From: Jason Gunthorpe <jgg@nvidia.com>
To: Abhijit Gangurde <abhijit.gangurde@amd.com>,
	Allen Hubbe <allen.hubbe@amd.com>,
	Broadcom internal kernel review list
	<bcm-kernel-feedback-list@broadcom.com>,
	Bernard Metzler <bernard.metzler@linux.dev>,
	Potnuri Bharat Teja <bharat@chelsio.com>,
	Bryan Tan <bryan-bt.tan@broadcom.com>,
	Cheng Xu <chengyou@linux.alibaba.com>,
	Dennis Dalessandro <dennis.dalessandro@cornelisnetworks.com>,
	Gal Pressman <gal.pressman@linux.dev>,
	Junxian Huang <huangjunxian6@hisilicon.com>,
	Kai Shen <kaishen@linux.alibaba.com>,
	Kalesh AP <kalesh-anakkur.purayil@broadcom.com>,
	Konstantin Taranov <kotaranov@microsoft.com>,
	Krzysztof Czurylo <krzysztof.czurylo@intel.com>,
	Leon Romanovsky <leon@kernel.org>,
	linux-hyperv@vger.kernel.org, linux-rdma@vger.kernel.org,
	Long Li <longli@microsoft.com>,
	Michal Kalderon <mkalderon@marvell.com>,
	Michael Margolin <mrgolin@amazon.com>,
	Nelson Escobar <neescoba@cisco.com>,
	Satish Kharat <satishkh@cisco.com>,
	Selvin Xavier <selvin.xavier@broadcom.com>,
	Yossi Leybovich <sleybo@amazon.com>,
	Chengchang Tang <tangchengchang@huawei.com>,
	Tatyana Nikolova <tatyana.e.nikolova@intel.com>,
	Vishnu Dasa <vishnu.dasa@broadcom.com>,
	Yishai Hadas <yishaih@nvidia.com>
Cc: Adit Ranadive <aditr@vmware.com>,
	Aditya Sarwade <asarwade@vmware.com>,
	Bryan Tan <bryantan@vmware.com>, Dexuan Cui <decui@microsoft.com>,
	Doug Ledford <dledford@redhat.com>,
	George Zhang <georgezhang@vmware.com>,
	Jorgen Hansen <jhansen@vmware.com>,
	Leon Romanovsky <leonro@mellanox.com>,
	Parav Pandit <parav.pandit@emulex.com>,
	patches@lists.linux.dev, Roland Dreier <roland@purestorage.com>,
	Roland Dreier <rolandd@cisco.com>,
	Ajay Sharma <sharmaajay@microsoft.com>,
	stable@vger.kernel.org
Subject: [PATCH v2 06/16] RDMA/hns: Fix xarray race in hns_roce_create_srq()
Date: Mon,  6 Apr 2026 14:40:31 -0300
Message-ID: <6-v2-1c49eeb88c48+91-rdma_udata_rep_jgg@nvidia.com>
In-Reply-To: <0-v2-1c49eeb88c48+91-rdma_udata_rep_jgg@nvidia.com>

Sashiko points out that once the srq memory is stored into the xarray by
alloc_srqc() it can immediately be looked up by:

	xa_lock(&srq_table->xa);
	srq = xa_load(&srq_table->xa, srqn & (hr_dev->caps.num_srqs - 1));
	if (srq)
		refcount_inc(&srq->refcount);
	xa_unlock(&srq_table->xa);

Which will fail refcount debug because the refcount is 0 and then crash:

	srq->event(srq, event_type);

Because event is NULL.

Use refcount_inc_not_zero() instead to ensure a partially prepared srq is
never retrieved from the event handler and fix the ordering of the
initialization so refcount becomes 1 only after it is fully ready.

Link: https://sashiko.dev/#/patchset/0-v1-e911b76a94d1%2B65d95-rdma_udata_rep_jgg%40nvidia.com?part=3
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
---
 drivers/infiniband/hw/hns/hns_roce_srq.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/drivers/infiniband/hw/hns/hns_roce_srq.c b/drivers/infiniband/hw/hns/hns_roce_srq.c
index cb848e8e6bbd76..d6201ddde0292a 100644
--- a/drivers/infiniband/hw/hns/hns_roce_srq.c
+++ b/drivers/infiniband/hw/hns/hns_roce_srq.c
@@ -16,8 +16,8 @@ void hns_roce_srq_event(struct hns_roce_dev *hr_dev, u32 srqn, int event_type)
 
 	xa_lock(&srq_table->xa);
 	srq = xa_load(&srq_table->xa, srqn & (hr_dev->caps.num_srqs - 1));
-	if (srq)
-		refcount_inc(&srq->refcount);
+	if (srq && !refcount_inc_not_zero(&srq->refcount))
+		srq = NULL;
 	xa_unlock(&srq_table->xa);
 
 	if (!srq) {
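Review bot: The refcount_inc_not_zero() check in hns_roce_srq_event() only rejects a half-built srq if srq->refcount is guaranteed to read as 0 from the moment alloc_srqc() stores the pointer until refcount_set() runs. The allocation of the srq is not visible in this patch, so please confirm the memory is zeroed before it reaches the xarray, or initialise the refcount to 0 explicitly before the store. A one-line comment above the check saying that a zero refcount means "still being created or already being freed" would also help the next reader, since the `if (!srq)` branch now covers that case as well as a missing entry.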
@@ -481,8 +481,8 @@ int hns_roce_create_srq(struct ib_srq *ib_srq,
 	}
 
 	srq->event = hns_roce_ib_srq_event;
-	refcount_set(&srq->refcount, 1);
 	init_completion(&srq->free);
+	refcount_set(&srq->refcount, 1);
 
 	return 0;
 
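Review bot: Moving refcount_set() after init_completion() in hns_roce_create_srq() fixes the program order but not the cross-CPU ordering, because refcount_set() is documented as providing no memory ordering and this hunk takes no lock or barrier around it. A CPU in the event handler that sees the count as 1 is therefore not guaranteed to see the stores to srq->event and srq->free. Consider taking xa_lock around the refcount_set() so it pairs with the locked lookup, publishing the count with release semantics, or inserting the srq into the xarray only after it is fully initialised.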
-- 
2.43.0

