libhns: Fix possible overflow in cq clean

[ Upstream commit 886b17c ] The ci/pi of hns roce cq allows data to be flipped. but in __hns_roce_v2_cq_clean(), this flip may lead to an wrong number of loops. This patch fixes it by extending the data type to avoid data flipping. Fixes: 6fe30a1 ("libhns: Introduce QP operations referred to hip08 RoCE device") Signed-off-by: Chengchang Tang <tangchengchang@huawei.com> Signed-off-by: Junxian Huang <huangjunxian6@hisilicon.com> Signed-off-by: Nicolas Morey <nmorey@suse.com>
linux-rdma · Jan 17, 2024 · 7ec10d2 · 7ec10d2
1 parent 7ad12ac
commit 7ec10d2
Showing 1 changed file with 11 additions and 10 deletions.
diff --git a/providers/hns/hns_roce_u_hw_v2.c b/providers/hns/hns_roce_u_hw_v2.c
@@ -1435,20 +1435,21 @@ static int hns_roce_u_v2_post_recv(struct ibv_qp *ibvqp, struct ibv_recv_wr *wr,
 static void __hns_roce_v2_cq_clean(struct hns_roce_cq *cq, uint32_t qpn,
 				   struct hns_roce_srq *srq)
 {
-	int nfreed = 0;
-	bool is_recv_cqe;
-	uint8_t owner_bit;
-	uint16_t wqe_index;
-	uint32_t prod_index;
-	struct hns_roce_v2_cqe *cqe, *dest;
 	struct hns_roce_context *ctx = to_hr_ctx(cq->verbs_cq.cq.context);
+	uint64_t cons_index = cq->cons_index;
+	uint64_t prod_index = cq->cons_index;
+	struct hns_roce_v2_cqe *cqe, *dest;
+	uint16_t wqe_index;
+	uint8_t owner_bit;
+	bool is_recv_cqe;
+	int nfreed = 0;
 
-	for (prod_index = cq->cons_index; get_sw_cqe_v2(cq, prod_index);
-	     ++prod_index)
-		if (prod_index > cq->cons_index + cq->verbs_cq.cq.cqe)
+	for (; get_sw_cqe_v2(cq, prod_index); ++prod_index)
+		if (prod_index > cons_index + cq->verbs_cq.cq.cqe)
 			break;
 
-	while ((int) --prod_index - (int) cq->cons_index >= 0) {
+	while (prod_index - cons_index > 0) {
+		prod_index--;
 		cqe = get_cqe_v2(cq, prod_index & cq->verbs_cq.cq.cqe);
 		if (hr_reg_read(cqe, CQE_LCL_QPN) == qpn) {
 			is_recv_cqe = hr_reg_read(cqe, CQE_S_R);