 2019 at 04:13:28AM -0500, Devesh Sharma wrote: > > In the backdrop of ODP changes recently being done in the > > The changes were not related to ODP Oh! I thought this was a pre-cursor to ODP changes. I will change anyways. > > > kernel ib stack and drivers, there was a regression added > > in the __alloc_pbl path. The change left bnxt_re in DOA > > state in for-next branch. > > > > Fixing the regression to avoid the host crash when a user > > space object is created. Restricting the unconditional > > access to hwq.pg_arr when hwq is initialized for a user > > space object. > > .. kernel space object? Isn't it? Kernel object takes different path and do not traverse the dma-sg-list. > > > Fixes: commit 161ebe2498d4 ("RDMA/bnxt_re: > > Use for_each_sg_dma_page iterator on umem SGL") > > > > Signed-off-by: Devesh Sharma <devesh.sharma@broadcom.com> > > drivers/infiniband/hw/bnxt_re/ib_verbs.c | 13 +++++++++---- > > drivers/infiniband/hw/bnxt_re/qplib_fp.c | 20 ++++++-------------- > > drivers/infiniband/hw/bnxt_re/qplib_res.c | 5 +---- > > 3 files changed, 16 insertions(+), 22 deletions(-) > > > > diff --git a/drivers/infiniband/hw/bnxt_re/ib_verbs.c b/drivers/infiniband/hw/bnxt_re/ib_verbs.c > > index 2ed7786..6150a2f 100644 > > +++ b/drivers/infiniband/hw/bnxt_re/ib_verbs.c > > @@ -793,9 +793,11 @@ int bnxt_re_destroy_qp(struct ib_qp *ib_qp) > > { > > struct bnxt_re_qp *qp = container_of(ib_qp, struct bnxt_re_qp, ib_qp); > > struct bnxt_re_dev *rdev = qp->rdev; > > - int rc; > > + struct ib_pd *ibpd; > > unsigned int flags; > > + int rc; > > > > + ibpd = qp->ib_qp.pd; > > bnxt_qplib_flush_cqn_wq(&qp->qplib_qp); > > rc = bnxt_qplib_destroy_qp(&rdev->qplib_res, &qp->qplib_qp); > > if (rc) { > > @@ -803,9 +805,12 @@ int bnxt_re_destroy_qp(struct ib_qp *ib_qp) > > return rc; > > } > > > > - flags = bnxt_re_lock_cqs(qp); > > - bnxt_qplib_clean_qp(&qp->qplib_qp); > > - bnxt_re_unlock_cqs(qp, flags); > > + if (!ibpd->uobject) { > > Looks like the qp needs to be tested for 'userness', not the PD. Use > > if (!rdma_is_kernel_res(&qp->res)) > Sure. > Jason
diff --git a/drivers/infiniband/hw/bnxt_re/ib_verbs.c b/drivers/infiniband/hw/bnxt_re/ib_verbs.c index 2ed7786..6150a2f 100644 --- a/drivers/infiniband/hw/bnxt_re/ib_verbs.c +++ b/drivers/infiniband/hw/bnxt_re/ib_verbs.c @@ -793,9 +793,11 @@ int bnxt_re_destroy_qp(struct ib_qp *ib_qp) { struct bnxt_re_qp *qp = container_of(ib_qp, struct bnxt_re_qp, ib_qp); struct bnxt_re_dev *rdev = qp->rdev; - int rc; + struct ib_pd *ibpd; unsigned int flags; + int rc; + ibpd = qp->ib_qp.pd; bnxt_qplib_flush_cqn_wq(&qp->qplib_qp); rc = bnxt_qplib_destroy_qp(&rdev->qplib_res, &qp->qplib_qp); if (rc) { @@ -803,9 +805,12 @@ int bnxt_re_destroy_qp(struct ib_qp *ib_qp) return rc; } - flags = bnxt_re_lock_cqs(qp); - bnxt_qplib_clean_qp(&qp->qplib_qp); - bnxt_re_unlock_cqs(qp, flags); + if (!ibpd->uobject) { + flags = bnxt_re_lock_cqs(qp); + bnxt_qplib_clean_qp(&qp->qplib_qp); + bnxt_re_unlock_cqs(qp, flags); + } + bnxt_qplib_free_qp_res(&rdev->qplib_res, &qp->qplib_qp); if (ib_qp->qp_type == IB_QPT_GSI && rdev->qp1_sqp) { diff --git a/drivers/infiniband/hw/bnxt_re/qplib_fp.c b/drivers/infiniband/hw/bnxt_re/qplib_fp.c index 77eb3d5..71c34d5 100644 --- a/drivers/infiniband/hw/bnxt_re/qplib_fp.c +++ b/drivers/infiniband/hw/bnxt_re/qplib_fp.c @@ -862,18 +862,18 @@ int bnxt_qplib_create_qp1(struct bnxt_qplib_res *res, struct bnxt_qplib_qp *qp) int bnxt_qplib_create_qp(struct bnxt_qplib_res *res, struct bnxt_qplib_qp *qp) { struct bnxt_qplib_rcfw *rcfw = res->rcfw; - struct sq_send *hw_sq_send_hdr, **hw_sq_send_ptr; - struct cmdq_create_qp req; - struct creq_create_qp_resp resp; - struct bnxt_qplib_pbl *pbl; - struct sq_psn_search **psn_search_ptr; unsigned long int psn_search, poff = 0; + struct sq_psn_search **psn_search_ptr; struct bnxt_qplib_q *sq = &qp->sq; struct bnxt_qplib_q *rq = &qp->rq; int i, rc, req_size, psn_sz = 0; + struct sq_send **hw_sq_send_ptr; + struct creq_create_qp_resp resp; struct bnxt_qplib_hwq *xrrq; u16 cmd_flags = 0, max_ssge; - u32 sw_prod, qp_flags = 0; + struct cmdq_create_qp req; + struct bnxt_qplib_pbl *pbl; + u32 qp_flags = 0; u16 max_rsge; RCFW_CMD_PREP(req, CREATE_QP, cmd_flags); @@ -948,14 +948,6 @@ int bnxt_qplib_create_qp(struct bnxt_qplib_res *res, struct bnxt_qplib_qp *qp) CMDQ_CREATE_QP_SQ_PG_SIZE_PG_1G : CMDQ_CREATE_QP_SQ_PG_SIZE_PG_4K); - /* initialize all SQ WQEs to LOCAL_INVALID (sq prep for hw fetch) */ - hw_sq_send_ptr = (struct sq_send **)sq->hwq.pbl_ptr; - for (sw_prod = 0; sw_prod < sq->hwq.max_elements; sw_prod++) { - hw_sq_send_hdr = &hw_sq_send_ptr[get_sqe_pg(sw_prod)] - [get_sqe_idx(sw_prod)]; - hw_sq_send_hdr->wqe_type = SQ_BASE_WQE_TYPE_LOCAL_INVALID; - } - if (qp->scq) req.scq_cid = cpu_to_le32(qp->scq->id); diff --git a/drivers/infiniband/hw/bnxt_re/qplib_res.c b/drivers/infiniband/hw/bnxt_re/qplib_res.c index d08b9d9..0bc24f9 100644 --- a/drivers/infiniband/hw/bnxt_re/qplib_res.c +++ b/drivers/infiniband/hw/bnxt_re/qplib_res.c @@ -119,11 +119,8 @@ static int __alloc_pbl(struct pci_dev *pdev, struct bnxt_qplib_pbl *pbl, for_each_sg_dma_page (sghead, &sg_iter, pages, 0) { pbl->pg_map_arr[i] = sg_page_iter_dma_address(&sg_iter); pbl->pg_arr[i] = NULL; - if (!pbl->pg_arr[i]) - goto fail; - - i++; pbl->pg_count++; + i++; } }
In the backdrop of ODP changes recently being done in the kernel ib stack and drivers, there was a regression added in the __alloc_pbl path. The change left bnxt_re in DOA state in for-next branch. Fixing the regression to avoid the host crash when a user space object is created. Restricting the unconditional access to hwq.pg_arr when hwq is initialized for a user space object. Fixes: commit 161ebe2498d4 ("RDMA/bnxt_re: Use for_each_sg_dma_page iterator on umem SGL") Signed-off-by: Devesh Sharma <devesh.sharma@broadcom.com> --- drivers/infiniband/hw/bnxt_re/ib_verbs.c | 13 +++++++++---- drivers/infiniband/hw/bnxt_re/qplib_fp.c | 20 ++++++-------------- drivers/infiniband/hw/bnxt_re/qplib_res.c | 5 +---- 3 files changed, 16 insertions(+), 22 deletions(-)