RDMA/hns: Fix simultaneous reset and resource deregistration

	if (ret)

		dev_err(dev, "DESTROY_CQ failed (%d) for CQN %06lx\n", ret,

			hr_cq->cqn);

	if (ret == -EBUSY)

		hr_cq->delayed_destroy_flag = true;

	xa_erase(&cq_table->array, hr_cq->cqn);

		complete(&hr_cq->free);

	wait_for_completion(&hr_cq->free);

	/* this resource will be freed when the driver is uninstalled, so

	 * no memory leak will occur.

	 */

	if (!hr_cq->delayed_destroy_flag)

		hns_roce_table_put(hr_dev, &cq_table->table, hr_cq->cqn);

}

	struct hns_roce_buf_attr buf_attr = {};

	int ret;

	hr_cq->mtr_node = kvmalloc(sizeof(*hr_cq->mtr_node), GFP_KERNEL);

	if (!hr_cq->mtr_node)

		return -ENOMEM;

	buf_attr.page_shift = hr_dev->caps.cqe_buf_pg_sz + PAGE_SHIFT;

	buf_attr.region[0].size = hr_cq->cq_depth * hr_cq->cqe_size;

	buf_attr.region[0].hopnum = hr_dev->caps.cqe_hop_num;

	ret = hns_roce_mtr_create(hr_dev, &hr_cq->mtr, &buf_attr,

				  hr_dev->caps.cqe_ba_pg_sz + PAGE_SHIFT,

				  udata, addr);

	if (ret)

	if (ret) {

		ibdev_err(ibdev, "Failed to alloc CQ mtr, ret = %d\n", ret);

		kvfree(hr_cq->mtr_node);

	}

	return ret;

}

static void free_cq_buf(struct hns_roce_dev *hr_dev, struct hns_roce_cq *hr_cq)

{

	if (hr_cq->delayed_destroy_flag) {

		hns_roce_add_unfree_mtr(hr_cq->mtr_node, hr_dev, &hr_cq->mtr);

	} else {

		hns_roce_mtr_destroy(hr_dev, &hr_cq->mtr);

		kvfree(hr_cq->mtr_node);

	}

}

static int alloc_cq_db(struct hns_roce_dev *hr_dev, struct hns_roce_cq *hr_cq,

		uctx = rdma_udata_to_drv_context(udata,

						 struct hns_roce_ucontext,

						 ibucontext);

		hns_roce_db_unmap_user(uctx, &hr_cq->db);

		hns_roce_db_unmap_user(uctx, &hr_cq->db,

				       hr_cq->delayed_destroy_flag);

	} else {

		hns_roce_free_db(hr_dev, &hr_cq->db);

	}

	page = kmalloc(sizeof(*page), GFP_KERNEL);

	if (!page) {

		ret = -ENOMEM;

		goto out;

		goto err_out;

	}

	refcount_set(&page->refcount, 1);

				 PAGE_SIZE, 0);

	if (IS_ERR(page->umem)) {

		ret = PTR_ERR(page->umem);

		kfree(page);

		goto out;

		goto err_page;

	}

	page->umem_node = kvmalloc(sizeof(*page->umem_node), GFP_KERNEL);

	if (!page->umem_node) {

		ret = -ENOMEM;

		goto err_umem;

	}

	list_add(&page->list, &context->page_list);

	db->virt_addr = sg_virt(page->umem->sg_head.sgl) + offset;

	db->u.user_page = page;

	refcount_inc(&page->refcount);

	mutex_unlock(&context->page_mutex);

	return 0;

out:

err_umem:

	ib_umem_release(page->umem);

err_page:

	kvfree(page);

err_out:

	mutex_unlock(&context->page_mutex);

	return ret;

}

void hns_roce_db_unmap_user(struct hns_roce_ucontext *context,

			    struct hns_roce_db *db)

			    struct hns_roce_db *db,

			    bool delayed_unmap_flag)

{

	struct hns_roce_dev *hr_dev = to_hr_dev(context->ibucontext.device);

	mutex_lock(&context->page_mutex);

	refcount_dec(&db->u.user_page->refcount);

	if (refcount_dec_if_one(&db->u.user_page->refcount)) {

		list_del(&db->u.user_page->list);

		if (delayed_unmap_flag) {

			hns_roce_add_unfree_umem(db->u.user_page, hr_dev);

		} else {

			ib_umem_release(db->u.user_page->umem);

			kvfree(db->u.user_page->umem_node);

		}

		kfree(db->u.user_page);

	}

	struct hns_roce_mtr	pbl_mtr;

	u32			npages;

	dma_addr_t		*page_list;

	bool			delayed_destroy_flag;

	struct hns_roce_mtr_node *mtr_node;

};

struct hns_roce_mr_table {

	dma_addr_t		db_dma;

};

struct hns_roce_umem_node {

	struct ib_umem *umem;

	struct list_head list;

};

struct hns_roce_user_db_page {

	struct list_head	list;

	struct ib_umem		*umem;

	unsigned long		user_virt;

	refcount_t		refcount;

	struct hns_roce_umem_node *umem_node;

};

struct hns_roce_db {

	int				is_armed; /* cq is armed */

	struct list_head		node; /* all armed cqs are on a list */

	u8				poe_channel;

	bool				delayed_destroy_flag;

	struct hns_roce_notify_conf	write_notify;

	struct hns_roce_mtr_node *mtr_node;

};

struct hns_roce_idx_que {

	unsigned long			*bitmap;

	u32				head;

	u32				tail;

	struct hns_roce_mtr_node *mtr_node;

};

struct hns_roce_srq {

	void (*event)(struct hns_roce_srq *srq, enum hns_roce_event event);

	struct hns_roce_db	rdb;

	u32			cap_flags;

	bool			delayed_destroy_flag;

	struct hns_roce_mtr_node *mtr_node;

};

struct hns_roce_uar_table {

	u32			config;

	u8			tc_mode;

	u8			priority;

	bool			delayed_destroy_flag;

	struct hns_roce_mtr_node *mtr_node;

};

struct hns_roce_ib_iboe {

	struct hns_roce_scc_param *scc_param;

};

struct hns_roce_mtr_node {

	struct hns_roce_mtr mtr;

	struct list_head list;

};

struct hns_roce_dev {

	struct ib_device	ib_dev;

	struct pci_dev		*pci_dev;

	struct rdma_notify_mem *notify_tbl;

	size_t notify_num;

	struct list_head mtr_unfree_list; /* list of unfree mtr on this dev */

	spinlock_t mtr_unfree_list_lock; /* protect mtr_unfree_list */

	struct list_head umem_unfree_list; /* list of unfree umem on this dev */

	spinlock_t umem_unfree_list_lock; /* protect umem_unfree_list */

};

static inline struct hns_roce_dev *to_hr_dev(struct ib_device *ib_dev)

int hns_roce_db_map_user(struct hns_roce_ucontext *context, unsigned long virt,

			 struct hns_roce_db *db);

void hns_roce_db_unmap_user(struct hns_roce_ucontext *context,

			    struct hns_roce_db *db);

			    struct hns_roce_db *db,

			    bool delayed_unmap_flag);

int hns_roce_alloc_db(struct hns_roce_dev *hr_dev, struct hns_roce_db *db,

		      int order);

void hns_roce_free_db(struct hns_roce_dev *hr_dev, struct hns_roce_db *db);

int hns_roce_fill_res_qp_entry_raw(struct sk_buff *msg, struct ib_qp *ib_qp);

int hns_roce_fill_res_mr_entry(struct sk_buff *msg, struct ib_mr *ib_mr);

int hns_roce_fill_res_mr_entry_raw(struct sk_buff *msg, struct ib_mr *ib_mr);

void hns_roce_add_unfree_umem(struct hns_roce_user_db_page *user_page,

			      struct hns_roce_dev *hr_dev);

void hns_roce_free_unfree_umem(struct hns_roce_dev *hr_dev);

void hns_roce_add_unfree_mtr(struct hns_roce_mtr_node *pos,

			     struct hns_roce_dev *hr_dev,

			     struct hns_roce_mtr *mtr);

void hns_roce_free_unfree_mtr(struct hns_roce_dev *hr_dev);

struct hns_user_mmap_entry *

hns_roce_user_mmap_entry_insert(struct ib_ucontext *ucontext, u64 address,

				size_t length,

			  "failed to destroy QP, QPN = 0x%06lx, ret = %d.\n",

			  hr_qp->qpn, ret);

	if (ret == -EBUSY)

		hr_qp->delayed_destroy_flag = true;

	hns_roce_qp_destroy(hr_dev, hr_qp, udata);

	return 0;

	INIT_LIST_HEAD(&hr_dev->uctx_list);

	spin_lock_init(&hr_dev->uctx_list_lock);

	INIT_LIST_HEAD(&hr_dev->mtr_unfree_list);

	spin_lock_init(&hr_dev->mtr_unfree_list_lock);

	INIT_LIST_HEAD(&hr_dev->umem_unfree_list);

	spin_lock_init(&hr_dev->umem_unfree_list_lock);

	if (hr_dev->caps.flags & HNS_ROCE_CAP_FLAG_CQ_RECORD_DB ||

	    hr_dev->caps.flags & HNS_ROCE_CAP_FLAG_QP_RECORD_DB) {

		INIT_LIST_HEAD(&hr_dev->pgdir_list);

	if (hr_dev->hw->hw_exit)

		hr_dev->hw->hw_exit(hr_dev);

	hns_roce_teardown_hca(hr_dev);

	hns_roce_free_unfree_umem(hr_dev);

	hns_roce_free_unfree_mtr(hr_dev);

	hns_roce_cleanup_hem(hr_dev);

	if (hr_dev->cmd_mod)