1. 15 Mar, 2018 8 commits
  2. 14 Mar, 2018 20 commits
    • Doug Ledford's avatar
      Merge branch 'k.o/wip/dl-for-rc' into k.o/wip/dl-for-next · 2d873449
      Doug Ledford authored
      Due to bug fixes found by the syzkaller bot and taken into the for-rc
      branch after development for the 4.17 merge window had already started
      being taken into the for-next branch, there were fairly non-trivial
      merge issues that would need to be resolved between the for-rc branch
      and the for-next branch.  This merge resolves those conflicts and
      provides a unified base upon which ongoing development for 4.17 can
      be based.
      
      Conflicts:
      	drivers/infiniband/hw/mlx5/main.c - Commit 42cea83f
      	(IB/mlx5: Fix cleanup order on unload) added to for-rc and
      	commit b5ca15ad (IB/mlx5: Add proper representors support)
      	add as part of the devel cycle both needed to modify the
      	init/de-init functions used by mlx5.  To support the new
      	representors, the new functions added by the cleanup patch
      	needed to be made non-static, and the init/de-init list
      	added by the representors patch needed to be modified to
      	match the init/de-init list changes made by the cleanup
      	patch.
      Updates:
      	drivers/infiniband/hw/mlx5/mlx5_ib.h - Update function
      	prototypes added by representors patch to reflect new function
      	names as changed by cleanup patch
      	drivers/infiniband/hw/mlx5/ib_rep.c - Update init/de-init
      	stage list to match new order from cleanup patch
      Signed-off-by: default avatarDoug Ledford <dledford@redhat.com>
      2d873449
    • Arnd Bergmann's avatar
      infiniband: bnxt_re: use BIT_ULL() for 64-bit bit masks · bd8602ca
      Arnd Bergmann authored
      On 32-bit targets, we otherwise get a warning about an impossible constant
      integer expression:
      
      In file included from include/linux/kernel.h:11,
                       from include/linux/interrupt.h:6,
                       from drivers/infiniband/hw/bnxt_re/ib_verbs.c:39:
      drivers/infiniband/hw/bnxt_re/ib_verbs.c: In function 'bnxt_re_query_device':
      include/linux/bitops.h:7:24: error: left shift count >= width of type [-Werror=shift-count-overflow]
       #define BIT(nr)   (1UL << (nr))
                              ^~
      drivers/infiniband/hw/bnxt_re/bnxt_re.h:61:34: note: in expansion of macro 'BIT'
       #define BNXT_RE_MAX_MR_SIZE_HIGH BIT(39)
                                        ^~~
      drivers/infiniband/hw/bnxt_re/bnxt_re.h:62:30: note: in expansion of macro 'BNXT_RE_MAX_MR_SIZE_HIGH'
       #define BNXT_RE_MAX_MR_SIZE  BNXT_RE_MAX_MR_SIZE_HIGH
                                    ^~~~~~~~~~~~~~~~~~~~~~~~
      drivers/infiniband/hw/bnxt_re/ib_verbs.c:149:25: note: in expansion of macro 'BNXT_RE_MAX_MR_SIZE'
        ib_attr->max_mr_size = BNXT_RE_MAX_MR_SIZE;
                               ^~~~~~~~~~~~~~~~~~~
      
      Fixes: 872f3578 ("RDMA/bnxt_re: Add support for MRs with Huge pages")
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Signed-off-by: default avatarJason Gunthorpe <jgg@mellanox.com>
      bd8602ca
    • Arnd Bergmann's avatar
      infiniband: qplib_fp: fix pointer cast · 5388a508
      Arnd Bergmann authored
      Building for a 32-bit target results in a couple of warnings from casting
      between a 32-bit pointer and a 64-bit integer:
      
      drivers/infiniband/hw/bnxt_re/qplib_fp.c: In function 'bnxt_qplib_service_nq':
      drivers/infiniband/hw/bnxt_re/qplib_fp.c:333:23: error: cast to pointer from integer of different size [-Werror=int-to-pointer-cast]
          bnxt_qplib_arm_srq((struct bnxt_qplib_srq *)q_handle,
                             ^
      drivers/infiniband/hw/bnxt_re/qplib_fp.c:336:12: error: cast to pointer from integer of different size [-Werror=int-to-pointer-cast]
                  (struct bnxt_qplib_srq *)q_handle,
                  ^
      In file included from include/linux/byteorder/little_endian.h:5,
                       from arch/arm/include/uapi/asm/byteorder.h:22,
                       from include/asm-generic/bitops/le.h:6,
                       from arch/arm/include/asm/bitops.h:342,
                       from include/linux/bitops.h:38,
                       from include/linux/kernel.h:11,
                       from include/linux/interrupt.h:6,
                       from drivers/infiniband/hw/bnxt_re/qplib_fp.c:39:
      drivers/infiniband/hw/bnxt_re/qplib_fp.c: In function 'bnxt_qplib_create_srq':
      include/uapi/linux/byteorder/little_endian.h:31:43: error: cast from pointer to integer of different size [-Werror=pointer-to-int-cast]
       #define __cpu_to_le64(x) ((__force __le64)(__u64)(x))
                                                 ^
      include/linux/byteorder/generic.h:86:21: note: in expansion of macro '__cpu_to_le64'
       #define cpu_to_le64 __cpu_to_le64
                           ^~~~~~~~~~~~~
      drivers/infiniband/hw/bnxt_re/qplib_fp.c:569:19: note: in expansion of macro 'cpu_to_le64'
        req.srq_handle = cpu_to_le64(srq);
      
      Using a uintptr_t as an intermediate works on all architectures.
      
      Fixes: 37cb11ac ("RDMA/bnxt_re: Add SRQ support for Broadcom adapters")
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Signed-off-by: default avatarJason Gunthorpe <jgg@mellanox.com>
      5388a508
    • Andrew Morton's avatar
      drivers/infiniband/ulp/srpt/ib_srpt.c: fix build with gcc-4.4.4 · 06892cc1
      Andrew Morton authored
      gcc-4.4.4 has issues with initialization of anonymous unions:
      
      drivers/infiniband/ulp/srpt/ib_srpt.c: In function 'srpt_zerolength_write':
      drivers/infiniband/ulp/srpt/ib_srpt.c:854: error: unknown field 'wr_cqe' specified in initializer
      drivers/infiniband/ulp/srpt/ib_srpt.c:854: warning: initialization makes integer from pointer without a cast
      
      Work aound this.
      
      Fixes: 2a78cb4d ("IB/srpt: Fix an out-of-bounds stack access in srpt_zerolength_write()")
      Cc: Bart Van Assche <bart.vanassche@wdc.com>
      Cc: Christoph Hellwig <hch@lst.de>
      Cc: Jason Gunthorpe <jgg@mellanox.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarDoug Ledford <dledford@redhat.com>
      06892cc1
    • Andrew Morton's avatar
      drivers/infiniband/core/verbs.c: fix build with gcc-4.4.4 · 6ee68773
      Andrew Morton authored
      gcc-4.4.4 has issues with initialization of anonymous unions.
      
      drivers/infiniband/core/verbs.c: In function '__ib_drain_sq':
      drivers/infiniband/core/verbs.c:2204: error: unknown field 'wr_cqe' specified in initializer
      drivers/infiniband/core/verbs.c:2204: warning: initialization makes integer from pointer without a cast
      
      Work around this.
      
      Fixes: a1ae7d03 ("RDMA/core: Avoid that ib_drain_qp() triggers an out-of-bounds stack access")
      Cc: Bart Van Assche <bart.vanassche@wdc.com>
      Cc: Steve Wise <swise@opengridcomputing.com>
      Cc: Sagi Grimberg <sagi@grimberg.me>
      Cc: Jason Gunthorpe <jgg@mellanox.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarDoug Ledford <dledford@redhat.com>
      6ee68773
    • Mark Bloch's avatar
      IB/mlx5: Fix cleanup order on unload · 42cea83f
      Mark Bloch authored
      On load we create private CQ/QP/PD in order to be used by UMR, we create
      those resources after we register ourself as an IB device, and we destroy
      them after we unregister as an IB device. This was changed by commit
      16c1975f ("IB/mlx5: Create profile infrastructure to add and remove
      stages") which moved the destruction before we unregistration. This
      allowed to trigger an invalid memory access when unloading mlx5_ib while
      there are open resources:
      
      BUG: unable to handle kernel paging request at 00000001002c012c
      ...
      Call Trace:
       mlx5_ib_post_send_wait+0x75/0x110 [mlx5_ib]
       __slab_free+0x9a/0x2d0
       delay_time_func+0x10/0x10 [mlx5_ib]
       unreg_umr.isra.15+0x4b/0x50 [mlx5_ib]
       mlx5_mr_cache_free+0x46/0x150 [mlx5_ib]
       clean_mr+0xc9/0x190 [mlx5_ib]
       dereg_mr+0xba/0xf0 [mlx5_ib]
       ib_dereg_mr+0x13/0x20 [ib_core]
       remove_commit_idr_uobject+0x16/0x70 [ib_uverbs]
       uverbs_cleanup_ucontext+0xe8/0x1a0 [ib_uverbs]
       ib_uverbs_cleanup_ucontext.isra.9+0x19/0x40 [ib_uverbs]
       ib_uverbs_remove_one+0x162/0x2e0 [ib_uverbs]
       ib_unregister_device+0xd4/0x190 [ib_core]
       __mlx5_ib_remove+0x2e/0x40 [mlx5_ib]
       mlx5_remove_device+0xf5/0x120 [mlx5_core]
       mlx5_unregister_interface+0x37/0x90 [mlx5_core]
       mlx5_ib_cleanup+0xc/0x225 [mlx5_ib]
       SyS_delete_module+0x153/0x230
       do_syscall_64+0x62/0x110
       entry_SYSCALL_64_after_hwframe+0x21/0x86
      ...
      
      We restore the original behavior by breaking the UMR stage into two parts,
      pre and post IB registration stages, this way we can restore the original
      functionality and maintain clean separation of logic between stages.
      
      Fixes: 16c1975f ("IB/mlx5: Create profile infrastructure to add and remove stages")
      Signed-off-by: default avatarMark Bloch <markb@mellanox.com>
      Signed-off-by: default avatarLeon Romanovsky <leonro@mellanox.com>
      Signed-off-by: default avatarDoug Ledford <dledford@redhat.com>
      42cea83f
    • Martin Wilck's avatar
      rdma_rxe: make rxe work over 802.1q VLAN devices · 43c9fc50
      Martin Wilck authored
      This patch fixes RDMA/rxe over 802.1q VLAN devices.
      
      Without it, I observed the following behavior:
      
      a) adding a VLAN device to RXE via rxe_net_add() creates a non-functional
         RDMA device. This is caused by the logic in enum_all_gids_of_dev_cb() /
         is_eth_port_of_netdev(), which only considers networks connected to
         "upper devices" of the configured network device, resulting in an empty
         set of gids for a VLAN interface that is an "upper device" itself.
         Later attempts to connect via this rdma device fail in cma_acuire_dev()
         because no gids can be resolved.
      
      b) adding the master device of the VLAN device instead seems to work
         initially, target addresses via VLAN devices are resolved successfully.
         But the connection times out because no 802.1q VLAN headers are
         inserted in the ethernet packets, which are therefore never received.
         This happens because the RXE layer sends the packets via the master
         device rather than the VLAN device.
      
      The problem could be solved by changing either a) or b). My thinking was
      that the logic in a) was created deliberately, thus I decided to work on
      b). It turns out that the information about the VLAN interface for the gid
      at hand is available in the AV information. My patch converts the RXE code
      to use this netdev instead of rxe->ndev. With this change, RXE over vlan
      works on my test system.
      Signed-off-by: default avatarMartin Wilck <mwilck@suse.com>
      Reviewed-by: default avatarMoni Shoua <monis@mellanox.com>
      Signed-off-by: default avatarDoug Ledford <dledford@redhat.com>
      43c9fc50
    • Leon Romanovsky's avatar
      RDMA/ucma: Don't allow join attempts for unsupported AF family · 0c81ffc6
      Leon Romanovsky authored
      Users can provide garbage while calling to ucma_join_ip_multicast(),
      it will indirectly cause to rdma_addr_size() return 0, making the
      call to ucma_process_join(), which had the right checks, but it is
      better to check the input as early as possible.
      
      The following crash from syzkaller revealed it.
      
      kernel BUG at lib/string.c:1052!
      invalid opcode: 0000 [#1] SMP KASAN Dumping ftrace buffer:
         (ftrace buffer empty)
      Modules linked in:
      CPU: 0 PID: 4113 Comm: syz-executor0 Not tainted 4.16.0-rc5+ #261
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      RIP: 0010:fortify_panic+0x13/0x20 lib/string.c:1051
      RSP: 0018:ffff8801ca81f8f0 EFLAGS: 00010286
      RAX: 0000000000000022 RBX: 1ffff10039503f23 RCX: 0000000000000000
      RDX: 0000000000000022 RSI: 1ffff10039503ed3 RDI: ffffed0039503f12
      RBP: ffff8801ca81f8f0 R08: 0000000000000000 R09: 0000000000000000
      R10: 0000000000000006 R11: 0000000000000000 R12: ffff8801ca81f998
      R13: ffff8801ca81f938 R14: ffff8801ca81fa58 R15: 000000000000fa00
      FS:  0000000000000000(0000) GS:ffff8801db200000(0063) knlGS:000000000a12a900
      CS:  0010 DS: 002b ES: 002b CR0: 0000000080050033
      CR2: 0000000008138024 CR3: 00000001cbb58004 CR4: 00000000001606f0
      DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      Call Trace:
       memcpy include/linux/string.h:344 [inline]
       ucma_join_ip_multicast+0x36b/0x3b0 drivers/infiniband/core/ucma.c:1421
       ucma_write+0x2d6/0x3d0 drivers/infiniband/core/ucma.c:1633
       __vfs_write+0xef/0x970 fs/read_write.c:480
       vfs_write+0x189/0x510 fs/read_write.c:544
       SYSC_write fs/read_write.c:589 [inline]
       SyS_write+0xef/0x220 fs/read_write.c:581
       do_syscall_32_irqs_on arch/x86/entry/common.c:330 [inline]
       do_fast_syscall_32+0x3ec/0xf9f arch/x86/entry/common.c:392
       entry_SYSENTER_compat+0x70/0x7f arch/x86/entry/entry_64_compat.S:139
      RIP: 0023:0xf7f9ec99
      RSP: 002b:00000000ff8172cc EFLAGS: 00000282 ORIG_RAX: 0000000000000004
      RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000020000100
      RDX: 0000000000000063 RSI: 0000000000000000 RDI: 0000000000000000
      RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
      R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
      Code: 08 5b 41 5c 41 5d 41 5e 41 5f 5d c3 0f 0b 48 89 df e8 42 2c e3 fb eb de
      55 48 89 fe 48 c7 c7 80 75 98 86 48 89 e5 e8 85 95 94 fb <0f> 0b 90 90 90 90
      90 90 90 90 90 90 90 55 48 89 e5 41 57 41 56
      RIP: fortify_panic+0x13/0x20 lib/string.c:1051 RSP: ffff8801ca81f8f0
      
      Fixes: 5bc2b7b3 ("RDMA/ucma: Allow user space to specify AF_IB when joining multicast")
      Reported-by: <syzbot+2287ac532caa81900a4e@syzkaller.appspotmail.com>
      Signed-off-by: default avatarLeon Romanovsky <leonro@mellanox.com>
      Reviewed-by: default avatarSean Hefty <sean.hefty@intel.com>
      Signed-off-by: default avatarDoug Ledford <dledford@redhat.com>
      0c81ffc6
    • Leon Romanovsky's avatar
      RDMA/ucma: Fix access to non-initialized CM_ID object · 7688f2c3
      Leon Romanovsky authored
      The attempt to join multicast group without ensuring that CMA device
      exists will lead to the following crash reported by syzkaller.
      
      [   64.076794] BUG: KASAN: null-ptr-deref in rdma_join_multicast+0x26e/0x12c0
      [   64.076797] Read of size 8 at addr 00000000000000b0 by task join/691
      [   64.076797]
      [   64.076800] CPU: 1 PID: 691 Comm: join Not tainted 4.16.0-rc1-00219-gb97853b65b93 #23
      [   64.076802] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.11.0-0-g63451fca13-prebuilt.qemu-proj4
      [   64.076803] Call Trace:
      [   64.076809]  dump_stack+0x5c/0x77
      [   64.076817]  kasan_report+0x163/0x380
      [   64.085859]  ? rdma_join_multicast+0x26e/0x12c0
      [   64.086634]  rdma_join_multicast+0x26e/0x12c0
      [   64.087370]  ? rdma_disconnect+0xf0/0xf0
      [   64.088579]  ? __radix_tree_replace+0xc3/0x110
      [   64.089132]  ? node_tag_clear+0x81/0xb0
      [   64.089606]  ? idr_alloc_u32+0x12e/0x1a0
      [   64.090517]  ? __fprop_inc_percpu_max+0x150/0x150
      [   64.091768]  ? tracing_record_taskinfo+0x10/0xc0
      [   64.092340]  ? idr_alloc+0x76/0xc0
      [   64.092951]  ? idr_alloc_u32+0x1a0/0x1a0
      [   64.093632]  ? ucma_process_join+0x23d/0x460
      [   64.094510]  ucma_process_join+0x23d/0x460
      [   64.095199]  ? ucma_migrate_id+0x440/0x440
      [   64.095696]  ? futex_wake+0x10b/0x2a0
      [   64.096159]  ucma_join_multicast+0x88/0xe0
      [   64.096660]  ? ucma_process_join+0x460/0x460
      [   64.097540]  ? _copy_from_user+0x5e/0x90
      [   64.098017]  ucma_write+0x174/0x1f0
      [   64.098640]  ? ucma_resolve_route+0xf0/0xf0
      [   64.099343]  ? rb_erase_cached+0x6c7/0x7f0
      [   64.099839]  __vfs_write+0xc4/0x350
      [   64.100622]  ? perf_syscall_enter+0xe4/0x5f0
      [   64.101335]  ? kernel_read+0xa0/0xa0
      [   64.103525]  ? perf_sched_cb_inc+0xc0/0xc0
      [   64.105510]  ? syscall_exit_register+0x2a0/0x2a0
      [   64.107359]  ? __switch_to+0x351/0x640
      [   64.109285]  ? fsnotify+0x899/0x8f0
      [   64.111610]  ? fsnotify_unmount_inodes+0x170/0x170
      [   64.113876]  ? __fsnotify_update_child_dentry_flags+0x30/0x30
      [   64.115813]  ? ring_buffer_record_is_on+0xd/0x20
      [   64.117824]  ? __fget+0xa8/0xf0
      [   64.119869]  vfs_write+0xf7/0x280
      [   64.122001]  SyS_write+0xa1/0x120
      [   64.124213]  ? SyS_read+0x120/0x120
      [   64.126644]  ? SyS_read+0x120/0x120
      [   64.128563]  do_syscall_64+0xeb/0x250
      [   64.130732]  entry_SYSCALL_64_after_hwframe+0x21/0x86
      [   64.132984] RIP: 0033:0x7f5c994ade99
      [   64.135699] RSP: 002b:00007f5c99b97d98 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
      [   64.138740] RAX: ffffffffffffffda RBX: 00000000200001e4 RCX: 00007f5c994ade99
      [   64.141056] RDX: 00000000000000a0 RSI: 00000000200001c0 RDI: 0000000000000015
      [   64.143536] RBP: 00007f5c99b97ec0 R08: 0000000000000000 R09: 0000000000000000
      [   64.146017] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f5c99b97fc0
      [   64.148608] R13: 0000000000000000 R14: 00007fff660e1c40 R15: 00007f5c99b989c0
      [   64.151060]
      [   64.153703] Disabling lock debugging due to kernel taint
      [   64.156032] BUG: unable to handle kernel NULL pointer dereference at 00000000000000b0
      [   64.159066] IP: rdma_join_multicast+0x26e/0x12c0
      [   64.161451] PGD 80000001d0298067 P4D 80000001d0298067 PUD 1dea39067 PMD 0
      [   64.164442] Oops: 0000 [#1] SMP KASAN PTI
      [   64.166817] CPU: 1 PID: 691 Comm: join Tainted: G    B 4.16.0-rc1-00219-gb97853b65b93 #23
      [   64.170004] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.11.0-0-g63451fca13-prebuilt.qemu-proj4
      [   64.174985] RIP: 0010:rdma_join_multicast+0x26e/0x12c0
      [   64.177246] RSP: 0018:ffff8801c8207860 EFLAGS: 00010282
      [   64.179901] RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff94789522
      [   64.183344] RDX: 1ffffffff2d50fa5 RSI: 0000000000000297 RDI: 0000000000000297
      [   64.186237] RBP: ffff8801c8207a50 R08: 0000000000000000 R09: ffffed0039040ea7
      [   64.189328] R10: 0000000000000001 R11: ffffed0039040ea6 R12: 0000000000000000
      [   64.192634] R13: 0000000000000000 R14: ffff8801e2022800 R15: ffff8801d4ac2400
      [   64.196105] FS:  00007f5c99b98700(0000) GS:ffff8801e5d00000(0000) knlGS:0000000000000000
      [   64.199211] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [   64.202046] CR2: 00000000000000b0 CR3: 00000001d1c48004 CR4: 00000000003606a0
      [   64.205032] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      [   64.208221] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      [   64.211554] Call Trace:
      [   64.213464]  ? rdma_disconnect+0xf0/0xf0
      [   64.216124]  ? __radix_tree_replace+0xc3/0x110
      [   64.219337]  ? node_tag_clear+0x81/0xb0
      [   64.222140]  ? idr_alloc_u32+0x12e/0x1a0
      [   64.224422]  ? __fprop_inc_percpu_max+0x150/0x150
      [   64.226588]  ? tracing_record_taskinfo+0x10/0xc0
      [   64.229763]  ? idr_alloc+0x76/0xc0
      [   64.232186]  ? idr_alloc_u32+0x1a0/0x1a0
      [   64.234505]  ? ucma_process_join+0x23d/0x460
      [   64.237024]  ucma_process_join+0x23d/0x460
      [   64.240076]  ? ucma_migrate_id+0x440/0x440
      [   64.243284]  ? futex_wake+0x10b/0x2a0
      [   64.245302]  ucma_join_multicast+0x88/0xe0
      [   64.247783]  ? ucma_process_join+0x460/0x460
      [   64.250841]  ? _copy_from_user+0x5e/0x90
      [   64.253878]  ucma_write+0x174/0x1f0
      [   64.257008]  ? ucma_resolve_route+0xf0/0xf0
      [   64.259877]  ? rb_erase_cached+0x6c7/0x7f0
      [   64.262746]  __vfs_write+0xc4/0x350
      [   64.265537]  ? perf_syscall_enter+0xe4/0x5f0
      [   64.267792]  ? kernel_read+0xa0/0xa0
      [   64.270358]  ? perf_sched_cb_inc+0xc0/0xc0
      [   64.272575]  ? syscall_exit_register+0x2a0/0x2a0
      [   64.275367]  ? __switch_to+0x351/0x640
      [   64.277700]  ? fsnotify+0x899/0x8f0
      [   64.280530]  ? fsnotify_unmount_inodes+0x170/0x170
      [   64.283156]  ? __fsnotify_update_child_dentry_flags+0x30/0x30
      [   64.286182]  ? ring_buffer_record_is_on+0xd/0x20
      [   64.288749]  ? __fget+0xa8/0xf0
      [   64.291136]  vfs_write+0xf7/0x280
      [   64.292972]  SyS_write+0xa1/0x120
      [   64.294965]  ? SyS_read+0x120/0x120
      [   64.297474]  ? SyS_read+0x120/0x120
      [   64.299751]  do_syscall_64+0xeb/0x250
      [   64.301826]  entry_SYSCALL_64_after_hwframe+0x21/0x86
      [   64.304352] RIP: 0033:0x7f5c994ade99
      [   64.306711] RSP: 002b:00007f5c99b97d98 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
      [   64.309577] RAX: ffffffffffffffda RBX: 00000000200001e4 RCX: 00007f5c994ade99
      [   64.312334] RDX: 00000000000000a0 RSI: 00000000200001c0 RDI: 0000000000000015
      [   64.315783] RBP: 00007f5c99b97ec0 R08: 0000000000000000 R09: 0000000000000000
      [   64.318365] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f5c99b97fc0
      [   64.320980] R13: 0000000000000000 R14: 00007fff660e1c40 R15: 00007f5c99b989c0
      [   64.323515] Code: e8 e8 79 08 ff 4c 89 ff 45 0f b6 a7 b8 01 00 00 e8 68 7c 08 ff 49 8b 1f 4d 89 e5 49 c1 e4 04 48 8
      [   64.330753] RIP: rdma_join_multicast+0x26e/0x12c0 RSP: ffff8801c8207860
      [   64.332979] CR2: 00000000000000b0
      [   64.335550] ---[ end trace 0c00c17a408849c1 ]---
      
      Reported-by: <syzbot+e6aba77967bd72cbc9d6@syzkaller.appspotmail.com>
      Fixes: c8f6a362 ("RDMA/cma: Add multicast communication support")
      Signed-off-by: default avatarLeon Romanovsky <leonro@mellanox.com>
      Reviewed-by: default avatarSean Hefty <sean.hefty@intel.com>
      Signed-off-by: default avatarDoug Ledford <dledford@redhat.com>
      7688f2c3
    • Arnd Bergmann's avatar
      RDMA/i40iw: include linux/irq.h · baa00fcd
      Arnd Bergmann authored
      We get a build failure on ARM unless the header is included explicitly:
      
      drivers/infiniband/hw/i40iw/i40iw_verbs.c: In function 'i40iw_get_vector_affinity':
      drivers/infiniband/hw/i40iw/i40iw_verbs.c:2747:9: error: implicit declaration of function 'irq_get_affinity_mask'; did you mean 'irq_create_affinity_masks'? [-Werror=implicit-function-declaration]
        return irq_get_affinity_mask(msix_vec->irq);
               ^~~~~~~~~~~~~~~~~~~~~
               irq_create_affinity_masks
      drivers/infiniband/hw/i40iw/i40iw_verbs.c:2747:9: error: returning 'int' from a function with return type 'const struct cpumask *' makes pointer from integer without a cast [-Werror=int-conversion]
        return irq_get_affinity_mask(msix_vec->irq);
      
      Fixes: 7e952b19 ("i40iw: Implement get_vector_affinity API")
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Signed-off-by: default avatarDoug Ledford <dledford@redhat.com>
      baa00fcd
    • Ilya Lesokhin's avatar
      IB/mlx5: Maintain a single emergency page · c44ef998
      Ilya Lesokhin authored
      The mlx5 driver needs to be able to issue invalidation to ODP MRs
      even if it cannot allocate memory. To this end it preallocates
      emergency pages to use when the situation arises.
      
      This flow should be extremely rare enough, that we don't need
      to worry about contention and therefore a single emergency page
      is good enough.
      Signed-off-by: default avatarIlya Lesokhin <ilyal@mellanox.com>
      Signed-off-by: default avatarLeon Romanovsky <leon@kernel.org>
      Signed-off-by: default avatarDoug Ledford <dledford@redhat.com>
      c44ef998
    • Daniel Jurgens's avatar
      IB/mlx5: Only synchronize RCU once when removing mkeys · 65edd0e7
      Daniel Jurgens authored
      Instead synchronizing RCU in a loop when removing mkeys in a batch do it
      once at the end before freeing them. The result is only waiting for one
      RCU grace period instead of many serially.
      Signed-off-by: default avatarDaniel Jurgens <danielj@mellanox.com>
      Signed-off-by: default avatarLeon Romanovsky <leon@kernel.org>
      Signed-off-by: default avatarDoug Ledford <dledford@redhat.com>
      65edd0e7
    • Mark Bloch's avatar
      IB/mlx5: Expose more priorities for bypass namespace · 72f7cc09
      Mark Bloch authored
      BYPASS namespace is used by the RDMA side to insert flow rules into
      the vport RX flow tables. Currently only 8 priorities are exposed,
      increase this to 16 to allow more flexibility. This change will also
      cause the BYPASS namespace to use 32 levels (as apposed to 16 today) of
      flow tables, 16 levels for regular rules and 16 for don't trap rules.
      Reviewed-by: default avatarMaor Gottlieb <maorg@mellanox.com>
      Signed-off-by: default avatarMark Bloch <markb@mellanox.com>
      Signed-off-by: default avatarLeon Romanovsky <leon@kernel.org>
      Signed-off-by: default avatarDoug Ledford <dledford@redhat.com>
      72f7cc09
    • Tatyana Nikolova's avatar
      RDMA/core: Do not use invalid destination in determining port reuse · 9dea9a2f
      Tatyana Nikolova authored
      cma_port_is_unique() allows local port reuse if the quad (source
      address and port, destination address and port) for this connection
      is unique. However, if the destination info is zero or unspecified, it
      can't make a correct decision but still allows port reuse. For example,
      sometimes rdma_bind_addr() is called with unspecified destination and
      reusing the port can lead to creating a connection with a duplicate quad,
      after the destination is resolved. The issue manifests when MPI scale-up
      tests hang after the duplicate quad is used.
      
      Set the destination address family and add checks for zero destination
      address and port to prevent source port reuse based on invalid destination.
      
      Fixes: 19b752a1 ("IB/cma: Allow port reuse for rdma_id")
      Reviewed-by: default avatarSean Hefty <sean.hefty@intel.com>
      Signed-off-by: default avatarTatyana Nikolova <tatyana.e.nikolova@intel.com>
      Signed-off-by: default avatarShiraz Saleem <shiraz.saleem@intel.com>
      Signed-off-by: default avatarDoug Ledford <dledford@redhat.com>
      9dea9a2f
    • Bart Van Assche's avatar
      IB/srp: Fix IPv6 address parsing · c62adb7d
      Bart Van Assche authored
      Split IPv6 addresses at the colon that separates the IPv6 address
      and the port number instead of at a colon in the middle of the IPv6
      address. Check whether the IPv6 address is surrounded with square
      brackets.
      
      Fixes: 19f31343 ("IB/srp: Add RDMA/CM support")
      Signed-off-by: default avatarBart Van Assche <bart.vanassche@wdc.com>
      Signed-off-by: default avatarDoug Ledford <dledford@redhat.com>
      c62adb7d
    • Leon Romanovsky's avatar
      RDMA/mlx5: Fix crash while accessing garbage pointer and freed memory · f3f134f5
      Leon Romanovsky authored
      The failure in rereg_mr flow caused to set garbage value (error value)
      into mr->umem pointer. This pointer is accessed at the release stage
      and it causes to the following crash.
      
      There is not enough to simply change umem to point to NULL, because the
      MR struct is needed to be accessed during MR deregistration phase, so
      delay kfree too.
      
      [    6.237617] BUG: unable to handle kernel NULL pointer dereference a 0000000000000228
      [    6.238756] IP: ib_dereg_mr+0xd/0x30
      [    6.239264] PGD 80000000167eb067 P4D 80000000167eb067 PUD 167f9067 PMD 0
      [    6.240320] Oops: 0000 [#1] SMP PTI
      [    6.240782] CPU: 0 PID: 367 Comm: dereg Not tainted 4.16.0-rc1-00029-gc198fafe0453 #183
      [    6.242120] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.7.5-0-ge51488c-20140602_164612-nilsson.home.kraxel.org 04/01/2014
      [    6.244504] RIP: 0010:ib_dereg_mr+0xd/0x30
      [    6.245253] RSP: 0018:ffffaf5d001d7d68 EFLAGS: 00010246
      [    6.246100] RAX: 0000000000000000 RBX: ffff95d4172daf00 RCX: 0000000000000000
      [    6.247414] RDX: 00000000ffffffff RSI: 0000000000000001 RDI: ffff95d41a317600
      [    6.248591] RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000
      [    6.249810] R10: ffff95d417033c10 R11: 0000000000000000 R12: ffff95d4172c3a80
      [    6.251121] R13: ffff95d4172c3720 R14: ffff95d4172c3a98 R15: 00000000ffffffff
      [    6.252437] FS:  0000000000000000(0000) GS:ffff95d41fc00000(0000) knlGS:0000000000000000
      [    6.253887] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [    6.254814] CR2: 0000000000000228 CR3: 00000000172b4000 CR4: 00000000000006b0
      [    6.255943] Call Trace:
      [    6.256368]  remove_commit_idr_uobject+0x1b/0x80
      [    6.257118]  uverbs_cleanup_ucontext+0xe4/0x190
      [    6.257855]  ib_uverbs_cleanup_ucontext.constprop.14+0x19/0x40
      [    6.258857]  ib_uverbs_close+0x2a/0x100
      [    6.259494]  __fput+0xca/0x1c0
      [    6.259938]  task_work_run+0x84/0xa0
      [    6.260519]  do_exit+0x312/0xb40
      [    6.261023]  ? __do_page_fault+0x24d/0x490
      [    6.261707]  do_group_exit+0x3a/0xa0
      [    6.262267]  SyS_exit_group+0x10/0x10
      [    6.262802]  do_syscall_64+0x75/0x180
      [    6.263391]  entry_SYSCALL_64_after_hwframe+0x21/0x86
      [    6.264253] RIP: 0033:0x7f1b39c49488
      [    6.264827] RSP: 002b:00007ffe2de05b68 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
      [    6.266049] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f1b39c49488
      [    6.267187] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
      [    6.268377] RBP: 00007f1b39f258e0 R08: 00000000000000e7 R09: ffffffffffffff98
      [    6.269640] R10: 00007f1b3a147260 R11: 0000000000000246 R12: 00007f1b39f258e0
      [    6.270783] R13: 00007f1b39f2ac20 R14: 0000000000000000 R15: 0000000000000000
      [    6.271943] Code: 74 07 31 d2 e9 25 d8 6c 00 b8 da ff ff ff c3 0f 1f
      44 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 8b 07 53 48 8b
      5f 08 <48> 8b 80 28 02 00 00 e8 f7 d7 6c 00 85 c0 75 04 3e ff 4b 18 5b
      [    6.274927] RIP: ib_dereg_mr+0xd/0x30 RSP: ffffaf5d001d7d68
      [    6.275760] CR2: 0000000000000228
      [    6.276200] ---[ end trace a35641f1c474bd20 ]---
      
      Fixes: e126ba97 ("mlx5: Add driver for Mellanox Connect-IB adapters")
      Cc: syzkaller <syzkaller@googlegroups.com>
      Cc: <stable@vger.kernel.org>
      Reported-by: default avatarNoa Osherovich <noaos@mellanox.com>
      Signed-off-by: default avatarLeon Romanovsky <leonro@mellanox.com>
      Signed-off-by: default avatarDoug Ledford <dledford@redhat.com>
      f3f134f5
    • Leon Romanovsky's avatar
      RDMA/verbs: Simplify modify QP check · 19b1f540
      Leon Romanovsky authored
      All callers to ib_modify_qp_is_ok() provides enum ib_qp_state
      makes the checks of out-of-scope redundant. Let's remove them
      together with updating function signature to return boolean result.
      Signed-off-by: default avatarLeon Romanovsky <leonro@mellanox.com>
      Reviewed-by: default avatarDennis Dalessandro <dennis.dalessandro@intel.com>
      Signed-off-by: default avatarDoug Ledford <dledford@redhat.com>
      19b1f540
    • Leon Romanovsky's avatar
      RDMA/pvrdma: Properly annotate QP states · fbf1795c
      Leon Romanovsky authored
      QP states provided by core layer are converted to enum ib_qp_state
      and better to use internal variable in that type instead of int.
      Signed-off-by: default avatarLeon Romanovsky <leonro@mellanox.com>
      Signed-off-by: default avatarDoug Ledford <dledford@redhat.com>
      fbf1795c
    • Leon Romanovsky's avatar
      RDMA/uverbs: Ensure validity of current QP state value · 88de869b
      Leon Romanovsky authored
      The QP state is internal enum which is checked at the driver
      level by calling to ib_modify_qp_is_ok(). Move this check closer
      to user and leave kernel users to be checked by compiler.
      Signed-off-by: default avatarLeon Romanovsky <leonro@mellanox.com>
      Reviewed-by: default avatarDennis Dalessandro <dennis.dalessandro@intel.com>
      Signed-off-by: default avatarDoug Ledford <dledford@redhat.com>
      88de869b
    • Leon Romanovsky's avatar
      RDMA/mlx5: Fix NULL dereference while accessing XRC_TGT QPs · 75a45982
      Leon Romanovsky authored
      mlx5 modify_qp() relies on FW that the error will be thrown if wrong
      state is supplied. The missing check in FW causes the following crash
      while using XRC_TGT QPs.
      
      [   14.769632] BUG: unable to handle kernel NULL pointer dereference at (null)
      [   14.771085] IP: mlx5_ib_modify_qp+0xf60/0x13f0
      [   14.771894] PGD 800000001472e067 P4D 800000001472e067 PUD 14529067 PMD 0
      [   14.773126] Oops: 0002 [#1] SMP PTI
      [   14.773763] CPU: 0 PID: 365 Comm: ubsan Not tainted 4.16.0-rc1-00038-g8151138c0793 #119
      [   14.775192] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.7.5-0-ge51488c-20140602_164612-nilsson.home.kraxel.org 04/01/2014
      [   14.777522] RIP: 0010:mlx5_ib_modify_qp+0xf60/0x13f0
      [   14.778417] RSP: 0018:ffffbf48001c7bd8 EFLAGS: 00010246
      [   14.779346] RAX: 0000000000000000 RBX: ffff9a8f9447d400 RCX: 0000000000000000
      [   14.780643] RDX: 0000000000000000 RSI: 000000000000000a RDI: 0000000000000000
      [   14.781930] RBP: 0000000000000000 R08: 00000000000217b0 R09: ffffffffbc9c1504
      [   14.783214] R10: fffff4a180519480 R11: ffff9a8f94523600 R12: ffff9a8f9493e240
      [   14.784507] R13: ffff9a8f9447d738 R14: 000000000000050a R15: 0000000000000000
      [   14.785800] FS:  00007f545b466700(0000) GS:ffff9a8f9fc00000(0000) knlGS:0000000000000000
      [   14.787073] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [   14.787792] CR2: 0000000000000000 CR3: 00000000144be000 CR4: 00000000000006b0
      [   14.788689] Call Trace:
      [   14.789007]  _ib_modify_qp+0x71/0x120
      [   14.789475]  modify_qp.isra.20+0x207/0x2f0
      [   14.790010]  ib_uverbs_modify_qp+0x90/0xe0
      [   14.790532]  ib_uverbs_write+0x1d2/0x3c0
      [   14.791049]  ? __handle_mm_fault+0x93c/0xe40
      [   14.791644]  __vfs_write+0x36/0x180
      [   14.792096]  ? handle_mm_fault+0xc1/0x210
      [   14.792601]  vfs_write+0xad/0x1e0
      [   14.793018]  SyS_write+0x52/0xc0
      [   14.793422]  do_syscall_64+0x75/0x180
      [   14.793888]  entry_SYSCALL_64_after_hwframe+0x21/0x86
      [   14.794527] RIP: 0033:0x7f545ad76099
      [   14.794975] RSP: 002b:00007ffd78787468 EFLAGS: 00000287 ORIG_RAX: 0000000000000001
      [   14.795958] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f545ad76099
      [   14.797075] RDX: 0000000000000078 RSI: 0000000020009000 RDI: 0000000000000003
      [   14.798140] RBP: 00007ffd78787470 R08: 00007ffd78787480 R09: 00007ffd78787480
      [   14.799207] R10: 00007ffd78787480 R11: 0000000000000287 R12: 00005599ada98760
      [   14.800277] R13: 00007ffd78787560 R14: 0000000000000000 R15: 0000000000000000
      [   14.801341] Code: 4c 8b 1c 24 48 8b 83 70 02 00 00 48 c7 83 cc 02 00
      00 00 00 00 00 48 c7 83 24 03 00 00 00 00 00 00 c7 83 2c 03 00 00 00 00
      00 00 <c7> 00 00 00 00 00 48 8b 83 70 02 00 00 c7 40 04 00 00 00 00 4c
      [   14.804012] RIP: mlx5_ib_modify_qp+0xf60/0x13f0 RSP: ffffbf48001c7bd8
      [   14.804838] CR2: 0000000000000000
      [   14.805288] ---[ end trace 3f1da0df5c8b7c37 ]---
      
      Cc: syzkaller <syzkaller@googlegroups.com>
      Reported-by: default avatarMaor Gottlieb <maorg@mellanox.com>
      Signed-off-by: default avatarLeon Romanovsky <leonro@mellanox.com>
      Signed-off-by: default avatarDoug Ledford <dledford@redhat.com>
      75a45982
  3. 13 Mar, 2018 10 commits
    • Zhu Yanjun's avatar
      IB: remove duplicate header files · 8a18e911
      Zhu Yanjun authored
      In hfi.h, the header file opa_addr.h is included twice.
      In vt.h, the header file mmap.h is included twice.
      Signed-off-by: default avatarZhu Yanjun <yanjun.zhu@oracle.com>
      Acked-by: default avatarDennis Dalessandro <dennis.dalessandro@intel.com>
      Signed-off-by: default avatarDoug Ledford <dledford@redhat.com>
      8a18e911
    • Yixian Liu's avatar
      RDMA/hns: Support cq record doorbell for kernel space · 86188a88
      Yixian Liu authored
      This patch updates to support cq record doorbell for
      the kernel space.
      Signed-off-by: default avatarYixian Liu <liuyixian@huawei.com>
      Signed-off-by: default avatarLijun Ou <oulijun@huawei.com>
      Signed-off-by: default avatarWei Hu (Xavier) <xavier.huwei@huawei.com>
      Signed-off-by: default avatarShaobo Xu <xushaobo2@huawei.com>
      Signed-off-by: default avatarDoug Ledford <dledford@redhat.com>
      86188a88
    • Yixian Liu's avatar
      RDMA/hns: Support rq record doorbell for kernel space · 472bc0fb
      Yixian Liu authored
      This patch updates to support rq record doorbell for
      the kernel space.
      Signed-off-by: default avatarYixian Liu <liuyixian@huawei.com>
      Signed-off-by: default avatarLijun Ou <oulijun@huawei.com>
      Signed-off-by: default avatarWei Hu (Xavier) <xavier.huwei@huawei.com>
      Signed-off-by: default avatarShaobo Xu <xushaobo2@huawei.com>
      Signed-off-by: default avatarDoug Ledford <dledford@redhat.com>
      472bc0fb
    • Yixian Liu's avatar
      RDMA/hns: Support cq record doorbell for the user space · 9b44703d
      Yixian Liu authored
      This patch updates to support cq record doorbell for
      the user space.
      Signed-off-by: default avatarYixian Liu <liuyixian@huawei.com>
      Signed-off-by: default avatarLijun Ou <oulijun@huawei.com>
      Signed-off-by: default avatarWei Hu (Xavier) <xavier.huwei@huawei.com>
      Signed-off-by: default avatarShaobo Xu <xushaobo2@huawei.com>
      Signed-off-by: default avatarDoug Ledford <dledford@redhat.com>
      9b44703d
    • Yixian Liu's avatar
      RDMA/hns: Support rq record doorbell for the user space · e088a685
      Yixian Liu authored
      This patch adds interfaces and definitions to support the rq record
      doorbell for the user space.
      Signed-off-by: default avatarYixian Liu <liuyixian@huawei.com>
      Signed-off-by: default avatarLijun Ou <oulijun@huawei.com>
      Signed-off-by: default avatarWei Hu (Xavier) <xavier.huwei@huawei.com>
      Signed-off-by: default avatarShaobo Xu <xushaobo2@huawei.com>
      Signed-off-by: default avatarDoug Ledford <dledford@redhat.com>
      e088a685
    • Boris Pismenny's avatar
      IB/mlx5: Fix integer overflows in mlx5_ib_create_srq · c2b37f76
      Boris Pismenny authored
      This patch validates user provided input to prevent integer overflow due
      to integer manipulation in the mlx5_ib_create_srq function.
      
      Cc: syzkaller <syzkaller@googlegroups.com>
      Fixes: e126ba97 ("mlx5: Add driver for Mellanox Connect-IB adapters")
      Signed-off-by: default avatarBoris Pismenny <borisp@mellanox.com>
      Signed-off-by: default avatarLeon Romanovsky <leon@kernel.org>
      Signed-off-by: default avatarDoug Ledford <dledford@redhat.com>
      c2b37f76
    • Boris Pismenny's avatar
      IB/mlx5: Fix out-of-bounds read in create_raw_packet_qp_rq · 2c292dbb
      Boris Pismenny authored
      Add a check for the length of the qpin structure to prevent out-of-bounds reads
      
      BUG: KASAN: slab-out-of-bounds in create_raw_packet_qp+0x114c/0x15e2
      Read of size 8192 at addr ffff880066b99290 by task syz-executor3/549
      
      CPU: 3 PID: 549 Comm: syz-executor3 Not tainted 4.15.0-rc2+ #27 Hardware
      name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.7.5-0-ge51488c-20140602_164612-nilsson.home.kraxel.org 04/01/2014
      Call Trace:
       dump_stack+0x8d/0xd4
       print_address_description+0x73/0x290
       kasan_report+0x25c/0x370
       ? create_raw_packet_qp+0x114c/0x15e2
       memcpy+0x1f/0x50
       create_raw_packet_qp+0x114c/0x15e2
       ? create_raw_packet_qp_tis.isra.28+0x13d/0x13d
       ? lock_acquire+0x370/0x370
       create_qp_common+0x2245/0x3b50
       ? destroy_qp_user.isra.47+0x100/0x100
       ? kasan_kmalloc+0x13d/0x170
       ? sched_clock_cpu+0x18/0x180
       ? fs_reclaim_acquire.part.15+0x5/0x30
       ? __lock_acquire+0xa11/0x1da0
       ? sched_clock_cpu+0x18/0x180
       ? kmem_cache_alloc_trace+0x17e/0x310
       ? mlx5_ib_create_qp+0x30e/0x17b0
       mlx5_ib_create_qp+0x33d/0x17b0
       ? sched_clock_cpu+0x18/0x180
       ? create_qp_common+0x3b50/0x3b50
       ? lock_acquire+0x370/0x370
       ? __radix_tree_lookup+0x180/0x220
       ? uverbs_try_lock_object+0x68/0xc0
       ? rdma_lookup_get_uobject+0x114/0x240
       create_qp.isra.5+0xce4/0x1e20
       ? ib_uverbs_ex_create_cq_cb+0xa0/0xa0
       ? copy_ah_attr_from_uverbs.isra.2+0xa00/0xa00
       ? ib_uverbs_cq_event_handler+0x160/0x160
       ? __might_fault+0x17c/0x1c0
       ib_uverbs_create_qp+0x21b/0x2a0
       ? ib_uverbs_destroy_cq+0x2e0/0x2e0
       ib_uverbs_write+0x55a/0xad0
       ? ib_uverbs_destroy_cq+0x2e0/0x2e0
       ? ib_uverbs_destroy_cq+0x2e0/0x2e0
       ? ib_uverbs_open+0x760/0x760
       ? futex_wake+0x147/0x410
       ? check_prev_add+0x1680/0x1680
       ? do_futex+0x3d3/0xa60
       ? sched_clock_cpu+0x18/0x180
       __vfs_write+0xf7/0x5c0
       ? ib_uverbs_open+0x760/0x760
       ? kernel_read+0x110/0x110
       ? lock_acquire+0x370/0x370
       ? __fget+0x264/0x3b0
       vfs_write+0x18a/0x460
       SyS_write+0xc7/0x1a0
       ? SyS_read+0x1a0/0x1a0
       ? trace_hardirqs_on_thunk+0x1a/0x1c
       entry_SYSCALL_64_fastpath+0x18/0x85
      RIP: 0033:0x4477b9
      RSP: 002b:00007f1822cadc18 EFLAGS: 00000292 ORIG_RAX: 0000000000000001
      RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 00000000004477b9
      RDX: 0000000000000070 RSI: 000000002000a000 RDI: 0000000000000005
      RBP: 0000000000708000 R08: 0000000000000000 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000292 R12: 00000000ffffffff
      R13: 0000000000005d70 R14: 00000000006e6e30 R15: 0000000020010ff0
      
      Allocated by task 549:
       __kmalloc+0x15e/0x340
       kvmalloc_node+0xa1/0xd0
       create_user_qp.isra.46+0xd42/0x1610
       create_qp_common+0x2e63/0x3b50
       mlx5_ib_create_qp+0x33d/0x17b0
       create_qp.isra.5+0xce4/0x1e20
       ib_uverbs_create_qp+0x21b/0x2a0
       ib_uverbs_write+0x55a/0xad0
       __vfs_write+0xf7/0x5c0
       vfs_write+0x18a/0x460
       SyS_write+0xc7/0x1a0
       entry_SYSCALL_64_fastpath+0x18/0x85
      
      Freed by task 368:
       kfree+0xeb/0x2f0
       kernfs_fop_release+0x140/0x180
       __fput+0x266/0x700
       task_work_run+0x104/0x180
       exit_to_usermode_loop+0xf7/0x110
       syscall_return_slowpath+0x298/0x370
       entry_SYSCALL_64_fastpath+0x83/0x85
      
      The buggy address belongs to the object at ffff880066b99180  which
      belongs to the cache kmalloc-512 of size 512 The buggy address is
      located 272 bytes inside of  512-byte region [ffff880066b99180,
      ffff880066b99380) The buggy address belongs to the page:
      page:000000006040eedd count:1 mapcount:0 mapping:          (null)
      index:0x0 compound_mapcount: 0
      flags: 0x4000000000008100(slab|head)
      raw: 4000000000008100 0000000000000000 0000000000000000 0000000180190019
      raw: ffffea00019a7500 0000000b0000000b ffff88006c403080 0000000000000000
      page dumped because: kasan: bad access detected
      
      Memory state around the buggy address:
       ffff880066b99180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
       ffff880066b99200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      >ffff880066b99280: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                               ^
       ffff880066b99300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
       ffff880066b99380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
      
      Cc: syzkaller <syzkaller@googlegroups.com>
      Fixes: 0fb2ed66 ("IB/mlx5: Add create and destroy functionality for Raw Packet QP")
      Signed-off-by: default avatarBoris Pismenny <borisp@mellanox.com>
      Signed-off-by: default avatarLeon Romanovsky <leon@kernel.org>
      Signed-off-by: default avatarDoug Ledford <dledford@redhat.com>
      2c292dbb
    • Bart Van Assche's avatar
      RDMA/bnxt_re: Remove an unused variable · 036ef0a1
      Bart Van Assche authored
      This patch does not change any functionality.
      Signed-off-by: default avatarBart Van Assche <bart.vanassche@wdc.com>
      Cc: Selvin Xavier <selvin.xavier@broadcom.com>
      Cc: Devesh Sharma <devesh.sharma@broadcom.com>
      Cc: Somnath Kotur <somnath.kotur@broadcom.com>
      Cc: Sriharsha Basavapatna <sriharsha.basavapatna@broadcom.com>
      Signed-off-by: default avatarDoug Ledford <dledford@redhat.com>
      036ef0a1
    • Bart Van Assche's avatar
      IB/hfi1: Fix a kernel-doc warning · 8932ff80
      Bart Van Assche authored
      Avoid that building with W=1 causes the following warning to appear:
      
      drivers/infiniband/hw/hfi1/qp.c:484: warning: Cannot understand * on line 484 - I thought it was a doc line
      Signed-off-by: default avatarBart Van Assche <bart.vanassche@wdc.com>
      Cc: Mike Marciniszyn <mike.marciniszyn@intel.com>
      Cc: Dennis Dalessandro <dennis.dalessandro@intel.com>
      Signed-off-by: default avatarDoug Ledford <dledford@redhat.com>
      8932ff80
    • Doug Ledford's avatar
      Merge tag 'mlx5-updates-2018-02-28-2' of... · 2ea32cd6
      Doug Ledford authored
      Merge tag 'mlx5-updates-2018-02-28-2' of git://git.kernel.org/pub/scm/linux/kernel/git/mellanox/linux into k.o/wip/dl-for-next
      
      mlx5-updates-2018-02-28-2 (IPSec-2)
      
      This series follows our previous one to lay out the foundations for IPSec
      in user-space and extend current kernel netdev IPSec support. As noted in
      our previous pull request cover letter "mlx5-updates-2018-02-28-1 (IPSec-1)",
      the IPSec mechanism will be supported through our flow steering mechanism.
      Therefore, we need to change the initialization order. Furthermore, IPsec
      is also supported in both egress and ingress. Since our current flow
      steering is egress only, we add an empty (only implemented through FPGA
      steering ops) egress namespace to handle that case. We also implement
      the required flow steering callbacks and logic in our FPGA driver.
      
      We extend the FPGA support for ESN and modifying a xfrm too. Therefore, we
      add support for some new FPGA command interface that supports them. The
      other required bits are added too. The new features and requirements are
      advertised via cap bits.
      
      Last but not least, we revise our driver's accel_esp API. This API will be
      shared between our netdev and IB driver, so we need to have all the required
      functionality from both worlds.
      
      Regards,
      Aviad and Matan
      Signed-off-by: default avatarDoug Ledford <dledford@redhat.com>
      2ea32cd6
  4. 09 Mar, 2018 2 commits
    • Leon Romanovsky's avatar
      RDMA/mlx5: Fix integer overflow while resizing CQ · 28e9091e
      Leon Romanovsky authored
      The user can provide very large cqe_size which will cause to integer
      overflow as it can be seen in the following UBSAN warning:
      
      =======================================================================
      UBSAN: Undefined behaviour in drivers/infiniband/hw/mlx5/cq.c:1192:53
      signed integer overflow:
      64870 * 65536 cannot be represented in type 'int'
      CPU: 0 PID: 267 Comm: syzkaller605279 Not tainted 4.15.0+ #90 Hardware
      name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
      rel-1.7.5-0-ge51488c-20140602_164612-nilsson.home.kraxel.org 04/01/2014
      Call Trace:
       dump_stack+0xde/0x164
       ? dma_virt_map_sg+0x22c/0x22c
       ubsan_epilogue+0xe/0x81
       handle_overflow+0x1f3/0x251
       ? __ubsan_handle_negate_overflow+0x19b/0x19b
       ? lock_acquire+0x440/0x440
       mlx5_ib_resize_cq+0x17e7/0x1e40
       ? cyc2ns_read_end+0x10/0x10
       ? native_read_msr_safe+0x6c/0x9b
       ? cyc2ns_read_end+0x10/0x10
       ? mlx5_ib_modify_cq+0x220/0x220
       ? sched_clock_cpu+0x18/0x200
       ? lookup_get_idr_uobject+0x200/0x200
       ? rdma_lookup_get_uobject+0x145/0x2f0
       ib_uverbs_resize_cq+0x207/0x3e0
       ? ib_uverbs_ex_create_cq+0x250/0x250
       ib_uverbs_write+0x7f9/0xef0
       ? cyc2ns_read_end+0x10/0x10
       ? print_irqtrace_events+0x280/0x280
       ? ib_uverbs_ex_create_cq+0x250/0x250
       ? uverbs_devnode+0x110/0x110
       ? sched_clock_cpu+0x18/0x200
       ? do_raw_spin_trylock+0x100/0x100
       ? __lru_cache_add+0x16e/0x290
       __vfs_write+0x10d/0x700
       ? uverbs_devnode+0x110/0x110
       ? kernel_read+0x170/0x170
       ? sched_clock_cpu+0x18/0x200
       ? security_file_permission+0x93/0x260
       vfs_write+0x1b0/0x550
       SyS_write+0xc7/0x1a0
       ? SyS_read+0x1a0/0x1a0
       ? trace_hardirqs_on_thunk+0x1a/0x1c
       entry_SYSCALL_64_fastpath+0x1e/0x8b
      RIP: 0033:0x433549
      RSP: 002b:00007ffe63bd1ea8 EFLAGS: 00000217
      =======================================================================
      
      Cc: syzkaller <syzkaller@googlegroups.com>
      Cc: <stable@vger.kernel.org> # 3.13
      Fixes: bde51583 ("IB/mlx5: Add support for resize CQ")
      Reported-by: default avatarNoa Osherovich <noaos@mellanox.com>
      Reviewed-by: default avatarYishai Hadas <yishaih@mellanox.com>
      Signed-off-by: default avatarLeon Romanovsky <leonro@mellanox.com>
      Signed-off-by: default avatarDoug Ledford <dledford@redhat.com>
      28e9091e
    • Doug Ledford's avatar
      Revert "RDMA/mlx5: Fix integer overflow while resizing CQ" · 212a0cbc
      Doug Ledford authored
      The original commit of this patch has a munged log message that is
      missing several of the tags the original author intended to be on the
      patch.  This was due to patchworks misinterpreting a cut-n-paste
      separator line as an end of message line and munging the mbox that was
      used to import the patch:
      
      https://patchwork.kernel.org/patch/10264089/
      
      The original patch will be reapplied with a fixed commit message so the
      proper tags are applied.
      
      This reverts commit aa0de36a.
      Signed-off-by: default avatarDoug Ledford <dledford@redhat.com>
      212a0cbc