From: Edward Srouji <edwards@nvidia.com>
To: Leon Romanovsky <leon@kernel.org>, Jason Gunthorpe <jgg@ziepe.ca>,
"Chiara Meiohas" <cmeiohas@nvidia.com>,
Dennis Dalessandro <dennis.dalessandro@cornelisnetworks.com>,
Gal Pressman <galpress@amazon.com>,
Mark Bloch <markb@mellanox.com>,
Steve Wise <larrystevenwise@gmail.com>,
Mark Zhang <markzhang@nvidia.com>,
"Neta Ostrovsky" <netao@nvidia.com>,
Patrisious Haddad <phaddad@nvidia.com>,
"Doug Ledford" <dledford@redhat.com>,
Matan Barak <matanb@mellanox.com>, <majd@mellanox.com>,
Maor Gottlieb <maorg@mellanox.com>
Cc: <linux-rdma@vger.kernel.org>, <linux-kernel@vger.kernel.org>,
"Edward Srouji" <edwards@nvidia.com>
Subject: [PATCH rdma-next v2 03/11] RDMA/core: Preserve restrack resource ID on reinsertion
Date: Mon, 6 Apr 2026 12:11:14 +0300 [thread overview]
Message-ID: <20260406-security-bug-fixes-v2-3-ee8815fa81b7@nvidia.com> (raw)
In-Reply-To: <20260406-security-bug-fixes-v2-0-ee8815fa81b7@nvidia.com>
From: Patrisious Haddad <phaddad@nvidia.com>
rdma_restrack_add() currently always allocates a new ID via
xa_alloc_cyclic(), regardless of whether res->id is already set.
This change makes sure that the object’s ID remains the same across
removal and reinsertion to restrack.
This is a preparatory change for subsequent patches in the series
which will do rdma restrack removal and reinsertion.
Signed-off-by: Patrisious Haddad <phaddad@nvidia.com>
Signed-off-by: Edward Srouji <edwards@nvidia.com>
---
drivers/infiniband/core/restrack.c | 20 ++++++++++++++++----
1 file changed, 16 insertions(+), 4 deletions(-)
diff --git a/drivers/infiniband/core/restrack.c b/drivers/infiniband/core/restrack.c
index ac3688952cabbff1ebb899bacb78421f2515231b..485e7357c90a5ff9660feac38a0ec01c0deb0000 100644
--- a/drivers/infiniband/core/restrack.c
+++ b/drivers/infiniband/core/restrack.c
@@ -32,7 +32,7 @@ int rdma_restrack_init(struct ib_device *dev)
rt = dev->res;
for (i = 0; i < RDMA_RESTRACK_MAX; i++)
- xa_init_flags(&rt[i].xa, XA_FLAGS_ALLOC);
+ xa_init_flags(&rt[i].xa, XA_FLAGS_ALLOC1);
return 0;
}
@@ -71,6 +71,8 @@ int rdma_restrack_count(struct ib_device *dev, enum rdma_restrack_type type,
xa_lock(&rt->xa);
xas_for_each(&xas, e, U32_MAX) {
+ if (xa_is_zero(e))
+ continue;
if (xa_get_mark(&rt->xa, e->id, RESTRACK_DD) && !show_details)
continue;
cnt++;
@@ -216,14 +218,24 @@ void rdma_restrack_add(struct rdma_restrack_entry *res)
ret = xa_insert(&rt->xa, counter->id, res, GFP_KERNEL);
res->id = ret ? 0 : counter->id;
} else {
- ret = xa_alloc_cyclic(&rt->xa, &res->id, res, xa_limit_32b,
- &rt->next_id, GFP_KERNEL);
- ret = (ret < 0) ? ret : 0;
+ /* If res->id is valid, try to reinsert at res->id index in
+ * order to maintain the same id in case of a reinsertion.
+ */
+ if (res->id) {
+ ret = xa_insert(&rt->xa, res->id, res, GFP_KERNEL);
+ } else {
+ ret = xa_alloc_cyclic(&rt->xa, &res->id, res,
+ xa_limit_32b, &rt->next_id,
+ GFP_KERNEL);
+ ret = (ret < 0) ? ret : 0;
+ }
}
out:
if (!ret)
res->valid = true;
+ else
+ WARN_ONCE(true, "Failed to insert restrack entry at res->id %u", res->id);
}
EXPORT_SYMBOL(rdma_restrack_add);
--
2.49.0
next prev parent reply other threads:[~2026-04-06 9:11 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-06 9:11 [PATCH rdma-next v2 00/11] RDMA: Stability and race condition fixes Edward Srouji
2026-04-06 9:11 ` [PATCH rdma-next v2 01/11] RDMA/mlx5: Remove DCT restrack tracking Edward Srouji
2026-04-06 9:11 ` [PATCH rdma-next v2 02/11] RDMA/mlx5: Remove raw RSS QP " Edward Srouji
2026-04-06 9:11 ` Edward Srouji [this message]
2026-04-06 22:23 ` [PATCH rdma-next v2 03/11] RDMA/core: Preserve restrack resource ID on reinsertion Jason Gunthorpe
2026-04-07 9:18 ` Patrisious Haddad
2026-04-07 14:29 ` Jason Gunthorpe
2026-04-06 9:11 ` [PATCH rdma-next v2 04/11] RDMA/core: Fix use after free in ib_query_qp() Edward Srouji
2026-04-06 9:11 ` [PATCH rdma-next v2 05/11] RDMA/core: Fix potential use after free in ib_destroy_cq_user() Edward Srouji
2026-04-06 9:11 ` [PATCH rdma-next v2 06/11] RDMA/core: Fix potential use after free in ib_destroy_srq_user() Edward Srouji
2026-04-06 9:11 ` [PATCH rdma-next v2 07/11] RDMA/mlx5: Fix UAF in SRQ destroy due to race with create Edward Srouji
2026-04-06 9:11 ` [PATCH rdma-next v2 08/11] RDMA/mlx5: Fix UAF in DCT " Edward Srouji
2026-04-06 9:11 ` [PATCH rdma-next v2 09/11] IB/core: Fix IPv6 netlink message size in ib_nl_ip_send_msg() Edward Srouji
2026-04-06 9:11 ` [PATCH rdma-next v2 10/11] RDMA/core: Fix rereg_mr use-after-free race Edward Srouji
2026-04-06 9:11 ` [PATCH rdma-next v2 11/11] RDMA/mlx5: Fix null-ptr-deref in Raw Packet QP creation Edward Srouji
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260406-security-bug-fixes-v2-3-ee8815fa81b7@nvidia.com \
--to=edwards@nvidia.com \
--cc=cmeiohas@nvidia.com \
--cc=dennis.dalessandro@cornelisnetworks.com \
--cc=dledford@redhat.com \
--cc=galpress@amazon.com \
--cc=jgg@ziepe.ca \
--cc=larrystevenwise@gmail.com \
--cc=leon@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-rdma@vger.kernel.org \
--cc=majd@mellanox.com \
--cc=maorg@mellanox.com \
--cc=markb@mellanox.com \
--cc=markzhang@nvidia.com \
--cc=matanb@mellanox.com \
--cc=netao@nvidia.com \
--cc=phaddad@nvidia.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox