tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
1
fork

Configure Feed

Select the types of activity you want to include in your feed.

Merge tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma

Pull rdma fixes from Jason Gunthorpe:
"Nothing particularly exciting, some small ODP regressions from the mmu
notifier rework, another bunch of syzkaller fixes, and a bug fix for a
botched syzkaller fix in the first rc pull request.

- Fix busted syzkaller fix in 'get_new_pps' - this turned out to
crash on certain HW configurations

- Bug fixes for various missed things in error unwinds

- Add a missing rcu_read_lock annotation in hfi/qib

- Fix two ODP related regressions from the recent mmu notifier
changes

- Several more syzkaller bugs in siw, RDMA netlink, verbs and iwcm

- Revert an old patch in CMA as it is now shown to not be allocating
port numbers properly"

* tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma:
RDMA/iwcm: Fix iwcm work deallocation
RDMA/siw: Fix failure handling during device creation
RDMA/nldev: Fix crash when set a QP to a new counter but QPN is missing
RDMA/odp: Ensure the mm is still alive before creating an implicit child
RDMA/core: Fix protection fault in ib_mr_pool_destroy
IB/mlx5: Fix implicit ODP race
IB/hfi1, qib: Ensure RCU is locked when accessing list
RDMA/core: Fix pkey and port assignment in get_new_pps
RMDA/cm: Fix missing ib_cm_destroy_id() in ib_cm_insert_listen()
RDMA/rw: Fix error flow during RDMA context initialization
RDMA/core: Fix use of logical OR in get_new_pps
Revert "RDMA/cma: Simplify rdma_resolve_addr() error flow"

Linus Torvalds 61a09258 c2003765

+95 -59
+1
drivers/infiniband/core/cm.c
··· 1191 1191 /* Sharing an ib_cm_id with different handlers is not 1192 1192 * supported */ 1193 1193 spin_unlock_irqrestore(&cm.lock, flags); 1194 + ib_destroy_cm_id(cm_id); 1194 1195 return ERR_PTR(-EINVAL); 1195 1196 } 1196 1197 refcount_inc(&cm_id_priv->refcount);
+11 -4
drivers/infiniband/core/cma.c
··· 3212 3212 int ret; 3213 3213 3214 3214 id_priv = container_of(id, struct rdma_id_private, id); 3215 + memcpy(cma_dst_addr(id_priv), dst_addr, rdma_addr_size(dst_addr)); 3215 3216 if (id_priv->state == RDMA_CM_IDLE) { 3216 3217 ret = cma_bind_addr(id, src_addr, dst_addr); 3217 - if (ret) 3218 + if (ret) { 3219 + memset(cma_dst_addr(id_priv), 0, 3220 + rdma_addr_size(dst_addr)); 3218 3221 return ret; 3222 + } 3219 3223 } 3220 3224 3221 - if (cma_family(id_priv) != dst_addr->sa_family) 3225 + if (cma_family(id_priv) != dst_addr->sa_family) { 3226 + memset(cma_dst_addr(id_priv), 0, rdma_addr_size(dst_addr)); 3222 3227 return -EINVAL; 3228 + } 3223 3229 3224 - if (!cma_comp_exch(id_priv, RDMA_CM_ADDR_BOUND, RDMA_CM_ADDR_QUERY)) 3230 + if (!cma_comp_exch(id_priv, RDMA_CM_ADDR_BOUND, RDMA_CM_ADDR_QUERY)) { 3231 + memset(cma_dst_addr(id_priv), 0, rdma_addr_size(dst_addr)); 3225 3232 return -EINVAL; 3233 + } 3226 3234 3227 - memcpy(cma_dst_addr(id_priv), dst_addr, rdma_addr_size(dst_addr)); 3228 3235 if (cma_any_addr(dst_addr)) { 3229 3236 ret = cma_resolve_loopback(id_priv); 3230 3237 } else {
+14
drivers/infiniband/core/core_priv.h
··· 338 338 qp->pd = pd; 339 339 qp->uobject = uobj; 340 340 qp->real_qp = qp; 341 + 342 + qp->qp_type = attr->qp_type; 343 + qp->rwq_ind_tbl = attr->rwq_ind_tbl; 344 + qp->send_cq = attr->send_cq; 345 + qp->recv_cq = attr->recv_cq; 346 + qp->srq = attr->srq; 347 + qp->rwq_ind_tbl = attr->rwq_ind_tbl; 348 + qp->event_handler = attr->event_handler; 349 + 350 + atomic_set(&qp->usecnt, 0); 351 + spin_lock_init(&qp->mr_lock); 352 + INIT_LIST_HEAD(&qp->rdma_mrs); 353 + INIT_LIST_HEAD(&qp->sig_mrs); 354 + 341 355 /* 342 356 * We don't track XRC QPs for now, because they don't have PD 343 357 * and more importantly they are created internaly by driver,
+3 -1
drivers/infiniband/core/iwcm.c
··· 159 159 { 160 160 struct list_head *e, *tmp; 161 161 162 - list_for_each_safe(e, tmp, &cm_id_priv->work_free_list) 162 + list_for_each_safe(e, tmp, &cm_id_priv->work_free_list) { 163 + list_del(e); 163 164 kfree(list_entry(e, struct iwcm_work, free_list)); 165 + } 164 166 } 165 167 166 168 static int alloc_work_entries(struct iwcm_id_private *cm_id_priv, int count)
+2
drivers/infiniband/core/nldev.c
··· 1757 1757 if (ret) 1758 1758 goto err_msg; 1759 1759 } else { 1760 + if (!tb[RDMA_NLDEV_ATTR_RES_LQPN]) 1761 + goto err_msg; 1760 1762 qpn = nla_get_u32(tb[RDMA_NLDEV_ATTR_RES_LQPN]); 1761 1763 if (tb[RDMA_NLDEV_ATTR_STAT_COUNTER_ID]) { 1762 1764 cntn = nla_get_u32(tb[RDMA_NLDEV_ATTR_STAT_COUNTER_ID]);
+20 -11
drivers/infiniband/core/rw.c
··· 273 273 return 1; 274 274 } 275 275 276 + static void rdma_rw_unmap_sg(struct ib_device *dev, struct scatterlist *sg, 277 + u32 sg_cnt, enum dma_data_direction dir) 278 + { 279 + if (is_pci_p2pdma_page(sg_page(sg))) 280 + pci_p2pdma_unmap_sg(dev->dma_device, sg, sg_cnt, dir); 281 + else 282 + ib_dma_unmap_sg(dev, sg, sg_cnt, dir); 283 + } 284 + 285 + static int rdma_rw_map_sg(struct ib_device *dev, struct scatterlist *sg, 286 + u32 sg_cnt, enum dma_data_direction dir) 287 + { 288 + if (is_pci_p2pdma_page(sg_page(sg))) 289 + return pci_p2pdma_map_sg(dev->dma_device, sg, sg_cnt, dir); 290 + return ib_dma_map_sg(dev, sg, sg_cnt, dir); 291 + } 292 + 276 293 /** 277 294 * rdma_rw_ctx_init - initialize a RDMA READ/WRITE context 278 295 * @ctx: context to initialize ··· 312 295 struct ib_device *dev = qp->pd->device; 313 296 int ret; 314 297 315 - if (is_pci_p2pdma_page(sg_page(sg))) 316 - ret = pci_p2pdma_map_sg(dev->dma_device, sg, sg_cnt, dir); 317 - else 318 - ret = ib_dma_map_sg(dev, sg, sg_cnt, dir); 319 - 298 + ret = rdma_rw_map_sg(dev, sg, sg_cnt, dir); 320 299 if (!ret) 321 300 return -ENOMEM; 322 301 sg_cnt = ret; ··· 351 338 return ret; 352 339 353 340 out_unmap_sg: 354 - ib_dma_unmap_sg(dev, sg, sg_cnt, dir); 341 + rdma_rw_unmap_sg(dev, sg, sg_cnt, dir); 355 342 return ret; 356 343 } 357 344 EXPORT_SYMBOL(rdma_rw_ctx_init); ··· 601 588 break; 602 589 } 603 590 604 - if (is_pci_p2pdma_page(sg_page(sg))) 605 - pci_p2pdma_unmap_sg(qp->pd->device->dma_device, sg, 606 - sg_cnt, dir); 607 - else 608 - ib_dma_unmap_sg(qp->pd->device, sg, sg_cnt, dir); 591 + rdma_rw_unmap_sg(qp->pd->device, sg, sg_cnt, dir); 609 592 } 610 593 EXPORT_SYMBOL(rdma_rw_ctx_destroy); 611 594
+9 -5
drivers/infiniband/core/security.c
··· 340 340 return NULL; 341 341 342 342 if (qp_attr_mask & IB_QP_PORT) 343 - new_pps->main.port_num = 344 - (qp_pps) ? qp_pps->main.port_num : qp_attr->port_num; 343 + new_pps->main.port_num = qp_attr->port_num; 344 + else if (qp_pps) 345 + new_pps->main.port_num = qp_pps->main.port_num; 346 + 345 347 if (qp_attr_mask & IB_QP_PKEY_INDEX) 346 - new_pps->main.pkey_index = (qp_pps) ? qp_pps->main.pkey_index : 347 - qp_attr->pkey_index; 348 + new_pps->main.pkey_index = qp_attr->pkey_index; 349 + else if (qp_pps) 350 + new_pps->main.pkey_index = qp_pps->main.pkey_index; 351 + 348 352 if ((qp_attr_mask & IB_QP_PKEY_INDEX) && (qp_attr_mask & IB_QP_PORT)) 349 353 new_pps->main.state = IB_PORT_PKEY_VALID; 350 354 351 - if (!(qp_attr_mask & (IB_QP_PKEY_INDEX || IB_QP_PORT)) && qp_pps) { 355 + if (!(qp_attr_mask & (IB_QP_PKEY_INDEX | IB_QP_PORT)) && qp_pps) { 352 356 new_pps->main.port_num = qp_pps->main.port_num; 353 357 new_pps->main.pkey_index = qp_pps->main.pkey_index; 354 358 if (qp_pps->main.state != IB_PORT_PKEY_NOT_VALID)
+19 -5
drivers/infiniband/core/umem_odp.c
··· 181 181 odp_data->page_shift = PAGE_SHIFT; 182 182 odp_data->notifier.ops = ops; 183 183 184 + /* 185 + * A mmget must be held when registering a notifier, the owming_mm only 186 + * has a mm_grab at this point. 187 + */ 188 + if (!mmget_not_zero(umem->owning_mm)) { 189 + ret = -EFAULT; 190 + goto out_free; 191 + } 192 + 184 193 odp_data->tgid = get_pid(root->tgid); 185 194 ret = ib_init_umem_odp(odp_data, ops); 186 - if (ret) { 187 - put_pid(odp_data->tgid); 188 - kfree(odp_data); 189 - return ERR_PTR(ret); 190 - } 195 + if (ret) 196 + goto out_tgid; 197 + mmput(umem->owning_mm); 191 198 return odp_data; 199 + 200 + out_tgid: 201 + put_pid(odp_data->tgid); 202 + mmput(umem->owning_mm); 203 + out_free: 204 + kfree(odp_data); 205 + return ERR_PTR(ret); 192 206 } 193 207 EXPORT_SYMBOL(ib_umem_odp_alloc_child); 194 208
-9
drivers/infiniband/core/uverbs_cmd.c
··· 1445 1445 if (ret) 1446 1446 goto err_cb; 1447 1447 1448 - qp->pd = pd; 1449 - qp->send_cq = attr.send_cq; 1450 - qp->recv_cq = attr.recv_cq; 1451 - qp->srq = attr.srq; 1452 - qp->rwq_ind_tbl = ind_tbl; 1453 - qp->event_handler = attr.event_handler; 1454 - qp->qp_type = attr.qp_type; 1455 - atomic_set(&qp->usecnt, 0); 1456 1448 atomic_inc(&pd->usecnt); 1457 - qp->port = 0; 1458 1449 if (attr.send_cq) 1459 1450 atomic_inc(&attr.send_cq->usecnt); 1460 1451 if (attr.recv_cq)
-10
drivers/infiniband/core/verbs.c
··· 1185 1185 if (ret) 1186 1186 goto err; 1187 1187 1188 - qp->qp_type = qp_init_attr->qp_type; 1189 - qp->rwq_ind_tbl = qp_init_attr->rwq_ind_tbl; 1190 - 1191 - atomic_set(&qp->usecnt, 0); 1192 - qp->mrs_used = 0; 1193 - spin_lock_init(&qp->mr_lock); 1194 - INIT_LIST_HEAD(&qp->rdma_mrs); 1195 - INIT_LIST_HEAD(&qp->sig_mrs); 1196 - qp->port = 0; 1197 - 1198 1188 if (qp_init_attr->qp_type == IB_QPT_XRC_TGT) { 1199 1189 struct ib_qp *xrc_qp = 1200 1190 create_xrc_qp_user(qp, qp_init_attr, udata);
+3 -1
drivers/infiniband/hw/hfi1/verbs.c
··· 515 515 opa_get_lid(packet->dlid, 9B)); 516 516 if (!mcast) 517 517 goto drop; 518 + rcu_read_lock(); 518 519 list_for_each_entry_rcu(p, &mcast->qp_list, list) { 519 520 packet->qp = p->qp; 520 521 if (hfi1_do_pkey_check(packet)) 521 - goto drop; 522 + goto unlock_drop; 522 523 spin_lock_irqsave(&packet->qp->r_lock, flags); 523 524 packet_handler = qp_ok(packet); 524 525 if (likely(packet_handler)) ··· 528 527 ibp->rvp.n_pkt_drops++; 529 528 spin_unlock_irqrestore(&packet->qp->r_lock, flags); 530 529 } 530 + rcu_read_unlock(); 531 531 /* 532 532 * Notify rvt_multicast_detach() if it is waiting for us 533 533 * to finish.
+1
drivers/infiniband/hw/mlx5/mlx5_ib.h
··· 636 636 637 637 /* For ODP and implicit */ 638 638 atomic_t num_deferred_work; 639 + wait_queue_head_t q_deferred_work; 639 640 struct xarray implicit_children; 640 641 union { 641 642 struct rcu_head rcu;
+7 -10
drivers/infiniband/hw/mlx5/odp.c
··· 235 235 mr->parent = NULL; 236 236 mlx5_mr_cache_free(mr->dev, mr); 237 237 ib_umem_odp_release(odp); 238 - atomic_dec(&imr->num_deferred_work); 238 + if (atomic_dec_and_test(&imr->num_deferred_work)) 239 + wake_up(&imr->q_deferred_work); 239 240 } 240 241 241 242 static void free_implicit_child_mr_work(struct work_struct *work) ··· 555 554 imr->umem = &umem_odp->umem; 556 555 imr->is_odp_implicit = true; 557 556 atomic_set(&imr->num_deferred_work, 0); 557 + init_waitqueue_head(&imr->q_deferred_work); 558 558 xa_init(&imr->implicit_children); 559 559 560 560 err = mlx5_ib_update_xlt(imr, 0, ··· 613 611 * under xa_lock while the child is in the xarray. Thus at this point 614 612 * it is only decreasing, and all work holding it is now on the wq. 615 613 */ 616 - if (atomic_read(&imr->num_deferred_work)) { 617 - flush_workqueue(system_unbound_wq); 618 - WARN_ON(atomic_read(&imr->num_deferred_work)); 619 - } 614 + wait_event(imr->q_deferred_work, !atomic_read(&imr->num_deferred_work)); 620 615 621 616 /* 622 617 * Fence the imr before we destroy the children. This allows us to ··· 644 645 /* Wait for all running page-fault handlers to finish. */ 645 646 synchronize_srcu(&mr->dev->odp_srcu); 646 647 647 - if (atomic_read(&mr->num_deferred_work)) { 648 - flush_workqueue(system_unbound_wq); 649 - WARN_ON(atomic_read(&mr->num_deferred_work)); 650 - } 648 + wait_event(mr->q_deferred_work, !atomic_read(&mr->num_deferred_work)); 651 649 652 650 dma_fence_odp_mr(mr); 653 651 } ··· 1716 1720 u32 i; 1717 1721 1718 1722 for (i = 0; i < work->num_sge; ++i) 1719 - atomic_dec(&work->frags[i].mr->num_deferred_work); 1723 + if (atomic_dec_and_test(&work->frags[i].mr->num_deferred_work)) 1724 + wake_up(&work->frags[i].mr->q_deferred_work); 1720 1725 kvfree(work); 1721 1726 } 1722 1727
+2
drivers/infiniband/hw/qib/qib_verbs.c
··· 329 329 if (mcast == NULL) 330 330 goto drop; 331 331 this_cpu_inc(ibp->pmastats->n_multicast_rcv); 332 + rcu_read_lock(); 332 333 list_for_each_entry_rcu(p, &mcast->qp_list, list) 333 334 qib_qp_rcv(rcd, hdr, 1, data, tlen, p->qp); 335 + rcu_read_unlock(); 334 336 /* 335 337 * Notify rvt_multicast_detach() if it is waiting for us 336 338 * to finish.
+3 -3
drivers/infiniband/sw/siw/siw_main.c
··· 388 388 { .max_segment_size = SZ_2G }; 389 389 base_dev->num_comp_vectors = num_possible_cpus(); 390 390 391 + xa_init_flags(&sdev->qp_xa, XA_FLAGS_ALLOC1); 392 + xa_init_flags(&sdev->mem_xa, XA_FLAGS_ALLOC1); 393 + 391 394 ib_set_device_ops(base_dev, &siw_device_ops); 392 395 rv = ib_device_set_netdev(base_dev, netdev, 1); 393 396 if (rv) ··· 417 414 sdev->attrs.max_srq = SIW_MAX_SRQ; 418 415 sdev->attrs.max_srq_wr = SIW_MAX_SRQ_WR; 419 416 sdev->attrs.max_srq_sge = SIW_MAX_SGE; 420 - 421 - xa_init_flags(&sdev->qp_xa, XA_FLAGS_ALLOC1); 422 - xa_init_flags(&sdev->mem_xa, XA_FLAGS_ALLOC1); 423 417 424 418 INIT_LIST_HEAD(&sdev->cep_list); 425 419 INIT_LIST_HEAD(&sdev->qp_list);