From 35455253c4860a2294b9c4a6eb56aec945ea09f5 Mon Sep 17 00:00:00 2001
From: Arjun Vynipadath
Date: Tue, 25 Sep 2018 12:35:10 +0530
Subject: [PATCH] iw_cxgb4: Cherrypicking 3 critical fixes from linux tree
Contains patches for below 3 upstream commits:
308aa2b iw_cxgb4: only allow 1 flush on user qps
7b72717 iw_cxgb4: correctly enforce the max reg_mr depth
3cba33d iw_cxgb4: remove duplicate memcpy() in c4iw_create_listen()
---
...duplicate-memcpy-in-c4iw_create_list.patch | 34 ++++++++++++
...rrectly-enforce-the-max-reg_mr-depth.patch | 34 ++++++++++++
...cxgb4-only-allow-1-flush-on-user-qps.patch | 55 +++++++++++++++++++
3 files changed, 123 insertions(+)
create mode 100644 linux-next-cherry-picks/0047-iw_cxgb4-remove-duplicate-memcpy-in-c4iw_create_list.patch
create mode 100644 linux-next-cherry-picks/0048-iw_cxgb4-correctly-enforce-the-max-reg_mr-depth.patch
create mode 100644 linux-next-cherry-picks/0050-iw_cxgb4-only-allow-1-flush-on-user-qps.patch
diff --git a/linux-next-cherry-picks/0047-iw_cxgb4-remove-duplicate-memcpy-in-c4iw_create_list.patch b/linux-next-cherry-picks/0047-iw_cxgb4-remove-duplicate-memcpy-in-c4iw_create_list.patch
new file mode 100644
index 0000000..1baa86e
--- /dev/null
+++ b/linux-next-cherry-picks/0047-iw_cxgb4-remove-duplicate-memcpy-in-c4iw_create_list.patch
@@ -0,0 +1,34 @@
+From da310c6000c8346cfc5dae644779d1a443d6a61b Mon Sep 17 00:00:00 2001
+From: Bharat Potnuri
+Date: Fri, 15 Jun 2018 20:58:23 +0530
+Subject: [PATCH 1/3] iw_cxgb4: remove duplicate memcpy() in
+ c4iw_create_listen()
+
+memcpy() of mapped addresses is done twice in c4iw_create_listen(),
+removing the duplicate memcpy().
+
+Fixes: 170003c894d9 ("iw_cxgb4: remove port mapper related code")
+Reviewed-by: Steve Wise
+Signed-off-by: Potnuri Bharat Teja
+Signed-off-by: Jason Gunthorpe
+---
+ drivers/infiniband/hw/cxgb4/cm.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/drivers/infiniband/hw/cxgb4/cm.c b/drivers/infiniband/hw/cxgb4/cm.c
+index a924b05..569121e 100644
+--- a/drivers/infiniband/hw/cxgb4/cm.c
++++ b/drivers/infiniband/hw/cxgb4/cm.c
+@@ -3482,9 +3482,6 @@ int c4iw_create_listen(struct iw_cm_id *cm_id, int backlog)
+ }
+ insert_handle(dev, &dev->stid_idr, ep, ep->stid);
+
+- memcpy(&ep->com.local_addr, &cm_id->m_local_addr,
+- sizeof(ep->com.local_addr));
+-
+ state_set(&ep->com, LISTEN);
+ if (ep->com.local_addr.ss_family == AF_INET)
+ err = create_server4(dev, ep);
+--
+1.8.3.1
+
diff --git a/linux-next-cherry-picks/0048-iw_cxgb4-correctly-enforce-the-max-reg_mr-depth.patch b/linux-next-cherry-picks/0048-iw_cxgb4-correctly-enforce-the-max-reg_mr-depth.patch
new file mode 100644
index 0000000..a1bcc26
--- /dev/null
+++ b/linux-next-cherry-picks/0048-iw_cxgb4-correctly-enforce-the-max-reg_mr-depth.patch
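Review bot: None of the three added patch files records the upstream commit it was taken from. The `From da310c6000c8…` line in 0047 (likewise `From b6890bd13234…` in 0048 and `From b10155900107…` in 0050) does not match the abbreviated ids `3cba33d`, `7b72717` and `308aa2b` given in the outer commit message, so it appears to be a local re-commit id. Someone auditing this backport cannot check a carried diff against upstream from the patch file alone, and a 7-character abbreviation is a weak reference to pin a security fix to. I would add a trailer to each patch's message, e.g. `(cherry picked from commit <full upstream sha>)`, with the full 40-character id.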
@@ -0,0 +1,34 @@
+From b6890bd132343763a69ab24547d277555c17adc4 Mon Sep 17 00:00:00 2001
+From: Steve Wise
+Date: Thu, 21 Jun 2018 07:43:21 -0700
+Subject: [PATCH 2/3] iw_cxgb4: correctly enforce the max reg_mr depth
+
+The code was mistakenly using the length of the page array memory instead
+of the depth of the page array.
+
+This would cause MR creation to fail in some cases.
+
+Fixes: 8376b86de7d3 ("iw_cxgb4: Support the new memory registration API")
+Cc: stable@vger.kernel.org
+Signed-off-by: Steve Wise
+Signed-off-by: Jason Gunthorpe
+---
+ drivers/infiniband/hw/cxgb4/mem.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/hw/cxgb4/mem.c b/drivers/infiniband/hw/cxgb4/mem.c
+index 6874cf2..0bdae67 100644
+--- a/drivers/infiniband/hw/cxgb4/mem.c
++++ b/drivers/infiniband/hw/cxgb4/mem.c
+@@ -784,7 +784,7 @@ static int c4iw_set_page(struct ib_mr *ibmr, u64 addr)
+ {
+ struct c4iw_mr *mhp = to_c4iw_mr(ibmr);
+
+- if (unlikely(mhp->mpl_len == mhp->max_mpl_len))
++ if (unlikely(mhp->mpl_len == mhp->attr.pbl_size))
+ return -ENOMEM;
+
+ mhp->mpl[mhp->mpl_len++] = addr;
+--
+1.8.3.1
+
diff --git a/linux-next-cherry-picks/0050-iw_cxgb4-only-allow-1-flush-on-user-qps.patch b/linux-next-cherry-picks/0050-iw_cxgb4-only-allow-1-flush-on-user-qps.patch
new file mode 100644
index 0000000..3cad70f
--- /dev/null
+++ b/linux-next-cherry-picks/0050-iw_cxgb4-only-allow-1-flush-on-user-qps.patch
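Review bot: In 0048 the guard in c4iw_set_page() is still an equality test, `mhp->mpl_len == mhp->attr.pbl_size`, sitting directly before the unchecked store `mhp->mpl[mhp->mpl_len++] = addr;`. If mpl_len is ever above pbl_size on entry, the test is skipped and the store lands past the page list; whether that can happen depends on how `mpl` is sized and where `mpl_len` is reset, neither of which is visible in this hunk. Because this tree applies the patch to a backported base, it is worth confirming that `attr.pbl_size` there holds the number of entries `mpl` was allocated for. A fail-closed form would be `if (unlikely(mhp->mpl_len >= mhp->attr.pbl_size))`. The function body continues outside the hunk.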
@@ -0,0 +1,55 @@
+From b10155900107d299d0b1f55ab21c02e3f663d53e Mon Sep 17 00:00:00 2001
+From: Steve Wise
+Date: Fri, 31 Aug 2018 07:15:56 -0700
+Subject: [PATCH 3/3] iw_cxgb4: only allow 1 flush on user qps
+
+Once the qp has been flushed, it cannot be flushed again. The user qp
+flush logic wasn't enforcing it however. The bug can cause
+touch-after-free crashes like:
+
+Unable to handle kernel paging request for data at address 0x000001ec
+Faulting instruction address: 0xc008000016069100
+Oops: Kernel access of bad area, sig: 11 [#1]
+...
+NIP [c008000016069100] flush_qp+0x80/0x480 [iw_cxgb4]
+LR [c00800001606cd6c] c4iw_modify_qp+0x71c/0x11d0 [iw_cxgb4]
+Call Trace:
+[c00800001606cd6c] c4iw_modify_qp+0x71c/0x11d0 [iw_cxgb4]
+[c00800001606e868] c4iw_ib_modify_qp+0x118/0x200 [iw_cxgb4]
+[c0080000119eae80] ib_security_modify_qp+0xd0/0x3d0 [ib_core]
+[c0080000119c4e24] ib_modify_qp+0xc4/0x2c0 [ib_core]
+[c008000011df0284] iwcm_modify_qp_err+0x44/0x70 [iw_cm]
+[c008000011df0fec] destroy_cm_id+0xcc/0x370 [iw_cm]
+[c008000011ed4358] rdma_destroy_id+0x3c8/0x520 [rdma_cm]
+[c0080000134b0540] ucma_close+0x90/0x1b0 [rdma_ucm]
+[c000000000444da4] __fput+0xe4/0x2f0
+
+So fix flush_qp() to only flush the wq once.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Steve Wise
+Signed-off-by: Jason Gunthorpe
+---
+ drivers/infiniband/hw/cxgb4/qp.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/infiniband/hw/cxgb4/qp.c b/drivers/infiniband/hw/cxgb4/qp.c
+index f3f13fc..286c2a2 100644
+--- a/drivers/infiniband/hw/cxgb4/qp.c
++++ b/drivers/infiniband/hw/cxgb4/qp.c
+@@ -1394,6 +1394,12 @@ static void flush_qp(struct c4iw_qp *qhp)
+ schp = to_c4iw_cq(qhp->ibqp.send_cq);
+
+ if (qhp->ibqp.uobject) {
++
++ /* for user qps, qhp->wq.flushed is protected by qhp->mutex */
++ if (qhp->wq.flushed)
++ return;
++
++ qhp->wq.flushed = 1;
+ t4_set_wq_in_error(&qhp->wq);
+ t4_set_cq_in_error(&rchp->cq);
+ spin_lock_irqsave(&rchp->comp_handler_lock, flag);
+--
+1.8.3.1
+
--
2.41.0
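Review bot: In 0050 the new test-and-set of `qhp->wq.flushed` in the user-QP branch of flush_qp() is race-free only if every caller holds `qhp->mutex`, which the added comment states but nothing checks. The callers are outside the hunk (the quoted trace reaches flush_qp() through c4iw_modify_qp()), so I would make the requirement enforceable with `lockdep_assert_held(&qhp->mutex);` at the top of the `if (qhp->ibqp.uobject)` block. Two flushes that both pass the check would bring back the touch-after-free the commit message describes. flush_qp() starts and ends outside the hunk.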