Commit 01407704 authored Dec 23, 2025 by Richard Genoud Committed by Christophe Leroy (CS GROUP) Feb 23, 2026

soc: fsl: qbman: fix race condition in qman_destroy_fq



When QMAN_FQ_FLAG_DYNAMIC_FQID is set, there's a race condition between
fq_table[fq->idx] state and freeing/allocating from the pool and
WARN_ON(fq_table[fq->idx]) in qman_create_fq() gets triggered.

Indeed, we can have:
         Thread A                             Thread B
    qman_destroy_fq()                    qman_create_fq()
      qman_release_fqid()
        qman_shutdown_fq()
        gen_pool_free()
           -- At this point, the fqid is available again --
                                           qman_alloc_fqid()
           -- so, we can get the just-freed fqid in thread B --
                                           fq->fqid = fqid;
                                           fq->idx = fqid * 2;
                                           WARN_ON(fq_table[fq->idx]);
                                           fq_table[fq->idx] = fq;
     fq_table[fq->idx] = NULL;

And adding some logs between qman_release_fqid() and
fq_table[fq->idx] = NULL makes the WARN_ON() trigger a lot more.

To prevent that, ensure that fq_table[fq->idx] is set to NULL before
gen_pool_free() is called by using smp_wmb().

Fixes: c535e923 ("soc/fsl: Introduce DPAA 1.x QMan device driver")
Signed-off-by: Richard Genoud <richard.genoud@bootlin.com>
Tested-by: CHAMPSEIX Thomas <thomas.champseix@alstomgroup.com>
Link: https://lore.kernel.org/r/20251223072549.397625-1-richard.genoud@bootlin.com


Signed-off-by: Christophe Leroy (CS GROUP) <chleroy@kernel.org>

parent 6de23f81

drivers/soc/fsl/qbman/qman.c

+22 −2

Original line number	Diff line number	Diff line
		@@ -1827,6 +1827,8 @@ EXPORT_SYMBOL(qman_create_fq);

		void qman_destroy_fq(struct qman_fq *fq)
		{
		int leaked;

		/*
		* We don't need to lock the FQ as it is a pre-condition that the FQ be
		* quiesced. Instead, run some checks.
		@@ -1834,11 +1836,29 @@ void qman_destroy_fq(struct qman_fq *fq)
		switch (fq->state) {
		case qman_fq_state_parked:
		case qman_fq_state_oos:
		if (fq_isset(fq, QMAN_FQ_FLAG_DYNAMIC_FQID))
		qman_release_fqid(fq->fqid);
		/*
		* There's a race condition here on releasing the fqid,
		* setting the fq_table to NULL, and freeing the fqid.
		* To prevent it, this order should be respected:
		*/
		if (fq_isset(fq, QMAN_FQ_FLAG_DYNAMIC_FQID)) {
		leaked = qman_shutdown_fq(fq->fqid);
		if (leaked)
		pr_debug("FQID %d leaked\n", fq->fqid);
		}

		DPAA_ASSERT(fq_table[fq->idx]);
		fq_table[fq->idx] = NULL;

		if (fq_isset(fq, QMAN_FQ_FLAG_DYNAMIC_FQID) && !leaked) {
		/*
		* fq_table[fq->idx] should be set to null before
		* freeing fq->fqid otherwise it could by allocated by
		* qman_alloc_fqid() while still being !NULL
		*/
		smp_wmb();
		gen_pool_free(qm_fqalloc, fq->fqid \| DPAA_GENALLOC_OFF, 1);
		}
		return;
		default:
		break;