From: Jason Gunthorpe <jgg@nvidia.com>
To: Junxian Huang <huangjunxian6@hisilicon.com>
Cc: Abhijit Gangurde <abhijit.gangurde@amd.com>,
Allen Hubbe <allen.hubbe@amd.com>,
Broadcom internal kernel review list
<bcm-kernel-feedback-list@broadcom.com>,
Bernard Metzler <bernard.metzler@linux.dev>,
Potnuri Bharat Teja <bharat@chelsio.com>,
Bryan Tan <bryan-bt.tan@broadcom.com>,
Cheng Xu <chengyou@linux.alibaba.com>,
Dennis Dalessandro <dennis.dalessandro@cornelisnetworks.com>,
Gal Pressman <gal.pressman@linux.dev>,
Kai Shen <kaishen@linux.alibaba.com>,
Kalesh AP <kalesh-anakkur.purayil@broadcom.com>,
Konstantin Taranov <kotaranov@microsoft.com>,
Krzysztof Czurylo <krzysztof.czurylo@intel.com>,
Leon Romanovsky <leon@kernel.org>,
linux-hyperv@vger.kernel.org, linux-rdma@vger.kernel.org,
Long Li <longli@microsoft.com>,
Michal Kalderon <mkalderon@marvell.com>,
Michael Margolin <mrgolin@amazon.com>,
Nelson Escobar <neescoba@cisco.com>,
Satish Kharat <satishkh@cisco.com>,
Selvin Xavier <selvin.xavier@broadcom.com>,
Yossi Leybovich <sleybo@amazon.com>,
Chengchang Tang <tangchengchang@huawei.com>,
Tatyana Nikolova <tatyana.e.nikolova@intel.com>,
Vishnu Dasa <vishnu.dasa@broadcom.com>,
Yishai Hadas <yishaih@nvidia.com>,
Adit Ranadive <aditr@vmware.com>,
Aditya Sarwade <asarwade@vmware.com>,
Bryan Tan <bryantan@vmware.com>, Dexuan Cui <decui@microsoft.com>,
Doug Ledford <dledford@redhat.com>,
George Zhang <georgezhang@vmware.com>,
Jorgen Hansen <jhansen@vmware.com>,
Leon Romanovsky <leonro@mellanox.com>,
Parav Pandit <parav.pandit@emulex.com>,
patches@lists.linux.dev, Roland Dreier <roland@purestorage.com>,
Roland Dreier <rolandd@cisco.com>,
Ajay Sharma <sharmaajay@microsoft.com>,
stable@vger.kernel.org
Subject: Re: [PATCH v2 06/16] RDMA/hns: Fix xarray race in hns_roce_create_srq()
Date: Tue, 7 Apr 2026 11:03:26 -0300 [thread overview]
Message-ID: <20260407140326.GB3357077@nvidia.com> (raw)
In-Reply-To: <f1fb94fe-c86b-7866-d606-088343a56fab@hisilicon.com>
On Tue, Apr 07, 2026 at 09:39:52PM +0800, Junxian Huang wrote:
>
>
> On 2026/4/7 1:40, Jason Gunthorpe wrote:
> > Sashiko points out that once the srq memory is stored into the xarray by
> > alloc_srqc() it can immediately be looked up by:
> >
> > xa_lock(&srq_table->xa);
> > srq = xa_load(&srq_table->xa, srqn & (hr_dev->caps.num_srqs - 1));
> > if (srq)
> > refcount_inc(&srq->refcount);
> > xa_unlock(&srq_table->xa);
> >
> > Which will fail refcount debug because the refcount is 0 and then crash:
> >
> > srq->event(srq, event_type);
> >
> > Because event is NULL.
>
> I don't think this will actually happen because HW won't report an SRQ
> event before the SRQ is fully ready and actually used.
Probably, but also maybe there is some crazy race where EQ event can
be generated and the SRQ cycled before it is collected..
There is also a second bug here that Shashiko noticed on this patch
that the order is wrong, the goto unwind in create will call
free_srqc() but it hasn't yet setup the completion. I will fix that in
a v3..
> From the perspective of coding, I'm fine with this change, but since
> there is similar logic for QP event, could you also apply this change
> to QP?
Sure
Jason
next prev parent reply other threads:[~2026-04-07 14:03 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-06 17:40 [PATCH v2 00/16] Convert all drivers to the new udata response flow Jason Gunthorpe
2026-04-06 17:40 ` [PATCH v2 01/16] RDMA/mana: Fix error unwind in mana_ib_create_qp_rss() Jason Gunthorpe
2026-04-06 17:40 ` [PATCH v2 02/16] RDMA/ocrdma: Clarify the mm_head searching Jason Gunthorpe
2026-04-06 17:40 ` [PATCH v2 03/16] RDMA/ocrdma: Don't NULL deref uctx on errors in ocrdma_copy_pd_uresp() Jason Gunthorpe
2026-04-06 17:40 ` [PATCH v2 04/16] RDMA/vmw_pvrdma: Fix double free on pvrdma_alloc_ucontext() error path Jason Gunthorpe
2026-04-06 17:40 ` [PATCH v2 05/16] RDMA/mlx4: Fix resource leak on error in mlx4_ib_create_srq() Jason Gunthorpe
2026-04-06 17:40 ` [PATCH v2 06/16] RDMA/hns: Fix xarray race in hns_roce_create_srq() Jason Gunthorpe
2026-04-07 13:39 ` Junxian Huang
2026-04-07 14:03 ` Jason Gunthorpe [this message]
2026-04-06 17:40 ` [PATCH v2 07/16] RDMA: Use ib_is_udata_in_empty() for places calling ib_is_udata_cleared() Jason Gunthorpe
2026-04-06 17:40 ` [PATCH v2 08/16] IB/rdmavt: Don't abuse udata and ib_respond_udata() Jason Gunthorpe
2026-04-06 17:40 ` [PATCH v2 09/16] RDMA: Convert drivers using min to ib_respond_udata() Jason Gunthorpe
2026-04-06 17:40 ` [PATCH v2 10/16] RDMA: Convert drivers using sizeof() " Jason Gunthorpe
2026-04-06 17:40 ` [PATCH v2 11/16] RDMA/cxgb4: Convert " Jason Gunthorpe
2026-04-06 17:40 ` [PATCH v2 12/16] RDMA/qedr: Replace qedr_ib_copy_to_udata() with ib_respond_udata() Jason Gunthorpe
2026-04-06 17:40 ` [PATCH v2 13/16] RDMA/mlx: Replace response_len " Jason Gunthorpe
2026-04-06 17:40 ` [PATCH v2 14/16] RDMA: Use proper driver data response structs instead of open coding Jason Gunthorpe
2026-04-06 17:40 ` [PATCH v2 15/16] RDMA: Add missed = {} initialization to uresp structs Jason Gunthorpe
2026-04-06 17:40 ` [PATCH v2 16/16] RDMA: Replace memset with = {} pattern for ib_respond_udata() Jason Gunthorpe
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260407140326.GB3357077@nvidia.com \
--to=jgg@nvidia.com \
--cc=abhijit.gangurde@amd.com \
--cc=aditr@vmware.com \
--cc=allen.hubbe@amd.com \
--cc=asarwade@vmware.com \
--cc=bcm-kernel-feedback-list@broadcom.com \
--cc=bernard.metzler@linux.dev \
--cc=bharat@chelsio.com \
--cc=bryan-bt.tan@broadcom.com \
--cc=bryantan@vmware.com \
--cc=chengyou@linux.alibaba.com \
--cc=decui@microsoft.com \
--cc=dennis.dalessandro@cornelisnetworks.com \
--cc=dledford@redhat.com \
--cc=gal.pressman@linux.dev \
--cc=georgezhang@vmware.com \
--cc=huangjunxian6@hisilicon.com \
--cc=jhansen@vmware.com \
--cc=kaishen@linux.alibaba.com \
--cc=kalesh-anakkur.purayil@broadcom.com \
--cc=kotaranov@microsoft.com \
--cc=krzysztof.czurylo@intel.com \
--cc=leon@kernel.org \
--cc=leonro@mellanox.com \
--cc=linux-hyperv@vger.kernel.org \
--cc=linux-rdma@vger.kernel.org \
--cc=longli@microsoft.com \
--cc=mkalderon@marvell.com \
--cc=mrgolin@amazon.com \
--cc=neescoba@cisco.com \
--cc=parav.pandit@emulex.com \
--cc=patches@lists.linux.dev \
--cc=roland@purestorage.com \
--cc=rolandd@cisco.com \
--cc=satishkh@cisco.com \
--cc=selvin.xavier@broadcom.com \
--cc=sharmaajay@microsoft.com \
--cc=sleybo@amazon.com \
--cc=stable@vger.kernel.org \
--cc=tangchengchang@huawei.com \
--cc=tatyana.e.nikolova@intel.com \
--cc=vishnu.dasa@broadcom.com \
--cc=yishaih@nvidia.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox