
Merge tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma

Pull rdma fixes from Jason Gunthorpe:
"Nothing profound here, just a last set of long standing bug fixes:

- Incorrect error unwind in qib and pvrdma

- User triggerable NULL pointer crash in mlx5 with ODP prefetch

- syzkaller RCU race in uverbs

- Rare double free crash in ipoib"

* tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma:
IB/ipoib: Fix double free of skb in case of multicast traffic in CM mode
RDMA/core: Fix double destruction of uobject
RDMA/pvrdma: Fix missing pci disable in pvrdma_pci_probe()
RDMA/mlx5: Fix NULL pointer dereference in destroy_prefetch_work
IB/qib: Call kobject_put() when kobject_init_and_add() fails

+47 -25
+13 -7
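--- a/drivers/infiniband/core/rdma_core.c
+++ b/drivers/infiniband/core/rdma_core.c
@@ -153,9 +153,9 @@
 uobj->context = NULL;
 
 /*
-* For DESTROY the usecnt is held write locked, the caller is expected
-* to put it unlock and put the object when done with it. Only DESTROY
-* can remove the IDR handle.
+* For DESTROY the usecnt is not changed, the caller is expected to
+* manage it via uobj_put_destroy(). Only DESTROY can remove the IDR
+* handle.
 */
 if (reason != RDMA_REMOVE_DESTROY)
 atomic_set(&uobj->usecnt, 0);
@@ -187,7 +187,7 @@
 /*
 * This calls uverbs_destroy_uobject() using the RDMA_REMOVE_DESTROY
 * sequence. It should only be used from command callbacks. On success the
-* caller must pair this with rdma_lookup_put_uobject(LOOKUP_WRITE). This
+* caller must pair this with uobj_put_destroy(). This
 * version requires the caller to have already obtained an
 * LOOKUP_DESTROY uobject kref.
 */
@@ -198,6 +198,13 @@
 
 down_read(&ufile->hw_destroy_rwsem);
 
+/*
+* Once the uobject is destroyed by RDMA_REMOVE_DESTROY then it is left
+* write locked as the callers put it back with UVERBS_LOOKUP_DESTROY.
+* This is because any other concurrent thread can still see the object
+* in the xarray due to RCU. Leaving it locked ensures nothing else will
+* touch it.
+*/
 ret = uverbs_try_lock_object(uobj, UVERBS_LOOKUP_WRITE);
 if (ret)
 goto out_unlock;
@@ -216,7 +223,7 @@
 /*
 * uobj_get_destroy destroys the HW object and returns a handle to the uobj
 * with a NULL object pointer. The caller must pair this with
-* uverbs_put_destroy.
+* uobj_put_destroy().
 */
 struct ib_uobject *__uobj_get_destroy(const struct uverbs_api_object *obj,
 u32 id, struct uverbs_attr_bundle *attrs)
@@ -250,8 +257,7 @@
 uobj = __uobj_get_destroy(obj, id, attrs);
 if (IS_ERR(uobj))
 return PTR_ERR(uobj);
-
-rdma_lookup_put_uobject(uobj, UVERBS_LOOKUP_WRITE);
+uobj_put_destroy(uobj);
 return 0;
 }
 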
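Review bot: The comment added above `uverbs_try_lock_object()` in the third hunk explains why a destroyed uobject stays write locked, but the pairing rule exists only in prose and depends on every caller using `uobj_put_destroy()`. A caller that still ends a destroy with `rdma_lookup_put_uobject(uobj, UVERBS_LOOKUP_WRITE)` would release the lock while, as that comment says, other threads can still see the object in the xarray through RCU. I would end the comment with ` * Never release a destroyed uobject with UVERBS_LOOKUP_WRITE; use uobj_put_destroy().` so the constraint sits next to the lock it protects. The enclosing functions start and end outside the hunks, so the remaining callers cannot be checked from this page.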
+1
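--- a/drivers/infiniband/hw/mlx5/mr.c
+++ b/drivers/infiniband/hw/mlx5/mr.c
@@ -1439,6 +1439,7 @@
 
 if (is_odp_mr(mr)) {
 to_ib_umem_odp(mr->umem)->private = mr;
+init_waitqueue_head(&mr->q_deferred_work);
 atomic_set(&mr->num_deferred_work, 0);
 err = xa_err(xa_store(&dev->odp_mkeys,
 mlx5_base_mkey(mr->mmkey.key), &mr->mmkey,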
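Review bot: The added `init_waitqueue_head(&mr->q_deferred_work)` sits before the `xa_store()` into `dev->odp_mkeys`, and that ordering looks load-bearing, yet nothing on the line says so. Presumably the MR becomes reachable by prefetch work once the mkey is stored, so a later reorder could bring back the NULL dereference that the merge description calls user triggerable. I would add `/* deferred-work state must be initialised before the mkey is stored in odp_mkeys */` above the two initialisers. The function starts and ends outside the hunk, so whether other paths that create ODP MRs also initialise the wait queue cannot be checked here.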
+5 -4
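--- a/drivers/infiniband/hw/qib/qib_sysfs.c
+++ b/drivers/infiniband/hw/qib/qib_sysfs.c
@@ -760,7 +760,7 @@
 qib_dev_err(dd,
 "Skipping linkcontrol sysfs info, (err %d) port %u\n",
 ret, port_num);
-goto bail;
+goto bail_link;
 }
 kobject_uevent(&ppd->pport_kobj, KOBJ_ADD);
 
@@ -770,7 +770,7 @@
 qib_dev_err(dd,
 "Skipping sl2vl sysfs info, (err %d) port %u\n",
 ret, port_num);
-goto bail_link;
+goto bail_sl;
 }
 kobject_uevent(&ppd->sl2vl_kobj, KOBJ_ADD);
 
@@ -780,7 +780,7 @@
 qib_dev_err(dd,
 "Skipping diag_counters sysfs info, (err %d) port %u\n",
 ret, port_num);
-goto bail_sl;
+goto bail_diagc;
 }
 kobject_uevent(&ppd->diagc_kobj, KOBJ_ADD);
 
@@ -793,7 +793,7 @@
 qib_dev_err(dd,
 "Skipping Congestion Control sysfs info, (err %d) port %u\n",
 ret, port_num);
-goto bail_diagc;
+goto bail_cc;
 }
 
 kobject_uevent(&ppd->pport_cc_kobj, KOBJ_ADD);
@@ -854,6 +854,7 @@
 &cc_table_bin_attr);
 kobject_put(&ppd->pport_cc_kobj);
 }
+kobject_put(&ppd->diagc_kobj);
 kobject_put(&ppd->sl2vl_kobj);
 kobject_put(&ppd->pport_kobj);
 }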
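Review bot: Each failure branch now jumps to the label named for the kobject that just failed (`goto bail_link` after the linkcontrol error, `goto bail_sl` after sl2vl, and so on), which reads like an off-by-one to anyone who does not know the reason. Going by the commit title, a kobject whose `kobject_init_and_add()` failed still needs `kobject_put()`. A comment at the first site, such as `/* init failed, but the kobject still needs kobject_put(): unwind from its own label */`, would keep a later cleanup from reverting the labels. The label bodies are outside the hunks, so the order of the puts on the error path cannot be checked here.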
+1 -1
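--- a/drivers/infiniband/hw/vmw_pvrdma/pvrdma_main.c
+++ b/drivers/infiniband/hw/vmw_pvrdma/pvrdma_main.c
@@ -829,7 +829,7 @@
 !(pci_resource_flags(pdev, 1) & IORESOURCE_MEM)) {
 dev_err(&pdev->dev, "PCI BAR region not MMIO\n");
 ret = -ENOMEM;
-goto err_free_device;
+goto err_disable_pdev;
 }
 
 ret = pci_request_regions(pdev, DRV_NAME);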
+4
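--- a/drivers/infiniband/ulp/ipoib/ipoib.h
+++ b/drivers/infiniband/ulp/ipoib/ipoib.h
@@ -377,8 +377,12 @@
 struct ipoib_rx_buf *rx_ring;
 
 struct ipoib_tx_buf *tx_ring;
+/* cyclic ring variables for managing tx_ring, for UD only */
 unsigned int tx_head;
 unsigned int tx_tail;
+/* cyclic ring variables for counting overall outstanding send WRs */
+unsigned int global_tx_head;
+unsigned int global_tx_tail;
 struct ib_sge tx_sge[MAX_SKB_FRAGS + 1];
 struct ib_ud_wr tx_wr;
 struct ib_wc send_wc[MAX_SEND_CQE];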
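Review bot: The comment on `global_tx_head` and `global_tx_tail` says what they count but not what serialises their updates. In the ipoib_cm.c hunks the tail is incremented after `netif_tx_lock()` or `netif_tx_lock_bh()`, while the ipoib_ib.c hunks show the increments with no lock in view, so the struct alone does not tell a reader which context owns each counter. I would extend the comment to name the lock that protects the pair and to state that `head - tail` relies on unsigned wrap-around, since the queue stop and wake checks depend on both.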
+9 -6
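--- a/drivers/infiniband/ulp/ipoib/ipoib_cm.c
+++ b/drivers/infiniband/ulp/ipoib/ipoib_cm.c
@@ -756,7 +756,8 @@
 return;
 }
 
-if ((priv->tx_head - priv->tx_tail) == ipoib_sendq_size - 1) {
+if ((priv->global_tx_head - priv->global_tx_tail) ==
+ipoib_sendq_size - 1) {
 ipoib_dbg(priv, "TX ring 0x%x full, stopping kernel net queue\n",
 tx->qp->qp_num);
 netif_stop_queue(dev);
@@ -786,7 +787,7 @@
 } else {
 netif_trans_update(dev);
 ++tx->tx_head;
-++priv->tx_head;
+++priv->global_tx_head;
 }
 }
 
@@ -820,10 +821,11 @@
 netif_tx_lock(dev);
 
 ++tx->tx_tail;
-++priv->tx_tail;
+++priv->global_tx_tail;
 
 if (unlikely(netif_queue_stopped(dev) &&
-(priv->tx_head - priv->tx_tail) <= ipoib_sendq_size >> 1 &&
+((priv->global_tx_head - priv->global_tx_tail) <=
+ipoib_sendq_size >> 1) &&
 test_bit(IPOIB_FLAG_ADMIN_UP, &priv->flags)))
 netif_wake_queue(dev);
 
@@ -1232,8 +1234,9 @@
 dev_kfree_skb_any(tx_req->skb);
 netif_tx_lock_bh(p->dev);
 ++p->tx_tail;
-++priv->tx_tail;
-if (unlikely(priv->tx_head - priv->tx_tail == ipoib_sendq_size >> 1) &&
+++priv->global_tx_tail;
+if (unlikely((priv->global_tx_head - priv->global_tx_tail) <=
+ipoib_sendq_size >> 1) &&
 netif_queue_stopped(p->dev) &&
 test_bit(IPOIB_FLAG_ADMIN_UP, &priv->flags))
 netif_wake_queue(p->dev);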
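Review bot: The stop check in the first hunk still tests equality against `ipoib_sendq_size - 1`, although the counters now cover both UD and CM sends and the wake check in the last hunk was relaxed from `==` to `<=`. If the difference ever steps past `ipoib_sendq_size - 1`, the queue is never stopped; whether that can happen depends on code outside these hunks. Changing the test to `if ((priv->global_tx_head - priv->global_tx_tail) >= ipoib_sendq_size - 1) {` would make the stop condition as tolerant as the wake condition. The same equality test appears in the second hunk of ipoib_ib.c.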
+7 -2
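--- a/drivers/infiniband/ulp/ipoib/ipoib_ib.c
+++ b/drivers/infiniband/ulp/ipoib/ipoib_ib.c
@@ -407,9 +407,11 @@
 dev_kfree_skb_any(tx_req->skb);
 
 ++priv->tx_tail;
+++priv->global_tx_tail;
 
 if (unlikely(netif_queue_stopped(dev) &&
-((priv->tx_head - priv->tx_tail) <= ipoib_sendq_size >> 1) &&
+((priv->global_tx_head - priv->global_tx_tail) <=
+ipoib_sendq_size >> 1) &&
 test_bit(IPOIB_FLAG_ADMIN_UP, &priv->flags)))
 netif_wake_queue(dev);
 
@@ -634,7 +636,8 @@
 else
 priv->tx_wr.wr.send_flags &= ~IB_SEND_IP_CSUM;
 /* increase the tx_head after send success, but use it for queue state */
-if (priv->tx_head - priv->tx_tail == ipoib_sendq_size - 1) {
+if ((priv->global_tx_head - priv->global_tx_tail) ==
+ipoib_sendq_size - 1) {
 ipoib_dbg(priv, "TX ring full, stopping kernel net queue\n");
 netif_stop_queue(dev);
 }
@@ -662,6 +665,7 @@
 
 rc = priv->tx_head;
 ++priv->tx_head;
+++priv->global_tx_head;
 }
 return rc;
 }
@@ -807,6 +811,7 @@
 ipoib_dma_unmap_tx(priv, tx_req);
 dev_kfree_skb_any(tx_req->skb);
 ++priv->tx_tail;
+++priv->global_tx_tail;
 }
 
 for (i = 0; i < ipoib_recvq_size; ++i) {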
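Review bot: The context comment in the second hunk, `/* increase the tx_head after send success, but use it for queue state */`, is stale after this change. The test directly below it now reads `global_tx_head` and `global_tx_tail`, not `tx_head`, so the comment points a reader at the wrong counter when reasoning about when the queue stops. I would reword it to `/* tx_head and global_tx_head are increased after send success; global_tx_head is used for queue state */`. The enclosing function starts and ends outside the hunk.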
+6 -4
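--- a/drivers/infiniband/ulp/ipoib/ipoib_main.c
+++ b/drivers/infiniband/ulp/ipoib/ipoib_main.c
@@ -1184,9 +1184,11 @@
 
 ipoib_warn(priv, "transmit timeout: latency %d msecs\n",
 jiffies_to_msecs(jiffies - dev_trans_start(dev)));
-ipoib_warn(priv, "queue stopped %d, tx_head %u, tx_tail %u\n",
-netif_queue_stopped(dev),
-priv->tx_head, priv->tx_tail);
+ipoib_warn(priv,
+"queue stopped %d, tx_head %u, tx_tail %u, global_tx_head %u, global_tx_tail %u\n",
+netif_queue_stopped(dev), priv->tx_head, priv->tx_tail,
+priv->global_tx_head, priv->global_tx_tail);
+
 /* XXX reset QP, etc. */
 }
 
@@ -1701,7 +1703,7 @@
 goto out_rx_ring_cleanup;
 }
 
-/* priv->tx_head, tx_tail & tx_outstanding are already 0 */
+/* priv->tx_head, tx_tail and global_tx_tail/head are already 0 */
 
 if (ipoib_transport_dev_init(dev, priv->ca)) {
 pr_warn("%s: ipoib_transport_dev_init failed\n",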
+1 -1
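--- a/include/rdma/uverbs_std_types.h
+++ b/include/rdma/uverbs_std_types.h
@@ -88,7 +88,7 @@
 
 static inline void uobj_put_destroy(struct ib_uobject *uobj)
 {
-rdma_lookup_put_uobject(uobj, UVERBS_LOOKUP_WRITE);
+rdma_lookup_put_uobject(uobj, UVERBS_LOOKUP_DESTROY);
 }
 
 static inline void uobj_put_read(struct ib_uobject *uobj)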