mirrors/linux
2
0
Fork 0
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git synced 2026-05-16 00:51:51 -04:00
Code Issues Packages Projects Releases Wiki Activity

soc: fsl: qbman: fix race condition in qman_destroy_fq

Browse Source 
When QMAN_FQ_FLAG_DYNAMIC_FQID is set, there's a race condition between
fq_table[fq->idx] state and freeing/allocating from the pool and
WARN_ON(fq_table[fq->idx]) in qman_create_fq() gets triggered.

Indeed, we can have:
         Thread A                             Thread B
    qman_destroy_fq()                    qman_create_fq()
      qman_release_fqid()
        qman_shutdown_fq()
        gen_pool_free()
           -- At this point, the fqid is available again --
                                           qman_alloc_fqid()
           -- so, we can get the just-freed fqid in thread B --
                                           fq->fqid = fqid;
                                           fq->idx = fqid * 2;
                                           WARN_ON(fq_table[fq->idx]);
                                           fq_table[fq->idx] = fq;
     fq_table[fq->idx] = NULL;

And adding some logs between qman_release_fqid() and
fq_table[fq->idx] = NULL makes the WARN_ON() trigger a lot more.

To prevent that, ensure that fq_table[fq->idx] is set to NULL before
gen_pool_free() is called by using smp_wmb().

Fixes: c535e923bb ("soc/fsl: Introduce DPAA 1.x QMan device driver")
Signed-off-by: Richard Genoud <richard.genoud@bootlin.com>
Tested-by: CHAMPSEIX Thomas <thomas.champseix@alstomgroup.com>
Link: https://lore.kernel.org/r/20251223072549.397625-1-richard.genoud@bootlin.com
Signed-off-by: Christophe Leroy (CS GROUP) <chleroy@kernel.org>
This commit is contained in:
Richard Genoud
2025-12-23 08:25:49 +01:00
committed by Christophe Leroy (CS GROUP)
parent 6de23f81a5
commit 014077044e
1 changed files with 22 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
drivers/soc/fsl/qbman/qman.c
View File

@@ -1827,6 +1827,8 @@ EXPORT_SYMBOL(qman_create_fq);
void qman_destroy_fq(struct qman_fq *fq)
{
int leaked;
/*
* We don't need to lock the FQ as it is a pre-condition that the FQ be
* quiesced. Instead, run some checks.
@@ -1834,11 +1836,29 @@ void qman_destroy_fq(struct qman_fq *fq)
switch (fq->state) {
case qman_fq_state_parked:
case qman_fq_state_oos:
if (fq_isset(fq, QMAN_FQ_FLAG_DYNAMIC_FQID))
qman_release_fqid(fq->fqid);
/*
* There's a race condition here on releasing the fqid,
* setting the fq_table to NULL, and freeing the fqid.
* To prevent it, this order should be respected:
*/
if (fq_isset(fq, QMAN_FQ_FLAG_DYNAMIC_FQID)) {
leaked = qman_shutdown_fq(fq->fqid);
if (leaked)
pr_debug("FQID %d leaked\n", fq->fqid);
}
DPAA_ASSERT(fq_table[fq->idx]);
fq_table[fq->idx] = NULL;
if (fq_isset(fq, QMAN_FQ_FLAG_DYNAMIC_FQID) && !leaked) {
/*
* fq_table[fq->idx] should be set to null before
* freeing fq->fqid otherwise it could by allocated by
* qman_alloc_fqid() while still being !NULL
*/
smp_wmb();
gen_pool_free(qm_fqalloc, fq->fqid | DPAA_GENALLOC_OFF, 1);
}
return;
default:
break;