From: 'Simon Horman' <[email protected]>

This is an AI-generated review of your patch. The human sending this
email has considered the AI review valid, or at least plausible.
Full review at: https://sashiko.dev
---
net: mana: Create separate EQs for each vPort

This commit modifies the mana driver to prepare for assigning vPorts to
dedicated MSI-X vectors by removing EQ sharing among vPorts. It moves the EQ
definition from the mana_context to the mana_port_context and exports EQ
lifecycle functions for use by the MANA RDMA driver.

> diff --git a/drivers/infiniband/hw/mana/qp.c b/drivers/infiniband/hw/mana/qp.c
> index 645581359cee..6f1043383e8c 100644
> --- a/drivers/infiniband/hw/mana/qp.c
> +++ b/drivers/infiniband/hw/mana/qp.c
> @@ -168,7 +168,15 @@ static int mana_ib_create_qp_rss(struct ib_qp *ibqp, 
> struct ib_pd *pd,
>               cq_spec.gdma_region = cq->queue.gdma_region;
>               cq_spec.queue_size = cq->cqe * COMP_ENTRY_SIZE;
>               cq_spec.modr_ctx_id = 0;
> -             eq = &mpc->ac->eqs[cq->comp_vector];
> +             /* EQs are created when a raw QP configures the vport.
> +              * A raw QP must be created before creating rwq_ind_tbl.
> +              */
> +             if (!mpc->eqs) {
> +                     ret = -EINVAL;
> +                     i--;
> +                     goto fail;
> +             }
> +             eq = &mpc->eqs[cq->comp_vector % mpc->num_queues];

Is it possible for the EQs to be destroyed while this RSS QP is still actively
using them?

If the EQs are created by the Ethernet interface being brought up, or by
a RAW QP configuring the vport, this RSS QP will attach to them without
incrementing pd->vport_use_count or taking any vport reference count.

If the Ethernet interface is subsequently brought down, or the RAW QP is
destroyed, mana_destroy_eq() will be called, freeing the mpc->eqs array and
destroying the underlying DMA regions while this RSS QP remains active. This
regression could allow the hardware to DMA completion events into freed
EQ memory.

Additionally, since mpc->eqs is accessed here without holding pd->vport_mutex,
could a concurrent teardown of the EQs lead to a use-after-free when reading
eq->eq->id?

>               cq_spec.attached_eq = eq->eq->id;
>  
>               ret = mana_create_wq_obj(mpc, mpc->port_handle, GDMA_RQ,
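
Review bot: In the new `eq = &mpc->eqs[cq->comp_vector % mpc->num_queues];` line, the modulo divides by mpc->num_queues, but the only guard added above it is `!mpc->eqs`. Nothing visible in this hunk guarantees that num_queues is non-zero whenever eqs is non-NULL. Consider testing both in the same branch, or adding a comment that states the invariant tying them together. The modulo also silently maps an out-of-range comp_vector onto a different EQ, where the removed line indexed `mpc->ac->eqs` by comp_vector directly. If that wrap-around is intended, the comment block should say so. Separately, the `i--` before `goto fail` in the new error branch would benefit from a short comment explaining why the index is adjusted for the unwind path.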
