* [PATCH] RDMA/hns: fix dead empty check on head->root in setup_root_hem()
@ 2026-05-21 13:20 Maoyi Xie
2026-05-25 15:51 ` Jason Gunthorpe
2026-05-26 5:46 ` [PATCH v2] RDMA/hns: drop dead empty check " Maoyi Xie
0 siblings, 2 replies; 3+ messages in thread
From: Maoyi Xie @ 2026-05-21 13:20 UTC (permalink / raw)
To: Chengchang Tang, Junxian Huang
Cc: Jason Gunthorpe, Leon Romanovsky, linux-rdma, linux-kernel
setup_root_hem() reads head->root with list_first_entry() and then
tests the returned pointer against NULL. list_first_entry() never
returns NULL. On an empty list it returns container_of(&head->root,
struct hns_roce_hem_item, list), which equals &head->root because
list is the first member. The -ENOMEM early return is dead code.
If head->root is ever empty here, the aliased root_hem points at
&head->root. root_hem->addr and root_hem->dma_addr then read past
the end of struct hns_roce_hem_head into adjacent memory. The
garbage value is handed to the hardware as a DMA base address.
Use list_first_entry_or_null() so the empty case returns NULL and the
-ENOMEM early return runs.
The same shape has been cleaned up elsewhere, for example in
commit fbb8bc408027 ("net: qed: Remove redundant NULL checks after list_first_entry()"),
commit c708d3fad421 ("crypto: atmel - use list_first_entry_or_null to simplify find_dev"),
and commit 10379171f346 ("ksmbd: use list_first_entry_or_null for opinfo_get_list()").
This hns site was missed by those cleanups.
Signed-off-by: Maoyi Xie <maoyixie.tju@gmail.com>
---
drivers/infiniband/hw/hns/hns_roce_hem.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/infiniband/hw/hns/hns_roce_hem.c b/drivers/infiniband/hw/hns/hns_roce_hem.c
index e7c9e30ad2d8..12ac9ba6b312 100644
--- a/drivers/infiniband/hw/hns/hns_roce_hem.c
+++ b/drivers/infiniband/hw/hns/hns_roce_hem.c
@@ -1267,8 +1267,8 @@ setup_root_hem(struct hns_roce_dev *hr_dev, struct hns_roce_hem_list *hem_list,
int i, total;
int ret;
- root_hem = list_first_entry(&head->root,
- struct hns_roce_hem_item, list);
+ root_hem = list_first_entry_or_null(&head->root,
+ struct hns_roce_hem_item, list);
if (!root_hem)
return -ENOMEM;
--
2.34.1
^ permalink raw reply related [flat|nested] 3+ messages in thread* Re: [PATCH] RDMA/hns: fix dead empty check on head->root in setup_root_hem()
2026-05-21 13:20 [PATCH] RDMA/hns: fix dead empty check on head->root in setup_root_hem() Maoyi Xie
@ 2026-05-25 15:51 ` Jason Gunthorpe
2026-05-26 5:46 ` [PATCH v2] RDMA/hns: drop dead empty check " Maoyi Xie
1 sibling, 0 replies; 3+ messages in thread
From: Jason Gunthorpe @ 2026-05-25 15:51 UTC (permalink / raw)
To: Maoyi Xie
Cc: Chengchang Tang, Junxian Huang, Leon Romanovsky, linux-rdma,
linux-kernel
On Thu, May 21, 2026 at 09:20:45PM +0800, Maoyi Xie wrote:
> --- a/drivers/infiniband/hw/hns/hns_roce_hem.c
> +++ b/drivers/infiniband/hw/hns/hns_roce_hem.c
> @@ -1267,8 +1267,8 @@ setup_root_hem(struct hns_roce_dev *hr_dev, struct hns_roce_hem_list *hem_list,
> int i, total;
> int ret;
>
> - root_hem = list_first_entry(&head->root,
> - struct hns_roce_hem_item, list);
> + root_hem = list_first_entry_or_null(&head->root,
> + struct hns_roce_hem_item, list);
> if (!root_hem)
> return -ENOMEM;
Delete the if, the list can never be empty. The driver immediately
adds an entry after initializing it and never removes entries
Jason
^ permalink raw reply [flat|nested] 3+ messages in thread
* [PATCH v2] RDMA/hns: drop dead empty check in setup_root_hem()
2026-05-21 13:20 [PATCH] RDMA/hns: fix dead empty check on head->root in setup_root_hem() Maoyi Xie
2026-05-25 15:51 ` Jason Gunthorpe
@ 2026-05-26 5:46 ` Maoyi Xie
1 sibling, 0 replies; 3+ messages in thread
From: Maoyi Xie @ 2026-05-26 5:46 UTC (permalink / raw)
To: Chengchang Tang, Junxian Huang
Cc: Jason Gunthorpe, Leon Romanovsky, linux-rdma, linux-kernel
setup_root_hem() reads the first entry of head->root and checks
the returned pointer against NULL:
root_hem = list_first_entry(&head->root,
struct hns_roce_hem_item, list);
if (!root_hem)
return -ENOMEM;
list_first_entry() never returns NULL. On an empty list it returns
container_of(head, ..., list), a non-NULL garbage pointer that
aliases the head. So the check is dead.
The only caller adds an entry to head.root right before invoking
setup_root_hem():
list_add(&root_hem->list, &head.root);
ret = setup_root_hem(..., &head, ...);
So head.root is guaranteed non-empty on entry. Drop the check.
Suggested-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Maoyi Xie <maoyixie.tju@gmail.com>
---
v2: drop the check entirely per Jason's review, instead of
converting to list_first_entry_or_null() as in v1.
v1: https://lore.kernel.org/r/20260521132045.3430906-1-maoyixie.tju@gmail.com
drivers/infiniband/hw/hns/hns_roce_hem.c | 2 --
1 file changed, 2 deletions(-)
diff --git a/drivers/infiniband/hw/hns/hns_roce_hem.c b/drivers/infiniband/hw/hns/hns_roce_hem.c
index e7c9e30ad2d8..61cd9f96423e 100644
--- a/drivers/infiniband/hw/hns/hns_roce_hem.c
+++ b/drivers/infiniband/hw/hns/hns_roce_hem.c
@@ -1269,8 +1269,6 @@ setup_root_hem(struct hns_roce_dev *hr_dev, struct hns_roce_hem_list *hem_list,
root_hem = list_first_entry(&head->root,
struct hns_roce_hem_item, list);
- if (!root_hem)
- return -ENOMEM;
total = 0;
for (i = 0; i < region_cnt && total <= max_ba_num; i++) {
--
2.34.1
^ permalink raw reply related [flat|nested] 3+ messages in thread
end of thread, other threads:[~2026-05-26 5:46 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-05-21 13:20 [PATCH] RDMA/hns: fix dead empty check on head->root in setup_root_hem() Maoyi Xie
2026-05-25 15:51 ` Jason Gunthorpe
2026-05-26 5:46 ` [PATCH v2] RDMA/hns: drop dead empty check " Maoyi Xie
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox