
Merge tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma

Pull rdma fixes from Jason Gunthorpe:
"It has been fairly silent lately on our -rc front. Big queue of
patches on the mailing list going to for-next though.

Bug fixes:
- qedr driver bugfixes causing application hangs, wrong uapi errnos,
and a race condition
- three syzkaller found bugfixes in the ucma uapi

Regression fixes for things introduced in 4.16:
- Crash on error introduced in mlx5 UMR flow
- Crash on module unload/etc introduced by bad interaction of
restrack and mlx5 patches this cycle
- Typo in a two line syzkaller bugfix causing a bad regression
- Coverity report of nonsense code in hns driver"

* tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma:
RDMA/ucma: Introduce safer rdma_addr_size() variants
RDMA/hns: ensure for-loop actually iterates and free's buffers
RDMA/ucma: Check that device exists prior to accessing it
RDMA/ucma: Check that device is connected prior to access it
RDMA/rdma_cm: Fix use after free race with process_one_req
RDMA/qedr: Fix QP state initialization race
RDMA/qedr: Fix rc initialization on CNQ allocation failure
RDMA/qedr: fix QP's ack timeout configuration
RDMA/ucma: Correct option size check using optlen
RDMA/restrack: Move restrack_clean to be symmetrical to restrack_init
IB/mlx5: Don't clean uninitialized UMR resources

+102 -40
+25
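--- a/drivers/infiniband/core/addr.c
+++ b/drivers/infiniband/core/addr.c
@@ -207,6 +207,22 @@
 }
 EXPORT_SYMBOL(rdma_addr_size);
 
+int rdma_addr_size_in6(struct sockaddr_in6 *addr)
+{
+int ret = rdma_addr_size((struct sockaddr *) addr);
+
+return ret <= sizeof(*addr) ? ret : 0;
+}
+EXPORT_SYMBOL(rdma_addr_size_in6);
+
+int rdma_addr_size_kss(struct __kernel_sockaddr_storage *addr)
+{
+int ret = rdma_addr_size((struct sockaddr *) addr);
+
+return ret <= sizeof(*addr) ? ret : 0;
+}
+EXPORT_SYMBOL(rdma_addr_size_kss);
+
 static struct rdma_addr_client self;
 
 void rdma_addr_register_client(struct rdma_addr_client *client)
@@ -585,6 +601,15 @@
 }
 list_del(&req->list);
 mutex_unlock(&lock);
+
+/*
+* Although the work will normally have been canceled by the
+* workqueue, it can still be requeued as long as it is on the
+* req_list, so it could have been requeued before we grabbed &lock.
+* We need to cancel it after it is removed from req_list to really be
+* sure it is safe to free.
+*/
+cancel_delayed_work(&req->work);
 
 req->callback(req->status, (struct sockaddr *)&req->src_addr,
 req->addr, req->context);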
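Review bot: The new exported helpers `rdma_addr_size_in6()` and `rdma_addr_size_kss()` have no comment stating their contract, which is the security-relevant part of this change. They return 0 when the size implied by the address family does not fit in the container the caller copied from user space. A short comment above each would record that, for example `/* Returns the sockaddr size for addr's family, or 0 if the family is unknown or its sockaddr is larger than *addr. */`. As a style point, `ret <= sizeof(*addr)` compares an `int` with a `size_t`; the result is still safe for any return value, but an explicit `(size_t)ret` would avoid a sign-compare warning.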
+1 -2
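--- a/drivers/infiniband/core/device.c
+++ b/drivers/infiniband/core/device.c
@@ -290,6 +290,7 @@
 {
 WARN_ON(device->reg_state != IB_DEV_UNREGISTERED &&
 device->reg_state != IB_DEV_UNINITIALIZED);
+rdma_restrack_clean(&device->res);
 put_device(&device->dev);
 }
 EXPORT_SYMBOL(ib_dealloc_device);
@@ -599,8 +600,6 @@
 context->client->remove(device, context->data);
 }
 up_read(&lists_rwsem);
-
-rdma_restrack_clean(&device->res);
 
 ib_device_unregister_rdmacg(device);
 ib_device_unregister_sysfs(device);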
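Review bot: `rdma_restrack_clean(&device->res)` now runs in `ib_dealloc_device()`, whose `WARN_ON` accepts `IB_DEV_UNINITIALIZED` as well as `IB_DEV_UNREGISTERED`, so the cleanup is also reached for devices that were allocated but never registered. That is only safe if `device->res` is initialised at allocation time, which the commit title implies but this section does not show. A one-line comment at the call, such as `/* pairs with rdma_restrack_init() done at allocation; must be valid for never-registered devices */`, would keep a later change from moving the init back into the register path. Both functions start outside their hunks.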
+27 -20
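--- a/drivers/infiniband/core/ucma.c
+++ b/drivers/infiniband/core/ucma.c
@@ -632,6 +632,9 @@
 if (copy_from_user(&cmd, inbuf, sizeof(cmd)))
 return -EFAULT;
 
+if (!rdma_addr_size_in6(&cmd.addr))
+return -EINVAL;
+
 ctx = ucma_get_ctx(file, cmd.id);
 if (IS_ERR(ctx))
 return PTR_ERR(ctx);
@@ -645,22 +648,21 @@
 int in_len, int out_len)
 {
 struct rdma_ucm_bind cmd;
-struct sockaddr *addr;
 struct ucma_context *ctx;
 int ret;
 
 if (copy_from_user(&cmd, inbuf, sizeof(cmd)))
 return -EFAULT;
 
-addr = (struct sockaddr *) &cmd.addr;
-if (cmd.reserved || !cmd.addr_size || (cmd.addr_size != rdma_addr_size(addr)))
+if (cmd.reserved || !cmd.addr_size ||
+cmd.addr_size != rdma_addr_size_kss(&cmd.addr))
 return -EINVAL;
 
 ctx = ucma_get_ctx(file, cmd.id);
 if (IS_ERR(ctx))
 return PTR_ERR(ctx);
 
-ret = rdma_bind_addr(ctx->cm_id, addr);
+ret = rdma_bind_addr(ctx->cm_id, (struct sockaddr *) &cmd.addr);
 ucma_put_ctx(ctx);
 return ret;
 }
@@ -670,23 +672,22 @@
 int in_len, int out_len)
 {
 struct rdma_ucm_resolve_ip cmd;
-struct sockaddr *src, *dst;
 struct ucma_context *ctx;
 int ret;
 
 if (copy_from_user(&cmd, inbuf, sizeof(cmd)))
 return -EFAULT;
 
-src = (struct sockaddr *) &cmd.src_addr;
-dst = (struct sockaddr *) &cmd.dst_addr;
-if (!rdma_addr_size(src) || !rdma_addr_size(dst))
+if (!rdma_addr_size_in6(&cmd.src_addr) ||
+!rdma_addr_size_in6(&cmd.dst_addr))
 return -EINVAL;
 
 ctx = ucma_get_ctx(file, cmd.id);
 if (IS_ERR(ctx))
 return PTR_ERR(ctx);
 
-ret = rdma_resolve_addr(ctx->cm_id, src, dst, cmd.timeout_ms);
+ret = rdma_resolve_addr(ctx->cm_id, (struct sockaddr *) &cmd.src_addr,
+(struct sockaddr *) &cmd.dst_addr, cmd.timeout_ms);
 ucma_put_ctx(ctx);
 return ret;
 }
@@ -696,24 +697,23 @@
 int in_len, int out_len)
 {
 struct rdma_ucm_resolve_addr cmd;
-struct sockaddr *src, *dst;
 struct ucma_context *ctx;
 int ret;
 
 if (copy_from_user(&cmd, inbuf, sizeof(cmd)))
 return -EFAULT;
 
-src = (struct sockaddr *) &cmd.src_addr;
-dst = (struct sockaddr *) &cmd.dst_addr;
-if (cmd.reserved || (cmd.src_size && (cmd.src_size != rdma_addr_size(src))) ||
-!cmd.dst_size || (cmd.dst_size != rdma_addr_size(dst)))
+if (cmd.reserved ||
+(cmd.src_size && (cmd.src_size != rdma_addr_size_kss(&cmd.src_addr))) ||
+!cmd.dst_size || (cmd.dst_size != rdma_addr_size_kss(&cmd.dst_addr)))
 return -EINVAL;
 
 ctx = ucma_get_ctx(file, cmd.id);
 if (IS_ERR(ctx))
 return PTR_ERR(ctx);
 
-ret = rdma_resolve_addr(ctx->cm_id, src, dst, cmd.timeout_ms);
+ret = rdma_resolve_addr(ctx->cm_id, (struct sockaddr *) &cmd.src_addr,
+(struct sockaddr *) &cmd.dst_addr, cmd.timeout_ms);
 ucma_put_ctx(ctx);
 return ret;
 }
@@ -1166,6 +1166,11 @@
 if (IS_ERR(ctx))
 return PTR_ERR(ctx);
 
+if (!ctx->cm_id->device) {
+ret = -EINVAL;
+goto out;
+}
+
 resp.qp_attr_mask = 0;
 memset(&qp_attr, 0, sizeof qp_attr);
 qp_attr.qp_state = cmd.qp_state;
@@ -1307,7 +1312,7 @@
 if (IS_ERR(ctx))
 return PTR_ERR(ctx);
 
-if (unlikely(cmd.optval > KMALLOC_MAX_SIZE))
+if (unlikely(cmd.optlen > KMALLOC_MAX_SIZE))
 return -EINVAL;
 
 optval = memdup_user((void __user *) (unsigned long) cmd.optval,
@@ -1331,7 +1336,7 @@
 {
 struct rdma_ucm_notify cmd;
 struct ucma_context *ctx;
-int ret;
+int ret = -EINVAL;
 
 if (copy_from_user(&cmd, inbuf, sizeof(cmd)))
 return -EFAULT;
@@ -1340,7 +1345,9 @@
 if (IS_ERR(ctx))
 return PTR_ERR(ctx);
 
-ret = rdma_notify(ctx->cm_id, (enum ib_event_type) cmd.event);
+if (ctx->cm_id->device)
+ret = rdma_notify(ctx->cm_id, (enum ib_event_type)cmd.event);
+
 ucma_put_ctx(ctx);
 return ret;
 }
@@ -1426,7 +1433,7 @@
 join_cmd.response = cmd.response;
 join_cmd.uid = cmd.uid;
 join_cmd.id = cmd.id;
-join_cmd.addr_size = rdma_addr_size((struct sockaddr *) &cmd.addr);
+join_cmd.addr_size = rdma_addr_size_in6(&cmd.addr);
 if (!join_cmd.addr_size)
 return -EINVAL;
 
@@ -1445,7 +1452,7 @@
 if (copy_from_user(&cmd, inbuf, sizeof(cmd)))
 return -EFAULT;
 
-if (!rdma_addr_size_kss(&cmd.addr))
+if (!rdma_addr_size((struct sockaddr *)&cmd.addr))
 return -EINVAL;
 
 return ucma_process_join(file, &cmd, out_len);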
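Review bot: In the option-length hunk, `if (unlikely(cmd.optlen > KMALLOC_MAX_SIZE)) return -EINVAL;` sits after the `IS_ERR(ctx)` test, so it returns while still holding the context reference that the other handlers in this file drop with `ucma_put_ctx(ctx)`. A caller-supplied oversized `optlen` therefore leaks a reference on every rejected request, which would keep the context from being released. Either move the length check above the context lookup, or release the reference before returning by adding `ucma_put_ctx(ctx);` ahead of `return -EINVAL;`. The lookup call and the rest of the function are outside the hunk.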
+1 -1
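--- a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
+++ b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
@@ -4383,7 +4383,7 @@
 eq->l0_dma = 0;
 
 if (mhop_num == 1)
-for (i -= i; i >= 0; i--)
+for (i -= 1; i >= 0; i--)
 dma_free_coherent(dev, buf_chk_sz, eq->buf[i],
 eq->buf_dma[i]);
 else if (mhop_num == 2) {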
+9 -3
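--- a/drivers/infiniband/hw/mlx5/main.c
+++ b/drivers/infiniband/hw/mlx5/main.c
@@ -3448,9 +3448,12 @@
 if (err)
 mlx5_ib_warn(dev, "mr cache cleanup failed\n");
 
-mlx5_ib_destroy_qp(dev->umrc.qp);
-ib_free_cq(dev->umrc.cq);
-ib_dealloc_pd(dev->umrc.pd);
+if (dev->umrc.qp)
+mlx5_ib_destroy_qp(dev->umrc.qp);
+if (dev->umrc.cq)
+ib_free_cq(dev->umrc.cq);
+if (dev->umrc.pd)
+ib_dealloc_pd(dev->umrc.pd);
 }
 
 enum {
@@ -3552,12 +3555,15 @@
 
 error_4:
 mlx5_ib_destroy_qp(qp);
+dev->umrc.qp = NULL;
 
 error_3:
 ib_free_cq(cq);
+dev->umrc.cq = NULL;
 
 error_2:
 ib_dealloc_pd(pd);
+dev->umrc.pd = NULL;
 
 error_0:
 kfree(attr);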
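Review bot: The teardown path in the first hunk skips NULL `dev->umrc` members but leaves all three pointers set after `mlx5_ib_destroy_qp()`, `ib_free_cq()` and `ib_dealloc_pd()`, whereas the create error path in the second hunk clears each one after freeing it. If the teardown function can run twice for the same device, which this section does not show, the new guards would not prevent a double free. Clearing the members there too, e.g. `dev->umrc.qp = NULL;` after the destroy call inside a braced `if`, would make both paths consistent. Both functions start outside their hunks.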
+3
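--- a/drivers/infiniband/hw/mlx5/mr.c
+++ b/drivers/infiniband/hw/mlx5/mr.c
@@ -739,6 +739,9 @@
 {
 int i;
 
+if (!dev->cache.wq)
+return 0;
+
 dev->cache.stopped = 1;
 flush_workqueue(dev->cache.wq);
 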
+2 -1
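--- a/drivers/infiniband/hw/qedr/main.c
+++ b/drivers/infiniband/hw/qedr/main.c
@@ -833,7 +833,8 @@
 
 dev->num_cnq = dev->ops->rdma_get_min_cnq_msix(cdev);
 if (!dev->num_cnq) {
-DP_ERR(dev, "not enough CNQ resources.\n");
+DP_ERR(dev, "Failed. At least one CNQ is required.\n");
+rc = -ENOMEM;
 goto init_err;
 }
 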
+32 -13
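--- a/drivers/infiniband/hw/qedr/verbs.c
+++ b/drivers/infiniband/hw/qedr/verbs.c
@@ -1841,14 +1841,15 @@
 
 static int qedr_update_qp_state(struct qedr_dev *dev,
 struct qedr_qp *qp,
+enum qed_roce_qp_state cur_state,
 enum qed_roce_qp_state new_state)
 {
 int status = 0;
 
-if (new_state == qp->state)
+if (new_state == cur_state)
 return 0;
 
-switch (qp->state) {
+switch (cur_state) {
 case QED_ROCE_QP_STATE_RESET:
 switch (new_state) {
 case QED_ROCE_QP_STATE_INIT:
@@ -1955,6 +1956,7 @@
 struct qedr_dev *dev = get_qedr_dev(&qp->dev->ibdev);
 const struct ib_global_route *grh = rdma_ah_read_grh(&attr->ah_attr);
 enum ib_qp_state old_qp_state, new_qp_state;
+enum qed_roce_qp_state cur_state;
 int rc = 0;
 
 DP_DEBUG(dev, QEDR_MSG_QP,
@@ -2086,18 +2088,23 @@
 SET_FIELD(qp_params.modify_flags,
 QED_ROCE_MODIFY_QP_VALID_ACK_TIMEOUT, 1);
 
-qp_params.ack_timeout = attr->timeout;
-if (attr->timeout) {
-u32 temp;
-
-temp = 4096 * (1UL << attr->timeout) / 1000 / 1000;
-/* FW requires [msec] */
-qp_params.ack_timeout = temp;
-} else {
-/* Infinite */
+/* The received timeout value is an exponent used like this:
+* "12.7.34 LOCAL ACK TIMEOUT
+* Value representing the transport (ACK) timeout for use by
+* the remote, expressed as: 4.096 * 2^timeout [usec]"
+* The FW expects timeout in msec so we need to divide the usec
+* result by 1000. We'll approximate 1000~2^10, and 4.096 ~ 2^2,
+* so we get: 2^2 * 2^timeout / 2^10 = 2^(timeout - 8).
+* The value of zero means infinite so we use a 'max_t' to make
+* sure that sub 1 msec values will be configured as 1 msec.
+*/
+if (attr->timeout)
+qp_params.ack_timeout =
+1 << max_t(int, attr->timeout - 8, 0);
+else
 qp_params.ack_timeout = 0;
-}
 }
+
 if (attr_mask & IB_QP_RETRY_CNT) {
 SET_FIELD(qp_params.modify_flags,
 QED_ROCE_MODIFY_QP_VALID_RETRY_CNT, 1);
@@ -2170,13 +2177,25 @@
 qp->dest_qp_num = attr->dest_qp_num;
 }
 
+cur_state = qp->state;
+
+/* Update the QP state before the actual ramrod to prevent a race with
+* fast path. Modifying the QP state to error will cause the device to
+* flush the CQEs and while polling the flushed CQEs will considered as
+* a potential issue if the QP isn't in error state.
+*/
+if ((attr_mask & IB_QP_STATE) && qp->qp_type != IB_QPT_GSI &&
+!udata && qp_params.new_state == QED_ROCE_QP_STATE_ERR)
+qp->state = QED_ROCE_QP_STATE_ERR;
+
 if (qp->qp_type != IB_QPT_GSI)
 rc = dev->ops->rdma_modify_qp(dev->rdma_ctx,
 qp->qed_qp, &qp_params);
 
 if (attr_mask & IB_QP_STATE) {
 if ((qp->qp_type != IB_QPT_GSI) && (!udata))
-rc = qedr_update_qp_state(dev, qp, qp_params.new_state);
+rc = qedr_update_qp_state(dev, qp, cur_state,
+qp_params.new_state);
 qp->state = qp_params.new_state;
 }
 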
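Review bot: `1 << max_t(int, attr->timeout - 8, 0)` in the ack-timeout hunk clamps the shift count from below but not from above. `attr->timeout` comes in with the modify-QP attributes and is not range-checked anywhere in this hunk; a value of 39 already shifts into the sign bit of an `int`, and 40 or more is undefined behaviour. Unless an earlier check in this function or in the core limits it to the 5-bit range the InfiniBand spec defines for this field, bound it here, e.g. `qp_params.ack_timeout = 1U << clamp_t(int, attr->timeout - 8, 0, 31);`, or reject out-of-range values with `-EINVAL`. The enclosing function starts and ends outside the hunk.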
+2
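--- a/include/rdma/ib_addr.h
+++ b/include/rdma/ib_addr.h
@@ -130,6 +130,8 @@
 const unsigned char *dst_dev_addr);
 
 int rdma_addr_size(struct sockaddr *addr);
+int rdma_addr_size_in6(struct sockaddr_in6 *addr);
+int rdma_addr_size_kss(struct __kernel_sockaddr_storage *addr);
 
 int rdma_addr_find_l2_eth_by_grh(const union ib_gid *sgid,
 const union ib_gid *dgid,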