Commit 2638a323 authored by Dakshaja Uppalapati's avatar Dakshaja Uppalapati Committed by Jason Gunthorpe
Browse files

RDMA/iw_cxgb4: Fix refcount underflow while destroying cqs. 

Previous atomic increment/decrement logic expects the atomic count to be
'0' after the final decrement.

Replacing atomic count with refcount does not allow that, as
refcount_dec() considers count of 1 as underflow and triggers a kernel
splat.

Fix the current refcount logic by using the usual pattern of decrementing
the refcount and test if it is '0' on the final deref in
c4iw_destroy_cq(). Use wait_for_completion() instead of wait_event().

Fixes: 7183451f ("RDMA/cxgb4: Use refcount_t instead of atomic_t for reference counting")
Link: https://lore.kernel.org/r/1628167412-12114-1-git-send-email-dakshaja@chelsio.com


Signed-off-by: default avatarDakshaja Uppalapati <dakshaja@chelsio.com>
Reviewed-by: default avatarPotnuri Bharat Teja <bharat@chelsio.com>
Signed-off-by: default avatarJason Gunthorpe <jgg@nvidia.com>
parent 8b436a99

drivers/infiniband/hw/cxgb4/cq.c

+9 −3
Original line number Diff line number Diff line
@@ -967,6 +967,12 @@ int c4iw_poll_cq(struct ib_cq *ibcq, int num_entries, struct ib_wc *wc) 
	return !err || err == -ENODATA ? npolled : err;

}



void c4iw_cq_rem_ref(struct c4iw_cq *chp)

{

	if (refcount_dec_and_test(&chp->refcnt))

		complete(&chp->cq_rel_comp);

}



int c4iw_destroy_cq(struct ib_cq *ib_cq, struct ib_udata *udata)

{

	struct c4iw_cq *chp;
@@ -976,8 +982,8 @@ int c4iw_destroy_cq(struct ib_cq *ib_cq, struct ib_udata *udata) 
	chp = to_c4iw_cq(ib_cq);



	xa_erase_irq(&chp->rhp->cqs, chp->cq.cqid);

	refcount_dec(&chp->refcnt);

	wait_event(chp->wait, !refcount_read(&chp->refcnt));

	c4iw_cq_rem_ref(chp);

	wait_for_completion(&chp->cq_rel_comp);



	ucontext = rdma_udata_to_drv_context(udata, struct c4iw_ucontext,

					     ibucontext);
@@ -1081,7 +1087,7 @@ int c4iw_create_cq(struct ib_cq *ibcq, const struct ib_cq_init_attr *attr, 
	spin_lock_init(&chp->lock);

	spin_lock_init(&chp->comp_handler_lock);

	refcount_set(&chp->refcnt, 1);

	init_waitqueue_head(&chp->wait);

	init_completion(&chp->cq_rel_comp);

	ret = xa_insert_irq(&rhp->cqs, chp->cq.cqid, chp, GFP_KERNEL);

	if (ret)

		goto err_destroy_cq;

drivers/infiniband/hw/cxgb4/ev.c

+2 −4
Original line number Diff line number Diff line
@@ -213,8 +213,7 @@ void c4iw_ev_dispatch(struct c4iw_dev *dev, struct t4_cqe *err_cqe) 
		break;

	}

done:

	if (refcount_dec_and_test(&chp->refcnt))

		wake_up(&chp->wait);

	c4iw_cq_rem_ref(chp);

	c4iw_qp_rem_ref(&qhp->ibqp);

out:

	return;
@@ -234,8 +233,7 @@ int c4iw_ev_handler(struct c4iw_dev *dev, u32 qid) 
		spin_lock_irqsave(&chp->comp_handler_lock, flag);

		(*chp->ibcq.comp_handler)(&chp->ibcq, chp->ibcq.cq_context);

		spin_unlock_irqrestore(&chp->comp_handler_lock, flag);

		if (refcount_dec_and_test(&chp->refcnt))

			wake_up(&chp->wait);

		c4iw_cq_rem_ref(chp);

	} else {

		pr_debug("unknown cqid 0x%x\n", qid);

		xa_unlock_irqrestore(&dev->cqs, flag);

drivers/infiniband/hw/cxgb4/iw_cxgb4.h

+2 −1
Original line number Diff line number Diff line
@@ -428,7 +428,7 @@ struct c4iw_cq { 
	spinlock_t lock;

	spinlock_t comp_handler_lock;

	refcount_t refcnt;

	wait_queue_head_t wait;

	struct completion cq_rel_comp;

	struct c4iw_wr_wait *wr_waitp;

};
@@ -979,6 +979,7 @@ struct ib_mr *c4iw_reg_user_mr(struct ib_pd *pd, u64 start, 
struct ib_mr *c4iw_get_dma_mr(struct ib_pd *pd, int acc);

int c4iw_dereg_mr(struct ib_mr *ib_mr, struct ib_udata *udata);

int c4iw_destroy_cq(struct ib_cq *ib_cq, struct ib_udata *udata);

void c4iw_cq_rem_ref(struct c4iw_cq *chp);

int c4iw_create_cq(struct ib_cq *ibcq, const struct ib_cq_init_attr *attr,

		   struct ib_udata *udata);

int c4iw_arm_cq(struct ib_cq *ibcq, enum ib_cq_notify_flags flags);