提交 7a26c474 编写于 作者: B Bryan O'Sullivan 提交者: Roland Dreier

IB/ipath: Fix races with ib_resize_cq()

The resize CQ function changes the memory used to store the queue.
Other routines need to honor the lock before accessing the pointer
to the queue and verify that the head and tail are in range.
Signed-off-by: NBryan O'Sullivan <bryan.osullivan@qlogic.com>
Signed-off-by: NRoland Dreier <rolandd@cisco.com>
上级 bf3258ec
...@@ -46,7 +46,7 @@ ...@@ -46,7 +46,7 @@
*/ */
void ipath_cq_enter(struct ipath_cq *cq, struct ib_wc *entry, int solicited) void ipath_cq_enter(struct ipath_cq *cq, struct ib_wc *entry, int solicited)
{ {
struct ipath_cq_wc *wc = cq->queue; struct ipath_cq_wc *wc;
unsigned long flags; unsigned long flags;
u32 head; u32 head;
u32 next; u32 next;
...@@ -57,6 +57,7 @@ void ipath_cq_enter(struct ipath_cq *cq, struct ib_wc *entry, int solicited) ...@@ -57,6 +57,7 @@ void ipath_cq_enter(struct ipath_cq *cq, struct ib_wc *entry, int solicited)
* Note that the head pointer might be writable by user processes. * Note that the head pointer might be writable by user processes.
* Take care to verify it is a sane value. * Take care to verify it is a sane value.
*/ */
wc = cq->queue;
head = wc->head; head = wc->head;
if (head >= (unsigned) cq->ibcq.cqe) { if (head >= (unsigned) cq->ibcq.cqe) {
head = cq->ibcq.cqe; head = cq->ibcq.cqe;
...@@ -109,21 +110,27 @@ void ipath_cq_enter(struct ipath_cq *cq, struct ib_wc *entry, int solicited) ...@@ -109,21 +110,27 @@ void ipath_cq_enter(struct ipath_cq *cq, struct ib_wc *entry, int solicited)
int ipath_poll_cq(struct ib_cq *ibcq, int num_entries, struct ib_wc *entry) int ipath_poll_cq(struct ib_cq *ibcq, int num_entries, struct ib_wc *entry)
{ {
struct ipath_cq *cq = to_icq(ibcq); struct ipath_cq *cq = to_icq(ibcq);
struct ipath_cq_wc *wc = cq->queue; struct ipath_cq_wc *wc;
unsigned long flags; unsigned long flags;
int npolled; int npolled;
u32 tail;
spin_lock_irqsave(&cq->lock, flags); spin_lock_irqsave(&cq->lock, flags);
wc = cq->queue;
tail = wc->tail;
if (tail > (u32) cq->ibcq.cqe)
tail = (u32) cq->ibcq.cqe;
for (npolled = 0; npolled < num_entries; ++npolled, ++entry) { for (npolled = 0; npolled < num_entries; ++npolled, ++entry) {
if (wc->tail == wc->head) if (tail == wc->head)
break; break;
*entry = wc->queue[wc->tail]; *entry = wc->queue[tail];
if (wc->tail >= cq->ibcq.cqe) if (tail >= cq->ibcq.cqe)
wc->tail = 0; tail = 0;
else else
wc->tail++; tail++;
} }
wc->tail = tail;
spin_unlock_irqrestore(&cq->lock, flags); spin_unlock_irqrestore(&cq->lock, flags);
...@@ -322,10 +329,16 @@ int ipath_req_notify_cq(struct ib_cq *ibcq, enum ib_cq_notify notify) ...@@ -322,10 +329,16 @@ int ipath_req_notify_cq(struct ib_cq *ibcq, enum ib_cq_notify notify)
return 0; return 0;
} }
/**
* ipath_resize_cq - change the size of the CQ
* @ibcq: the completion queue
*
* Returns 0 for success.
*/
int ipath_resize_cq(struct ib_cq *ibcq, int cqe, struct ib_udata *udata) int ipath_resize_cq(struct ib_cq *ibcq, int cqe, struct ib_udata *udata)
{ {
struct ipath_cq *cq = to_icq(ibcq); struct ipath_cq *cq = to_icq(ibcq);
struct ipath_cq_wc *old_wc = cq->queue; struct ipath_cq_wc *old_wc;
struct ipath_cq_wc *wc; struct ipath_cq_wc *wc;
u32 head, tail, n; u32 head, tail, n;
int ret; int ret;
...@@ -361,6 +374,7 @@ int ipath_resize_cq(struct ib_cq *ibcq, int cqe, struct ib_udata *udata) ...@@ -361,6 +374,7 @@ int ipath_resize_cq(struct ib_cq *ibcq, int cqe, struct ib_udata *udata)
* Make sure head and tail are sane since they * Make sure head and tail are sane since they
* might be user writable. * might be user writable.
*/ */
old_wc = cq->queue;
head = old_wc->head; head = old_wc->head;
if (head > (u32) cq->ibcq.cqe) if (head > (u32) cq->ibcq.cqe)
head = (u32) cq->ibcq.cqe; head = (u32) cq->ibcq.cqe;
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册