Commit 7d51783d authored by Jason Gunthorpe's avatar Jason Gunthorpe
Browse files

RDMA/hns: Fix xarray race in hns_roce_create_qp_common() 

Similar to the SRQ case the hr_qp is stored in the xarray before it is
fully initialized. Unlike the SRQ case the error unwinds do not wait for
the completion so keep the refcount 0 until the function succeeds.

Fixes: 9a443537 ("IB/hns: Add driver files for hns RoCE driver")
Link: https://patch.msgid.link/r/14-v1-41f3135e5565+9d2-rdma_ai_fixes1_jgg@nvidia.com


Suggested-by: default avatarJunxian Huang <huangjunxian6@hisilicon.com>
Reviewed-by: default avatarJunxian Huang <huangjunxian6@hisilicon.com>
Signed-off-by: default avatarJason Gunthorpe <jgg@nvidia.com>
parent 48973c6c

drivers/infiniband/hw/hns/hns_roce_qp.c

+3 −3
Original line number Diff line number Diff line
@@ -47,8 +47,8 @@ static struct hns_roce_qp *hns_roce_qp_lookup(struct hns_roce_dev *hr_dev, 


	xa_lock_irqsave(&hr_dev->qp_table_xa, flags);

	qp = __hns_roce_qp_lookup(hr_dev, qpn);

	if (qp)

		refcount_inc(&qp->refcount);

	if (qp && !refcount_inc_not_zero(&qp->refcount))

		qp = NULL;

	xa_unlock_irqrestore(&hr_dev->qp_table_xa, flags);



	if (!qp)
@@ -1251,8 +1251,8 @@ static int hns_roce_create_qp_common(struct hns_roce_dev *hr_dev, 


	hr_qp->ibqp.qp_num = hr_qp->qpn;

	hr_qp->event = hns_roce_ib_qp_event;

	refcount_set(&hr_qp->refcount, 1);

	init_completion(&hr_qp->free);

	refcount_set_release(&hr_qp->refcount, 1);



	return 0;