iw_cxgb4: Cherrypicking 3 critical fixes from linux tree
authorArjun Vynipadath <arjun@chelsio.com>
Tue, 25 Sep 2018 07:05:10 +0000 (12:35 +0530)
committerArjun Vynipadath <arjun@chelsio.com>
Tue, 25 Sep 2018 07:05:10 +0000 (12:35 +0530)
Contains patches for the following 3 upstream commits:
308aa2b iw_cxgb4: only allow 1 flush on user qps
7b72717 iw_cxgb4: correctly enforce the max reg_mr depth
3cba33d iw_cxgb4: remove duplicate memcpy() in c4iw_create_listen()

linux-next-cherry-picks/0047-iw_cxgb4-remove-duplicate-memcpy-in-c4iw_create_list.patch [new file with mode: 0644]
linux-next-cherry-picks/0048-iw_cxgb4-correctly-enforce-the-max-reg_mr-depth.patch [new file with mode: 0644]
linux-next-cherry-picks/0050-iw_cxgb4-only-allow-1-flush-on-user-qps.patch [new file with mode: 0644]

diff --git a/linux-next-cherry-picks/0047-iw_cxgb4-remove-duplicate-memcpy-in-c4iw_create_list.patch b/linux-next-cherry-picks/0047-iw_cxgb4-remove-duplicate-memcpy-in-c4iw_create_list.patch
new file mode 100644 (file)
index 0000000..1baa86e
--- /dev/null
@@ -0,0 +1,34 @@
+From da310c6000c8346cfc5dae644779d1a443d6a61b Mon Sep 17 00:00:00 2001
+From: Bharat Potnuri <bharat@chelsio.com>
+Date: Fri, 15 Jun 2018 20:58:23 +0530
+Subject: [PATCH 1/3] iw_cxgb4: remove duplicate memcpy() in
+ c4iw_create_listen()
+
+memcpy() of mapped addresses is done twice in c4iw_create_listen(),
+removing the duplicate memcpy().
+
+Fixes: 170003c894d9 ("iw_cxgb4: remove port mapper related code")
+Reviewed-by: Steve Wise <swise@opengridcomputing.com>
+Signed-off-by: Potnuri Bharat Teja <bharat@chelsio.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+---
+ drivers/infiniband/hw/cxgb4/cm.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/drivers/infiniband/hw/cxgb4/cm.c b/drivers/infiniband/hw/cxgb4/cm.c
+index a924b05..569121e 100644
+--- a/drivers/infiniband/hw/cxgb4/cm.c
++++ b/drivers/infiniband/hw/cxgb4/cm.c
+@@ -3482,9 +3482,6 @@ int c4iw_create_listen(struct iw_cm_id *cm_id, int backlog)
+       }
+       insert_handle(dev, &dev->stid_idr, ep, ep->stid);
+-      memcpy(&ep->com.local_addr, &cm_id->m_local_addr,
+-             sizeof(ep->com.local_addr));
+-
+       state_set(&ep->com, LISTEN);
+       if (ep->com.local_addr.ss_family == AF_INET)
+               err = create_server4(dev, ep);
+-- 
+1.8.3.1
+
diff --git a/linux-next-cherry-picks/0048-iw_cxgb4-correctly-enforce-the-max-reg_mr-depth.patch b/linux-next-cherry-picks/0048-iw_cxgb4-correctly-enforce-the-max-reg_mr-depth.patch
new file mode 100644 (file)
index 0000000..a1bcc26
--- /dev/null
@@ -0,0 +1,34 @@
+From b6890bd132343763a69ab24547d277555c17adc4 Mon Sep 17 00:00:00 2001
+From: Steve Wise <swise@opengridcomputing.com>
+Date: Thu, 21 Jun 2018 07:43:21 -0700
+Subject: [PATCH 2/3] iw_cxgb4: correctly enforce the max reg_mr depth
+
+The code was mistakenly using the length of the page array memory instead
+of the depth of the page array.
+
+This would cause MR creation to fail in some cases.
+
+Fixes: 8376b86de7d3 ("iw_cxgb4: Support the new memory registration API")
+Cc: stable@vger.kernel.org
+Signed-off-by: Steve Wise <swise@opengridcomputing.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+---
+ drivers/infiniband/hw/cxgb4/mem.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/hw/cxgb4/mem.c b/drivers/infiniband/hw/cxgb4/mem.c
+index 6874cf2..0bdae67 100644
+--- a/drivers/infiniband/hw/cxgb4/mem.c
++++ b/drivers/infiniband/hw/cxgb4/mem.c
+@@ -784,7 +784,7 @@ static int c4iw_set_page(struct ib_mr *ibmr, u64 addr)
+ {
+       struct c4iw_mr *mhp = to_c4iw_mr(ibmr);
+-      if (unlikely(mhp->mpl_len == mhp->max_mpl_len))
++      if (unlikely(mhp->mpl_len == mhp->attr.pbl_size))
+               return -ENOMEM;
+       mhp->mpl[mhp->mpl_len++] = addr;
+-- 
+1.8.3.1
+
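Review bot: The guard in c4iw_set_page() is the only check bounding the store `mhp->mpl[mhp->mpl_len++] = addr`, and it is an equality test, so it stops rejecting once mpl_len is already past the limit; `if (unlikely(mhp->mpl_len >= mhp->attr.pbl_size))` fails closed instead. The hunk does not show how mpl is allocated, so confirm that attr.pbl_size can never exceed the number of u64 entries mpl was sized for. Going by the commit message, a comment such as `/* pbl_size is the MR depth in entries, not a byte length */` would record the unit that the old code got wrong. Because this patch is a verbatim upstream cherry-pick, either change presumably belongs upstream first. The function body continues past the end of the hunk.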
diff --git a/linux-next-cherry-picks/0050-iw_cxgb4-only-allow-1-flush-on-user-qps.patch b/linux-next-cherry-picks/0050-iw_cxgb4-only-allow-1-flush-on-user-qps.patch
new file mode 100644 (file)
index 0000000..3cad70f
--- /dev/null
@@ -0,0 +1,55 @@
+From b10155900107d299d0b1f55ab21c02e3f663d53e Mon Sep 17 00:00:00 2001
+From: Steve Wise <swise@opengridcomputing.com>
+Date: Fri, 31 Aug 2018 07:15:56 -0700
+Subject: [PATCH 3/3] iw_cxgb4: only allow 1 flush on user qps
+
+Once the qp has been flushed, it cannot be flushed again.  The user qp
+flush logic wasn't enforcing it however.  The bug can cause
+touch-after-free crashes like:
+
+Unable to handle kernel paging request for data at address 0x000001ec
+Faulting instruction address: 0xc008000016069100
+Oops: Kernel access of bad area, sig: 11 [#1]
+...
+NIP [c008000016069100] flush_qp+0x80/0x480 [iw_cxgb4]
+LR [c00800001606cd6c] c4iw_modify_qp+0x71c/0x11d0 [iw_cxgb4]
+Call Trace:
+[c00800001606cd6c] c4iw_modify_qp+0x71c/0x11d0 [iw_cxgb4]
+[c00800001606e868] c4iw_ib_modify_qp+0x118/0x200 [iw_cxgb4]
+[c0080000119eae80] ib_security_modify_qp+0xd0/0x3d0 [ib_core]
+[c0080000119c4e24] ib_modify_qp+0xc4/0x2c0 [ib_core]
+[c008000011df0284] iwcm_modify_qp_err+0x44/0x70 [iw_cm]
+[c008000011df0fec] destroy_cm_id+0xcc/0x370 [iw_cm]
+[c008000011ed4358] rdma_destroy_id+0x3c8/0x520 [rdma_cm]
+[c0080000134b0540] ucma_close+0x90/0x1b0 [rdma_ucm]
+[c000000000444da4] __fput+0xe4/0x2f0
+
+So fix flush_qp() to only flush the wq once.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Steve Wise <swise@opengridcomputing.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+---
+ drivers/infiniband/hw/cxgb4/qp.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/infiniband/hw/cxgb4/qp.c b/drivers/infiniband/hw/cxgb4/qp.c
+index f3f13fc..286c2a2 100644
+--- a/drivers/infiniband/hw/cxgb4/qp.c
++++ b/drivers/infiniband/hw/cxgb4/qp.c
+@@ -1394,6 +1394,12 @@ static void flush_qp(struct c4iw_qp *qhp)
+       schp = to_c4iw_cq(qhp->ibqp.send_cq);
+       if (qhp->ibqp.uobject) {
++
++              /* for user qps, qhp->wq.flushed is protected by qhp->mutex */
++              if (qhp->wq.flushed)
++                      return;
++
++              qhp->wq.flushed = 1;
+               t4_set_wq_in_error(&qhp->wq);
+               t4_set_cq_in_error(&rchp->cq);
+               spin_lock_irqsave(&rchp->comp_handler_lock, flag);
+-- 
+1.8.3.1
+
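Review bot: The new early return in flush_qp() relies on a locking rule that is stated only in the comment: nothing in the hunk checks that qhp->mutex is held when `qhp->wq.flushed` is tested and set. If every caller does hold it (the callers are outside this hunk), adding `lockdep_assert_held(&qhp->mutex);` before the test would make the comment a checked invariant on lockdep-enabled builds; an unlocked test-and-set would allow a second flush again, which is the condition the commit message ties to the touch-after-free oops. The blank line added directly after `if (qhp->ibqp.uobject) {` is also unnecessary. flush_qp() begins and ends outside the hunk.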