On Mon, Feb 16, 2026 at 09:29:29AM +0530, Selvin Xavier wrote:
> On Fri, Feb 13, 2026 at 4:31 PM Leon Romanovsky <[email protected]> wrote:
> >
> > From: Leon Romanovsky <[email protected]>
> >
> > There is no need to defer the CQ resize operation, as it is intended to
> > be completed in one pass. The current bnxt_re_resize_cq() implementation
> > does not handle concurrent CQ resize requests, and this will be addressed
> > in the following patches.
> bnxt HW requires that the previous CQ memory be available with the HW until
> HW generates a cut off cqe on the CQ that is being destroyed. This is the
> reason for polling the completions in the user library after returning the
> resize_cq call. Once the polling thread sees the expected CQE, it will
> invoke the driver to free CQ memory.

This flow is problematic. It requires the kernel to trust a user-space
application, which is not acceptable. There is no guarantee that the
rdma-core implementation is correct or will invoke the interface properly.
Users can bypass rdma-core entirely and issue ioctls directly (syzkaller,
custom rdma-core variants, etc.), leading to umem leaks, races that overwrite
kernel memory, and access to fields that are now being modified. All of this
can occur silently and without any protections.

> So ib_umem_release should wait. This patch doesn't guarantee that.

The issue is that it was never guaranteed in the first place. It only appeared
to work under very controlled conditions.

> Do you think if there is a better way to handle this requirement?

You should wait for BNXT_RE_WC_TYPE_COFF in the kernel before returning
from resize_cq.

Thanks

> 
> >
> > Signed-off-by: Leon Romanovsky <[email protected]>
> > ---
> >  drivers/infiniband/hw/bnxt_re/ib_verbs.c | 33 
> > +++++++++-----------------------
> >  1 file changed, 9 insertions(+), 24 deletions(-)
> >
> > diff --git a/drivers/infiniband/hw/bnxt_re/ib_verbs.c 
> > b/drivers/infiniband/hw/bnxt_re/ib_verbs.c
> > index d652018c19b3..2aecfbbb7eaf 100644
> > --- a/drivers/infiniband/hw/bnxt_re/ib_verbs.c
> > +++ b/drivers/infiniband/hw/bnxt_re/ib_verbs.c
> > @@ -3309,20 +3309,6 @@ int bnxt_re_create_cq(struct ib_cq *ibcq, const 
> > struct ib_cq_init_attr *attr,
> >         return rc;
> >  }
> >
> > -static void bnxt_re_resize_cq_complete(struct bnxt_re_cq *cq)
> > -{
> > -       struct bnxt_re_dev *rdev = cq->rdev;
> > -
> > -       bnxt_qplib_resize_cq_complete(&rdev->qplib_res, &cq->qplib_cq);
> > -
> > -       cq->qplib_cq.max_wqe = cq->resize_cqe;
> > -       if (cq->resize_umem) {
> > -               ib_umem_release(cq->ib_cq.umem);
> > -               cq->ib_cq.umem = cq->resize_umem;
> > -               cq->resize_umem = NULL;
> > -               cq->resize_cqe = 0;
> > -       }
> > -}
> >
> >  int bnxt_re_resize_cq(struct ib_cq *ibcq, unsigned int cqe,
> >                       struct ib_udata *udata)
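
Review bot: removing bnxt_re_resize_cq_complete() leaves two consecutive blank lines between the closing brace of bnxt_re_create_cq() and the start of bnxt_re_resize_cq(). Drop one of them so the file keeps a single blank line between functions.
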
> > @@ -3387,7 +3373,15 @@ int bnxt_re_resize_cq(struct ib_cq *ibcq, unsigned 
> > int cqe,
> >                 goto fail;
> >         }
> >
> > -       cq->ib_cq.cqe = cq->resize_cqe;
> > +       bnxt_qplib_resize_cq_complete(&rdev->qplib_res, &cq->qplib_cq);
> > +
> > +       cq->qplib_cq.max_wqe = cq->resize_cqe;
> > +       ib_umem_release(cq->ib_cq.umem);
> > +       cq->ib_cq.umem = cq->resize_umem;
> > +       cq->resize_umem = NULL;
> > +       cq->resize_cqe = 0;
> > +
> > +       cq->ib_cq.cqe = entries;
> >         atomic_inc(&rdev->stats.res.resize_count);
> >
> >         return 0;
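
Review bot: ib_umem_release(cq->ib_cq.umem) now runs immediately after bnxt_qplib_resize_cq_complete(), and nothing in these lines waits for the hardware to stop using the old buffer, while the thread states that the HW needs the previous CQ memory until it generates the cut-off CQE. Wait for BNXT_RE_WC_TYPE_COFF in the kernel before this release, as proposed in the reply, or explain in the commit message why the old umem is safe to free at this point. The removed helper also performed the swap only under `if (cq->resize_umem)`; that check is gone here, so if resize_umem can be NULL on this path the CQ is left with cq->ib_cq.umem set to NULL after its old umem has been released.
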
> > @@ -3907,15 +3901,6 @@ int bnxt_re_poll_cq(struct ib_cq *ib_cq, int 
> > num_entries, struct ib_wc *wc)
> >         struct bnxt_re_sqp_entries *sqp_entry = NULL;
> >         unsigned long flags;
> >
> > -       /* User CQ; the only processing we do is to
> > -        * complete any pending CQ resize operation.
> > -        */
> > -       if (cq->ib_cq.umem) {
> > -               if (cq->resize_umem)
> > -                       bnxt_re_resize_cq_complete(cq);
> > -               return 0;
> > -       }
> > -
> >         spin_lock_irqsave(&cq->cq_lock, flags);
> >         budget = min_t(u32, num_entries, cq->max_cql);
> >         num_entries = budget;
> >
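
Review bot: the block removed from bnxt_re_poll_cq() did two things, and only one of them is the deferred resize: it also returned 0 for any CQ with cq->ib_cq.umem set, before the spin_lock_irqsave(). With the whole block gone, a poll on a user CQ that reaches this function falls through to the kernel polling path. Either keep the early `if (cq->ib_cq.umem) return 0;` or state in the commit message why this function can no longer be reached for a user CQ.
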
> > --
> > 2.52.0
> >


