IB/hfi1: Fix user SDMA racy user request claim

/* Last packet in the request */

#define TXREQ_FLAGS_REQ_LAST_PKT BIT(0)

#define SDMA_REQ_IN_USE     0

/* SDMA request flag bits */

#define SDMA_REQ_FOR_THREAD 1

#define SDMA_REQ_SEND_DONE  2

#define SDMA_REQ_HAVE_AHG   3

	if (!pq->reqs)

		goto pq_reqs_nomem;

	memsize = BITS_TO_LONGS(hfi1_sdma_comp_ring_size) * sizeof(long);

	pq->req_in_use = kzalloc(memsize, GFP_KERNEL);

	if (!pq->req_in_use)

		goto pq_reqs_no_in_use;

	INIT_LIST_HEAD(&pq->list);

	pq->dd = dd;

	pq->ctxt = uctxt->ctxt;

cq_nomem:

	kmem_cache_destroy(pq->txreq_cache);

pq_txreq_nomem:

	kfree(pq->req_in_use);

pq_reqs_no_in_use:

	kfree(pq->reqs);

pq_reqs_nomem:

	kfree(pq);

			pq->wait,

			(ACCESS_ONCE(pq->state) == SDMA_PKT_Q_INACTIVE));

		kfree(pq->reqs);

		kfree(pq->req_in_use);

		kmem_cache_destroy(pq->txreq_cache);

		kfree(pq);

		fd->pq = NULL;

		return -EINVAL;

	}

	if (cq->comps[info.comp_idx].status == QUEUED ||

	    test_bit(SDMA_REQ_IN_USE, &pq->reqs[info.comp_idx].flags)) {

		hfi1_cdbg(SDMA, "[%u:%u:%u] Entry %u is in QUEUED state",

			  dd->unit, uctxt->ctxt, fd->subctxt,

			  info.comp_idx);

		return -EBADSLT;

	}

	if (!info.fragsize) {

		hfi1_cdbg(SDMA,

			  "[%u:%u:%u:%u] Request does not specify fragsize",

			  dd->unit, uctxt->ctxt, fd->subctxt, info.comp_idx);

		return -EINVAL;

	}

	/* Try to claim the request. */

	if (test_and_set_bit(info.comp_idx, pq->req_in_use)) {

		hfi1_cdbg(SDMA, "[%u:%u:%u] Entry %u is in use",

			  dd->unit, uctxt->ctxt, fd->subctxt,

			  info.comp_idx);

		return -EBADSLT;

	}

	/*

	 * We've done all the safety checks that we can up to this point,

	 * "allocate" the request entry.

	 * All safety checks have been done and this request has been claimed.

	 */

	hfi1_cdbg(SDMA, "[%u:%u:%u] Using req/comp entry %u\n", dd->unit,

		  uctxt->ctxt, fd->subctxt, info.comp_idx);

	req = pq->reqs + info.comp_idx;

	memset(req, 0, sizeof(*req));

	/* Mark the request as IN_USE before we start filling it in. */

	set_bit(SDMA_REQ_IN_USE, &req->flags);

	req->data_iovs = req_iovcnt(info.ctrl) - 1; /* subtract header vector */

	req->pq = pq;

	req->cq = cq;

		}

	}

	kfree(req->tids);

	clear_bit(SDMA_REQ_IN_USE, &req->flags);

	clear_bit(req->info.comp_idx, req->pq->req_in_use);

}

static inline void set_comp_state(struct hfi1_user_sdma_pkt_q *pq,

	struct hfi1_devdata *dd;

	struct kmem_cache *txreq_cache;

	struct user_sdma_request *reqs;

	unsigned long *req_in_use;

	struct iowait busy;

	unsigned state;

	wait_queue_head_t wait;