- 13 Jul, 2018 3 commits
-
-
Leon Romanovsky authored
User's supplied index is checked again total number of system pages, but this number already includes num_static_sys_pages, so addition of that value to supplied index causes to below error while trying to access sys_pages[]. BUG: KASAN: slab-out-of-bounds in bfregn_to_uar_index+0x34f/0x400 Read of size 4 at addr ffff880065561904 by task syz-executor446/314 CPU: 0 PID: 314 Comm: syz-executor446 Not tainted 4.18.0-rc1+ #256 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.11.0-0-g63451fca13-prebuilt.qemu-project.org 04/01/2014 Call Trace: dump_stack+0xef/0x17e print_address_description+0x83/0x3b0 kasan_report+0x18d/0x4d0 bfregn_to_uar_index+0x34f/0x400 create_user_qp+0x272/0x227d create_qp_common+0x32eb/0x43e0 mlx5_ib_create_qp+0x379/0x1ca0 create_qp.isra.5+0xc94/0x22d0 ib_uverbs_create_qp+0x21b/0x2a0 ib_uverbs_write+0xc2c/0x1010 vfs_write+0x1b0/0x550 ksys_write+0xc6/0x1a0 do_syscall_64+0xa7/0x590 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x433679 Code: fd ff 48 81 c4 80 00 00 00 e9 f1 fe ff ff 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 3b 91 fd ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00007fff2b3d8e48 EFLAGS: 00000217 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 00000000004002f8 RCX: 0000000000433679 RDX: 0000000000000040 RSI: 0000000020000240 RDI: 0000000000000003 RBP: 00000000006d4018 R08: 00000000004002f8 R09: 00000000004002f8 R10: 00000000004002f8 R11: 0000000000000217 R12: 0000000000000000 R13: 000000000040cb00 R14: 000000000040cb90 R15: 0000000000000006 Allocated by task 314: kasan_kmalloc+0xa0/0xd0 __kmalloc+0x1a9/0x510 mlx5_ib_alloc_ucontext+0x966/0x2620 ib_uverbs_get_context+0x23f/0xa60 ib_uverbs_write+0xc2c/0x1010 __vfs_write+0x10d/0x720 vfs_write+0x1b0/0x550 ksys_write+0xc6/0x1a0 do_syscall_64+0xa7/0x590 entry_SYSCALL_64_after_hwframe+0x49/0xbe Freed by task 1: __kasan_slab_free+0x12e/0x180 kfree+0x159/0x630 kvfree+0x37/0x50 single_release+0x8e/0xf0 __fput+0x2d8/0x900 task_work_run+0x102/0x1f0 exit_to_usermode_loop+0x159/0x1c0 do_syscall_64+0x408/0x590 entry_SYSCALL_64_after_hwframe+0x49/0xbe The buggy address belongs to the object at ffff880065561100 which belongs to the cache kmalloc-4096 of size 4096 The buggy address is located 2052 bytes inside of 4096-byte region [ffff880065561100, ffff880065562100) The buggy address belongs to the page: page:ffffea0001955800 count:1 mapcount:0 mapping:ffff88006c402480 index:0x0 compound_mapcount: 0 flags: 0x4000000000008100(slab|head) raw: 4000000000008100 ffffea0001a7c000 0000000200000002 ffff88006c402480 raw: 0000000000000000 0000000080070007 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff880065561800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff880065561880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >ffff880065561900: 04 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ^ ffff880065561980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff880065561a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc Cc: <stable@vger.kernel.org> # 4.15 Fixes: 1ee47ab3 ("IB/mlx5: Enable QP creation with a given blue flame index") Reported-by:Noa Osherovich <noaos@mellanox.com> Signed-off-by:
Leon Romanovsky <leonro@mellanox.com> Signed-off-by:
Jason Gunthorpe <jgg@mellanox.com>
-
Leon Romanovsky authored
There is no need for three consecutive calls to alloc_bfreg(). It can be implemented with one function. Signed-off-by:
-
Raju Rangoju authored
This patch adds support for iw_cxb4 to extend cqes from existing 32Byte size to 64Byte. Also includes adds backward compatibility support (for 32Byte) to work with older libraries. Signed-off-by:
Raju Rangoju <rajur@chelsio.com> Reviewed-by:
Steve Wise <swise@opengridcomputing.com> Signed-off-by:
-
- 11 Jul, 2018 11 commits
-
-
Bart Van Assche authored
Signed-off-by:
Bart Van Assche <bart.vanassche@wdc.com> Signed-off-by:
-
Bart Van Assche authored
Avoid that the following compiler warning is reported when building with gcc 8: drivers/infiniband/hw/hfi1/verbs.c:1896:2: warning: 'strncpy' output may be truncated copying 64 bytes from a string of length 64 [-Wstringop-truncation] Signed-off-by:
Dennis Dalessandro <dennis.dalessandro@intel.com> Signed-off-by:
-
oulijun authored
This patch updates the implementation of set_mac by using command queue instead of directly writing registers. Signed-off-by:
Lijun Ou <oulijun@huawei.com> Signed-off-by:
Yixian Liu <liuyixian@huawei.com> Signed-off-by:
Wei Hu (Xavier) <xavier.huwei@huawei.com> Signed-off-by:
-
oulijun authored
This patch updates the implementation of set_gid by using command queue instead of directly writing registers. Signed-off-by:
-
oulijun authored
In hip08, the TPQ(Timer Poll Queue) should be extended to host memory. This patch adds the support of TPQ. Signed-off-by:
-
oulijun authored
In hip08, TSQ(Transport Service Queue) should be extended to host memory to store the doorbells. This patch adds the support of creating TSQ, and then configured to the hardware. Signed-off-by:
-
oulijun authored
This patch removes the warnings reported by sparse. Signed-off-by:
-
Bart Van Assche authored
This patch does not change any functionality but avoids that sparse reports the following: drivers/infiniband/hw/ocrdma/ocrdma_verbs.c:1818:31: warning: context imbalance in 'ocrdma_destroy_qp' - different lock contexts for basic block Compile-tested only. Signed-off-by:
-
Arnd Bergmann authored
The nes infiniband driver uses current_kernel_time() to get a nanosecond granunarity timestamp to initialize its tcp sequence counters. This is one of only a few remaining users of that deprecated function, so we should try to get rid of it. Aside from using a deprecated API, there are several problems I see here: - Using a CLOCK_REALTIME based time source makes it predictable in case the time base is synchronized. - Using a coarse timestamp means it only gets updated once per jiffie, making it even more predictable in order to avoid having to access the hardware clock source - The upper 2 bits are always zero because the nanoseconds are at most 999999999. For the Linux TCP implementation, we use secure_tcp_seq(), which appears to be appropriate here as well, and solves all the above problems. i40iw uses a variant of the same code, so I do that same thing there for ipv4. Unlike nes, i40e also supports ipv6, which needs to call secure_tcpv6_seq instead. Acked-by:
Shiraz Saleem <shiraz.saleem@intel.com> Signed-off-by:
Arnd Bergmann <arnd@arndb.de> Signed-off-by:
-
Bart Van Assche authored
Avoid that the compiler reports the following when building with W=1: drivers/infiniband/hw/nes/nes_utils.c: In function 'nes_arp_table': drivers/infiniband/hw/nes/nes_utils.c:689:9: warning: variable 'tmp_addr' set but not used [-Wunused-but-set-variable] __be32 tmp_addr; ^~~~~~~~ drivers/infiniband/hw/nes/nes_hw.c: In function 'flush_wqes': drivers/infiniband/hw/nes/nes_hw.c:3840:6: warning: variable 'ret' set but not used [-Wunused-but-set-variable] int ret; ^~~ drivers/infiniband/hw/nes/nes_verbs.c: In function 'nes_setup_virt_qp': drivers/infiniband/hw/nes/nes_verbs.c:811:6: warning: variable 'pbl_entries' set but not used [-Wunused-but-set-variable] u32 pbl_entries; ^~~~~~~~~~~ drivers/infiniband/hw/nes/nes_verbs.c: In function 'nes_dereg_mr': drivers/infiniband/hw/nes/nes_verbs.c:2487:6: warning: variable 'minor_code' set but not used [-Wunused-but-set-variable] u16 minor_code; ^~~~~~~~~~ drivers/infiniband/hw/nes/nes_cm.c: In function 'mini_cm_recv_pkt': drivers/infiniband/hw/nes/nes_cm.c:2570:20: warning: variable 'tmp_saddr' set but not used [-Wunused-but-set-variable] __be32 tmp_daddr, tmp_saddr; ^~~~~~~~~ drivers/infiniband/hw/nes/nes_cm.c:2570:9: warning: variable 'tmp_daddr' set but not used [-Wunused-but-set-variable] __be32 tmp_daddr, tmp_saddr; ^~~~~~~~~ drivers/infiniband/hw/nes/nes_cm.c: In function 'cm_event_connected': drivers/infiniband/hw/nes/nes_cm.c:3578:22: warning: variable 'raddr' set but not used [-Wunused-but-set-variable] struct sockaddr_in *raddr; ^~~~~ drivers/infiniband/hw/nes/nes_cm.c: In function 'cm_event_reset': drivers/infiniband/hw/nes/nes_cm.c:3753:6: warning: variable 'ret' set but not used [-Wunused-but-set-variable] int ret; ^~~ Signed-off-by: -
Jason Gunthorpe authored
In some configurations even gcc 7 cannot unravel this complexity and still throws a warning. Fixes: 4ab39e2f ("RDMA/cxgb4: Make c4iw_poll_cq_one() easier to analyze") Reported-by:
Stephen Rothwell <sfr@canb.auug.org.au> Reviewed-by:
-
- 10 Jul, 2018 6 commits
-
-
Yishai Hadas authored
Enable uverbs_destroy_def_handler to be used by drivers and replace current code to use it. Signed-off-by:
Yishai Hadas <yishaih@mellanox.com> Signed-off-by:
-
Jan Dakinevich authored
An array of pointers to SRPT contexts in ib_device is over 30KiB even in default case, in which an amount of contexts is 4095. The patch is intended to weed out large contigous allocation for non-DMA memory. Signed-off-by:
Jan Dakinevich <jan.dakinevich@virtuozzo.com> Reviewed-by:
-
Artemy Kovalyov authored
Userspace also needs to know if the port requires GRHs to properly form the AVs it creates. Signed-off-by:
Artemy Kovalyov <artemyko@mellanox.com> Signed-off-by:
-
Artemy Kovalyov authored
Extend the existing grh_required flag to check when AV's are handled that a GRH is present. Since we don't want to do query_port during the AV checks for performance reasons move the flag into the immutable_data. Signed-off-by:
-
Jason Gunthorpe authored
grh_required is intended to be a global setting where all AV's will require a GRH, not just the sm_lid. Move the special logic to the creation of the SM AH. Signed-off-by:
-
Jason Gunthorpe authored
The internal flag IP_BASED_GIDS was added to a field that was being used to hold the port Info CapabilityMask without considering the effects this will have. Since most drivers just use the value from the HW MAD it means IP_BASED_GIDS will also become set on any HW that sets the IBA flag IsOtherLocalChangesNoticeSupported - which is not intended. Fix this by keeping port_cap_flags only for the IBA CapabilityMask value and store unrelated flags externally. Move the bit definitions for this to ib_mad.h to make it clear what is happening. To keep the uAPI unchanged define a new set of flags in the uapi header that are only used by ib_uverbs_query_port_resp.port_cap_flags which match the current flags supported in rdma-core, and the values exposed by the current kernel. Fixes: b4a26a27 ("IB: Report using RoCE IP based gids in port caps") Signed-off-by:
-
- 09 Jul, 2018 20 commits
-
-
Kamal Heib authored
The proper return code is -EOPNOTSUPP and not -ENOSYS when the function isn't supported, also make sure to return the right error code from ipoib_transport_dev_init() when ipoib_cm_dev_init() is supported. Signed-off-by:
Kamal Heib <kamalheib1@gmail.com> Signed-off-by:
-
Parav Pandit authored
roce_resolve_route_from_path() resolves the route based on the netdevice of the GID attribute, therefore there is no point in checking again if the route is resolved matches the same interface it arrived. Signed-off-by:
Parav Pandit <parav@mellanox.com> Signed-off-by:
-
Parav Pandit authored
It is incorrect to depend on set_id value to know if counters were allocated or not. set_id_valid field is set to true when counters were allocated. Therefore, use set_id_valid while deciding to free counters. Cc: <stable@vger.kernel.org> # 4.15 Fixes: aac4492e ("IB/mlx5: Update counter implementation for dual port RoCE") Signed-off-by:
Daniel Jurgens <danielj@mellanox.com> Signed-off-by:
-
Leon Romanovsky authored
Clean up a little bit code to drop unused port_num parameter. Signed-off-by:
-
Jason Gunthorpe authored
Instead we are now checking the function pointers directly. Get rid of both cases in ioctl and drop the nonsense idea that destroy can fail. Signed-off-by:
-
Jann Horn authored
In general, accessing userspace memory beyond the length of the supplied buffer in VFS read/write handlers can lead to both kernel memory corruption (via kernel_read()/kernel_write(), which can e.g. be triggered via sys_splice()) and privilege escalation inside userspace. In this case, the affected files are in debugfs (and should therefore only be accessible to root), and the read handlers check that *pos is zero (meaning that at least sys_splice() can't trigger kernel memory corruption). Because of the root requirement, this is not a security fix, but rather a cleanup. For the read handlers, fix it by using simple_read_from_buffer() instead of custom logic. Add min() calls to the write handlers. Fixes: 4a2da0b8 ("IB/mlx5: Add debug control parameters for congestion control") Fixes: e126ba97 ("mlx5: Add driver for Mellanox Connect-IB adapters") Signed-off-by:
Jann Horn <jannh@google.com> Reviewed-by:
-
Bart Van Assche authored
Fixes: 0e353e34 ("IB/core: add RW API support for signature MRs") Signed-off-by:
-
Bart Van Assche authored
Introduce the function __c4iw_poll_cq_one() such that c4iw_poll_cq_one() becomes easier to analyze for static source code analyzers. This patch avoids that sparse reports the following: drivers/infiniband/hw/cxgb4/cq.c:401:36: warning: context imbalance in 'c4iw_flush_hw_cq' - unexpected unlock drivers/infiniband/hw/cxgb4/cq.c:824:9: warning: context imbalance in 'c4iw_poll_cq_one' - different lock contexts for basic block Compile-tested only. Signed-off-by:
-
Bart Van Assche authored
Introduce the function __iwch_poll_cq_one() to make iwch_poll_cq_one() easier to analyze for static source code analyzers. This patch avoids that sparse reports the following: drivers/infiniband/hw/cxgb3/iwch_cq.c:187:9: warning: context imbalance in 'iwch_poll_cq_one' - different lock contexts for basic block Compile-tested only. Signed-off-by:
-
Bart Van Assche authored
This patch not only simplifies the error handling code in rxe_create_ah() but also removes the dead code that was left behind by commit 47ec3866 ("RDMA: Convert drivers to use sgid_attr instead of sgid_index"). Signed-off-by:
-
Bart Van Assche authored
This patch does not change any functionality. Signed-off-by:
-
Bart Van Assche authored
Signed-off-by:
-
Bart Van Assche authored
Avoid that the following compiler warning is reported when building with W=1: drivers/infiniband/hw/nes/nes_hw.c:646:51: warning: suggest braces around empty body in an 'if' statement [-Wempty-body] Signed-off-by:
-
Bart Van Assche authored
Signed-off-by:
-
Bart Van Assche authored
Remove these two functions since all their callers have been removed. See also commit ea8c2d8f ("RDMA/core: Remove unused ib cache functions"). Signed-off-by:
-
Kamal Heib authored
Make sure to use sizeof(...) instead of sizeof ... which is more preferred. Signed-off-by:
-
Kamal Heib authored
This commit replaces all the unsigned definitions in favour of 'unsigned int' which is preferred. Signed-off-by:
-
Kamal Heib authored
Use min_t() macro to avoid the casting when using min() macro, also fix the type of "length" and "wc->byte_len" to be "unsigned int" and "u32" which is the right type for each one of them. Signed-off-by:
-
Håkon Bugge authored
In cm_form_tid(), a two bit message sequence number is OR'ed into bit 31-30 of the lower TID value. After commit f06d2653 ("IB/cm: Randomize starting comm ID"), the local_id is XOR'ed with a 32-bit random value. Hence, bit 31-30 in the lower TID now has an arbitrarily value and it makes no sense to OR in the message sequence number. Adding to that, the evolution in use of IDR routines in cm_alloc_id() has always had the possibility of returning a value with bit 30 set. In addition, said bits are never checked. Hence, remove the encoding and the corresponding enum. Signed-off-by:
Håkon Bugge <haakon.bugge@oracle.com> Signed-off-by:
-
Jason Gunthorpe authored
Now that ib_uobject has a ib_uverbs_file we don't need this extra one in ib_ucq_object. Signed-off-by:
-
