1. 21 Mar, 2018 2 commits
  2. 14 Mar, 2018 4 commits
    • Arnd Bergmann's avatar
      infiniband: bnxt_re: use BIT_ULL() for 64-bit bit masks · bd8602ca
      Arnd Bergmann authored
      On 32-bit targets, we otherwise get a warning about an impossible constant
      integer expression:
      In file included from include/linux/kernel.h:11,
                       from include/linux/interrupt.h:6,
                       from drivers/infiniband/hw/bnxt_re/ib_verbs.c:39:
      drivers/infiniband/hw/bnxt_re/ib_verbs.c: In function 'bnxt_re_query_device':
      include/linux/bitops.h:7:24: error: left shift count >= width of type [-Werror=shift-count-overflow]
       #define BIT(nr)   (1UL << (nr))
      drivers/infiniband/hw/bnxt_re/bnxt_re.h:61:34: note: in expansion of macro 'BIT'
       #define BNXT_RE_MAX_MR_SIZE_HIGH BIT(39)
      drivers/infiniband/hw/bnxt_re/bnxt_re.h:62:30: note: in expansion of macro 'BNXT_RE_MAX_MR_SIZE_HIGH'
      drivers/infiniband/hw/bnxt_re/ib_verbs.c:149:25: note: in expansion of macro 'BNXT_RE_MAX_MR_SIZE'
        ib_attr->max_mr_size = BNXT_RE_MAX_MR_SIZE;
      Fixes: 872f3578
       ("RDMA/bnxt_re: Add support for MRs with Huge pages")
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Signed-off-by: default avatarJason Gunthorpe <jgg@mellanox.com>
    • Arnd Bergmann's avatar
      infiniband: qplib_fp: fix pointer cast · 5388a508
      Arnd Bergmann authored
      Building for a 32-bit target results in a couple of warnings from casting
      between a 32-bit pointer and a 64-bit integer:
      drivers/infiniband/hw/bnxt_re/qplib_fp.c: In function 'bnxt_qplib_service_nq':
      drivers/infiniband/hw/bnxt_re/qplib_fp.c:333:23: error: cast to pointer from integer of different size [-Werror=int-to-pointer-cast]
          bnxt_qplib_arm_srq((struct bnxt_qplib_srq *)q_handle,
      drivers/infiniband/hw/bnxt_re/qplib_fp.c:336:12: error: cast to pointer from integer of different size [-Werror=int-to-pointer-cast]
                  (struct bnxt_qplib_srq *)q_handle,
      In file included from include/linux/byteorder/little_endian.h:5,
                       from arch/arm/include/uapi/asm/byteorder.h:22,
                       from include/asm-generic/bitops/le.h:6,
                       from arch/arm/include/asm/bitops.h:342,
                       from include/linux/bitops.h:38,
                       from include/linux/kernel.h:11,
                       from include/linux/interrupt.h:6,
                       from drivers/infiniband/hw/bnxt_re/qplib_fp.c:39:
      drivers/infiniband/hw/bnxt_re/qplib_fp.c: In function 'bnxt_qplib_create_srq':
      include/uapi/linux/byteorder/little_endian.h:31:43: error: cast from pointer to integer of different size [-Werror=pointer-to-int-cast]
       #define __cpu_to_le64(x) ((__force __le64)(__u64)(x))
      include/linux/byteorder/generic.h:86:21: note: in expansion of macro '__cpu_to_le64'
       #define cpu_to_le64 __cpu_to_le64
      drivers/infiniband/hw/bnxt_re/qplib_fp.c:569:19: note: in expansion of macro 'cpu_to_le64'
        req.srq_handle = cpu_to_le64(srq);
      Using a uintptr_t as an intermediate works on all architectures.
      Fixes: 37cb11ac
       ("RDMA/bnxt_re: Add SRQ support for Broadcom adapters")
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Signed-off-by: default avatarJason Gunthorpe <jgg@mellanox.com>
    • Mark Bloch's avatar
      IB/mlx5: Fix cleanup order on unload · 42cea83f
      Mark Bloch authored
      On load we create private CQ/QP/PD in order to be used by UMR, we create
      those resources after we register ourself as an IB device, and we destroy
      them after we unregister as an IB device. This was changed by commit
      16c1975f ("IB/mlx5: Create profile infrastructure to add and remove
      stages") which moved the destruction before we unregistration. This
      allowed to trigger an invalid memory access when unloading mlx5_ib while
      there are open resources:
      BUG: unable to handle kernel paging request at 00000001002c012c
      Call Trace:
       mlx5_ib_post_send_wait+0x75/0x110 [mlx5_ib]
       delay_time_func+0x10/0x10 [mlx5_ib]
       unreg_umr.isra.15+0x4b/0x50 [mlx5_ib]
       mlx5_mr_cache_free+0x46/0x150 [mlx5_ib]
       clean_mr+0xc9/0x190 [mlx5_ib]
       dereg_mr+0xba/0xf0 [mlx5_ib]
       ib_dereg_mr+0x13/0x20 [ib_core]
       remove_commit_idr_uobject+0x16/0x70 [ib_uverbs]
       uverbs_cleanup_ucontext+0xe8/0x1a0 [ib_uverbs]
       ib_uverbs_cleanup_ucontext.isra.9+0x19/0x40 [ib_uverbs]
       ib_uverbs_remove_one+0x162/0x2e0 [ib_uverbs]
       ib_unregister_device+0xd4/0x190 [ib_core]
       __mlx5_ib_remove+0x2e/0x40 [mlx5_ib]
       mlx5_remove_device+0xf5/0x120 [mlx5_core]
       mlx5_unregister_interface+0x37/0x90 [mlx5_core]
       mlx5_ib_cleanup+0xc/0x225 [mlx5_ib]
      We restore the original behavior by breaking the UMR stage into two parts,
      pre and post IB registration stages, this way we can restore the original
      functionality and maintain clean separation of logic between stages.
      Fixes: 16c1975f
       ("IB/mlx5: Create profile infrastructure to add and remove stages")
      Signed-off-by: default avatarMark Bloch <markb@mellanox.com>
      Signed-off-by: default avatarLeon Romanovsky <leonro@mellanox.com>
      Signed-off-by: default avatarDoug Ledford <dledford@redhat.com>
    • Leon Romanovsky's avatar
      RDMA/mlx5: Fix crash while accessing garbage pointer and freed memory · f3f134f5
      Leon Romanovsky authored
      The failure in rereg_mr flow caused to set garbage value (error value)
      into mr->umem pointer. This pointer is accessed at the release stage
      and it causes to the following crash.
      There is not enough to simply change umem to point to NULL, because the
      MR struct is needed to be accessed during MR deregistration phase, so
      delay kfree too.
      [    6.237617] BUG: unable to handle kernel NULL pointer dereference a 0000000000000228
      [    6.238756] IP: ib_dereg_mr+0xd/0x30
      [    6.239264] PGD 80000000167eb067 P4D 80000000167eb067 PUD 167f9067 PMD 0
      [    6.240320] Oops: 0000 [#1] SMP PTI
      [    6.240782] CPU: 0 PID: 367 Comm: dereg Not tainted 4.16.0-rc1-00029-gc198fafe0453 #183
      [    6.242120] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.7.5-0-ge51488c-20140602_164612-nilsson.home.kraxel.org 04/01/2014
      [    6.244504] RIP: 0010:ib_dereg_mr+0xd/0x30
      [    6.245253] RSP: 0018:ffffaf5d001d7d68 EFLAGS: 00010246
      [    6.246100] RAX: 0000000000000000 RBX: ffff95d4172daf00 RCX: 0000000000000000
      [    6.247414] RDX: 00000000ffffffff RSI: 0000000000000001 RDI: ffff95d41a317600
      [    6.248591] RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000
      [    6.249810] R10: ffff95d417033c10 R11: 0000000000000000 R12: ffff95d4172c3a80
      [    6.251121] R13: ffff95d4172c3720 R14: ffff95d4172c3a98 R15: 00000000ffffffff
      [    6.252437] FS:  0000000000000000(0000) GS:ffff95d41fc00000(0000) knlGS:0000000000000000
      [    6.253887] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [    6.254814] CR2: 0000000000000228 CR3: 00000000172b4000 CR4: 00000000000006b0
      [    6.255943] Call Trace:
      [    6.256368]  remove_commit_idr_uobject+0x1b/0x80
      [    6.257118]  uverbs_cleanup_ucontext+0xe4/0x190
      [    6.257855]  ib_uverbs_cleanup_ucontext.constprop.14+0x19/0x40
      [    6.258857]  ib_uverbs_close+0x2a/0x100
      [    6.259494]  __fput+0xca/0x1c0
      [    6.259938]  task_work_run+0x84/0xa0
      [    6.260519]  do_exit+0x312/0xb40
      [    6.261023]  ? __do_page_fault+0x24d/0x490
      [    6.261707]  do_group_exit+0x3a/0xa0
      [    6.262267]  SyS_exit_group+0x10/0x10
      [    6.262802]  do_syscall_64+0x75/0x180
      [    6.263391]  entry_SYSCALL_64_after_hwframe+0x21/0x86
      [    6.264253] RIP: 0033:0x7f1b39c49488
      [    6.264827] RSP: 002b:00007ffe2de05b68 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
      [    6.266049] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f1b39c49488
      [    6.267187] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
      [    6.268377] RBP: 00007f1b39f258e0 R08: 00000000000000e7 R09: ffffffffffffff98
      [    6.269640] R10: 00007f1b3a147260 R11: 0000000000000246 R12: 00007f1b39f258e0
      [    6.270783] R13: 00007f1b39f2ac20 R14: 0000000000000000 R15: 0000000000000000
      [    6.271943] Code: 74 07 31 d2 e9 25 d8 6c 00 b8 da ff ff ff c3 0f 1f
      44 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 8b 07 53 48 8b
      5f 08 <48> 8b 80 28 02 00 00 e8 f7 d7 6c 00 85 c0 75 04 3e ff 4b 18 5b
      [    6.274927] RIP: ib_dereg_mr+0xd/0x30 RSP: ffffaf5d001d7d68
      [    6.275760] CR2: 0000000000000228
      [    6.276200] ---[ end trace a35641f1c474bd20 ]---
      Fixes: e126ba97
       ("mlx5: Add driver for Mellanox Connect-IB adapters")
      Cc: syzkaller <syzkaller@googlegroups.com>
      Cc: <stable@vger.kernel.org>
      Reported-by: default avatarNoa Osherovich <noaos@mellanox.com>
      Signed-off-by: default avatarLeon Romanovsky <leonro@mellanox.com>
      Signed-off-by: default avatarDoug Ledford <dledford@redhat.com>
  3. 13 Mar, 2018 2 commits
    • Boris Pismenny's avatar
      IB/mlx5: Fix integer overflows in mlx5_ib_create_srq · c2b37f76
      Boris Pismenny authored
      This patch validates user provided input to prevent integer overflow due
      to integer manipulation in the mlx5_ib_create_srq function.
      Cc: syzkaller <syzkaller@googlegroups.com>
      Fixes: e126ba97
       ("mlx5: Add driver for Mellanox Connect-IB adapters")
      Signed-off-by: default avatarBoris Pismenny <borisp@mellanox.com>
      Signed-off-by: default avatarLeon Romanovsky <leon@kernel.org>
      Signed-off-by: default avatarDoug Ledford <dledford@redhat.com>
    • Boris Pismenny's avatar
      IB/mlx5: Fix out-of-bounds read in create_raw_packet_qp_rq · 2c292dbb
      Boris Pismenny authored
      Add a check for the length of the qpin structure to prevent out-of-bounds reads
      BUG: KASAN: slab-out-of-bounds in create_raw_packet_qp+0x114c/0x15e2
      Read of size 8192 at addr ffff880066b99290 by task syz-executor3/549
      CPU: 3 PID: 549 Comm: syz-executor3 Not tainted 4.15.0-rc2+ #27 Hardware
      name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.7.5-0-ge51488c-20140602_164612-nilsson.home.kraxel.org 04/01/2014
      Call Trace:
       ? create_raw_packet_qp+0x114c/0x15e2
       ? create_raw_packet_qp_tis.isra.28+0x13d/0x13d
       ? lock_acquire+0x370/0x370
       ? destroy_qp_user.isra.47+0x100/0x100
       ? kasan_kmalloc+0x13d/0x170
       ? sched_clock_cpu+0x18/0x180
       ? fs_reclaim_acquire.part.15+0x5/0x30
       ? __lock_acquire+0xa11/0x1da0
       ? sched_clock_cpu+0x18/0x180
       ? kmem_cache_alloc_trace+0x17e/0x310
       ? mlx5_ib_create_qp+0x30e/0x17b0
       ? sched_clock_cpu+0x18/0x180
       ? create_qp_common+0x3b50/0x3b50
       ? lock_acquire+0x370/0x370
       ? __radix_tree_lookup+0x180/0x220
       ? uverbs_try_lock_object+0x68/0xc0
       ? rdma_lookup_get_uobject+0x114/0x240
       ? ib_uverbs_ex_create_cq_cb+0xa0/0xa0
       ? copy_ah_attr_from_uverbs.isra.2+0xa00/0xa00
       ? ib_uverbs_cq_event_handler+0x160/0x160
       ? __might_fault+0x17c/0x1c0
       ? ib_uverbs_destroy_cq+0x2e0/0x2e0
       ? ib_uverbs_destroy_cq+0x2e0/0x2e0
       ? ib_uverbs_destroy_cq+0x2e0/0x2e0
       ? ib_uverbs_open+0x760/0x760
       ? futex_wake+0x147/0x410
       ? check_prev_add+0x1680/0x1680
       ? do_futex+0x3d3/0xa60
       ? sched_clock_cpu+0x18/0x180
       ? ib_uverbs_open+0x760/0x760
       ? kernel_read+0x110/0x110
       ? lock_acquire+0x370/0x370
       ? __fget+0x264/0x3b0
       ? SyS_read+0x1a0/0x1a0
       ? trace_hardirqs_on_thunk+0x1a/0x1c
      RIP: 0033:0x4477b9
      RSP: 002b:00007f1822cadc18 EFLAGS: 00000292 ORIG_RAX: 0000000000000001
      RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 00000000004477b9
      RDX: 0000000000000070 RSI: 000000002000a000 RDI: 0000000000000005
      RBP: 0000000000708000 R08: 0000000000000000 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000292 R12: 00000000ffffffff
      R13: 0000000000005d70 R14: 00000000006e6e30 R15: 0000000020010ff0
      Allocated by task 549:
      Freed by task 368:
      The buggy address belongs to the object at ffff880066b99180  which
      belongs to the cache kmalloc-512 of size 512 The buggy address is
      located 272 bytes inside of  512-byte region [ffff880066b99180,
      ffff880066b99380) The buggy address belongs to the page:
      page:000000006040eedd count:1 mapcount:0 mapping:          (null)
      index:0x0 compound_mapcount: 0
      flags: 0x4000000000008100(slab|head)
      raw: 4000000000008100 0000000000000000 0000000000000000 0000000180190019
      raw: ffffea00019a7500 0000000b0000000b ffff88006c403080 0000000000000000
      page dumped because: kasan: bad access detected
      Memory state around the buggy address:
       ffff880066b99180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
       ffff880066b99200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      >ffff880066b99280: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
       ffff880066b99300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
       ffff880066b99380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
      Cc: syzkaller <syzkaller@googlegroups.com>
      Fixes: 0fb2ed66
       ("IB/mlx5: Add create and destroy functionality for Raw Packet QP")
      Signed-off-by: default avatarBoris Pismenny <borisp@mellanox.com>
      Signed-off-by: default avatarLeon Romanovsky <leon@kernel.org>
      Signed-off-by: default avatarDoug Ledford <dledford@redhat.com>
  4. 09 Mar, 2018 2 commits
    • Leon Romanovsky's avatar
      RDMA/mlx5: Fix integer overflow while resizing CQ · 28e9091e
      Leon Romanovsky authored
      The user can provide very large cqe_size which will cause to integer
      overflow as it can be seen in the following UBSAN warning:
      UBSAN: Undefined behaviour in drivers/infiniband/hw/mlx5/cq.c:1192:53
      signed integer overflow:
      64870 * 65536 cannot be represented in type 'int'
      CPU: 0 PID: 267 Comm: syzkaller605279 Not tainted 4.15.0+ #90 Hardware
      name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
      rel-1.7.5-0-ge51488c-20140602_164612-nilsson.home.kraxel.org 04/01/2014
      Call Trace:
       ? dma_virt_map_sg+0x22c/0x22c
       ? __ubsan_handle_negate_overflow+0x19b/0x19b
       ? lock_acquire+0x440/0x440
       ? cyc2ns_read_end+0x10/0x10
       ? native_read_msr_safe+0x6c/0x9b
       ? cyc2ns_read_end+0x10/0x10
       ? mlx5_ib_modify_cq+0x220/0x220
       ? sched_clock_cpu+0x18/0x200
       ? lookup_get_idr_uobject+0x200/0x200
       ? rdma_lookup_get_uobject+0x145/0x2f0
       ? ib_uverbs_ex_create_cq+0x250/0x250
       ? cyc2ns_read_end+0x10/0x10
       ? print_irqtrace_events+0x280/0x280
       ? ib_uverbs_ex_create_cq+0x250/0x250
       ? uverbs_devnode+0x110/0x110
       ? sched_clock_cpu+0x18/0x200
       ? do_raw_spin_trylock+0x100/0x100
       ? __lru_cache_add+0x16e/0x290
       ? uverbs_devnode+0x110/0x110
       ? kernel_read+0x170/0x170
       ? sched_clock_cpu+0x18/0x200
       ? security_file_permission+0x93/0x260
       ? SyS_read+0x1a0/0x1a0
       ? trace_hardirqs_on_thunk+0x1a/0x1c
      RIP: 0033:0x433549
      RSP: 002b:00007ffe63bd1ea8 EFLAGS: 00000217
      Cc: syzkaller <syzkaller@googlegroups.com>
      Cc: <stable@vger.kernel.org> # 3.13
      Fixes: bde51583
       ("IB/mlx5: Add support for resize CQ")
      Reported-by: default avatarNoa Osherovich <noaos@mellanox.com>
      Reviewed-by: default avatarYishai Hadas <yishaih@mellanox.com>
      Signed-off-by: default avatarLeon Romanovsky <leonro@mellanox.com>
      Signed-off-by: default avatarDoug Ledford <dledford@redhat.com>
    • Doug Ledford's avatar
      Revert "RDMA/mlx5: Fix integer overflow while resizing CQ" · 212a0cbc
      Doug Ledford authored
      The original commit of this patch has a munged log message that is
      missing several of the tags the original author intended to be on the
      patch.  This was due to patchworks misinterpreting a cut-n-paste
      separator line as an end of message line and munging the mbox that was
      used to import the patch:
      The original patch will be reapplied with a fixed commit message so the
      proper tags are applied.
      This reverts commit aa0de36a
      Signed-off-by: default avatarDoug Ledford <dledford@redhat.com>
  5. 07 Mar, 2018 10 commits
  6. 28 Feb, 2018 7 commits
  7. 20 Feb, 2018 5 commits
  8. 15 Feb, 2018 1 commit
  9. 11 Feb, 2018 1 commit
    • Linus Torvalds's avatar
      vfs: do bulk POLL* -> EPOLL* replacement · a9a08845
      Linus Torvalds authored
      This is the mindless scripted replacement of kernel use of POLL*
      variables as described by Al, done by this script:
              L=`git grep -l -w POLL$V | grep -v '^t' | grep -v /um/ | grep -v '^sa' | grep -v '/poll.h$'|grep -v '^D'`
              for f in $L; do sed -i "-es/^\([^\"]*\)\(\<POLL$V\>\)/\\1E\\2/" $f; done
      with de-mangling cleanups yet to come.
      NOTE! On almost all architectures, the EPOLL* constants have the same
      values as the POLL* constants do.  But they keyword here is "almost".
      For various bad reasons they aren't the same, and epoll() doesn't
      actually work quite correctly in some cases due to this on Sparc et al.
      The next patch from Al will sort out the final differences, and we
      should be all done.
      Scripted-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
  10. 05 Feb, 2018 1 commit
    • oulijun's avatar
      RDMA/hns: Fix the endian problem for hns · 8b9b8d14
      oulijun authored
      The hip06 and hip08 run on a little endian ARM, it needs to
      revise the annotations to indicate that the HW uses little
      endian data in the various DMA buffers, and flow the necessary
      swaps throughout.
      The imm_data use big endian mode. The cpu_to_le32/le32_to_cpu
      swaps are no-op for this, which makes the only substantive
      change the handling of imm_data which is now mandatory swapped.
      This also keep match with the userspace hns driver and resolve
      the warning by sparse.
      Signed-off-by: default avatarLijun Ou <oulijun@huawei.com>
      Signed-off-by: default avatarDoug Ledford <dledford@redhat.com>
  11. 01 Feb, 2018 5 commits