Commit f3d4c89e authored by Roland Dreier's avatar Roland Dreier

mlx4_core: Fix crash on uninitialized priv->cmd.slave_sem

On an SR-IOV master device, __mlx4_init_one() calls mlx4_init_hca()
before mlx4_multi_func_init().  However, for unlucky configurations,
mlx4_init_hca() might call mlx4_SENSE_PORT() (via mlx4_dev_cap()), and
that calls mlx4_cmd_imm() with MLX4_CMD_WRAPPED set.

However, on a multifunction device with MLX4_CMD_WRAPPED, __mlx4_cmd()
calls into mlx4_slave_cmd(), and that immediately tries to do

	down(&priv->cmd.slave_sem);

but priv->cmd.slave_sem isn't initialized until mlx4_multi_func_init()
(which we haven't called yet).  The next thing it tries to do is access
priv->mfunc.vhcr, but that hasn't been allocated yet.

Fix this by moving the initialization of slave_sem and vhcr up into
mlx4_cmd_init(). Also, since slave_sem is really just being used as a
mutex, convert it into a slave_cmd_mutex.
Signed-off-by: default avatarRoland Dreier <roland@purestorage.com>
parent 84b1f153
...@@ -395,7 +395,8 @@ static int mlx4_slave_cmd(struct mlx4_dev *dev, u64 in_param, u64 *out_param, ...@@ -395,7 +395,8 @@ static int mlx4_slave_cmd(struct mlx4_dev *dev, u64 in_param, u64 *out_param,
struct mlx4_vhcr_cmd *vhcr = priv->mfunc.vhcr; struct mlx4_vhcr_cmd *vhcr = priv->mfunc.vhcr;
int ret; int ret;
down(&priv->cmd.slave_sem); mutex_lock(&priv->cmd.slave_cmd_mutex);
vhcr->in_param = cpu_to_be64(in_param); vhcr->in_param = cpu_to_be64(in_param);
vhcr->out_param = out_param ? cpu_to_be64(*out_param) : 0; vhcr->out_param = out_param ? cpu_to_be64(*out_param) : 0;
vhcr->in_modifier = cpu_to_be32(in_modifier); vhcr->in_modifier = cpu_to_be32(in_modifier);
...@@ -403,6 +404,7 @@ static int mlx4_slave_cmd(struct mlx4_dev *dev, u64 in_param, u64 *out_param, ...@@ -403,6 +404,7 @@ static int mlx4_slave_cmd(struct mlx4_dev *dev, u64 in_param, u64 *out_param,
vhcr->token = cpu_to_be16(CMD_POLL_TOKEN); vhcr->token = cpu_to_be16(CMD_POLL_TOKEN);
vhcr->status = 0; vhcr->status = 0;
vhcr->flags = !!(priv->cmd.use_events) << 6; vhcr->flags = !!(priv->cmd.use_events) << 6;
if (mlx4_is_master(dev)) { if (mlx4_is_master(dev)) {
ret = mlx4_master_process_vhcr(dev, dev->caps.function, vhcr); ret = mlx4_master_process_vhcr(dev, dev->caps.function, vhcr);
if (!ret) { if (!ret) {
...@@ -439,7 +441,8 @@ static int mlx4_slave_cmd(struct mlx4_dev *dev, u64 in_param, u64 *out_param, ...@@ -439,7 +441,8 @@ static int mlx4_slave_cmd(struct mlx4_dev *dev, u64 in_param, u64 *out_param,
mlx4_err(dev, "failed execution of VHCR_POST command" mlx4_err(dev, "failed execution of VHCR_POST command"
"opcode 0x%x\n", op); "opcode 0x%x\n", op);
} }
up(&priv->cmd.slave_sem);
mutex_unlock(&priv->cmd.slave_cmd_mutex);
return ret; return ret;
} }
...@@ -1559,14 +1562,15 @@ static void mlx4_master_do_cmd(struct mlx4_dev *dev, int slave, u8 cmd, ...@@ -1559,14 +1562,15 @@ static void mlx4_master_do_cmd(struct mlx4_dev *dev, int slave, u8 cmd,
if ((slave_state[slave].last_cmd != MLX4_COMM_CMD_VHCR_EN) && if ((slave_state[slave].last_cmd != MLX4_COMM_CMD_VHCR_EN) &&
(slave_state[slave].last_cmd != MLX4_COMM_CMD_VHCR_POST)) (slave_state[slave].last_cmd != MLX4_COMM_CMD_VHCR_POST))
goto reset_slave; goto reset_slave;
down(&priv->cmd.slave_sem);
mutex_lock(&priv->cmd.slave_cmd_mutex);
if (mlx4_master_process_vhcr(dev, slave, NULL)) { if (mlx4_master_process_vhcr(dev, slave, NULL)) {
mlx4_err(dev, "Failed processing vhcr for slave:%d," mlx4_err(dev, "Failed processing vhcr for slave:%d,"
" resetting slave.\n", slave); " resetting slave.\n", slave);
up(&priv->cmd.slave_sem); mutex_unlock(&priv->cmd.slave_cmd_mutex);
goto reset_slave; goto reset_slave;
} }
up(&priv->cmd.slave_sem); mutex_unlock(&priv->cmd.slave_cmd_mutex);
break; break;
default: default:
mlx4_warn(dev, "Bad comm cmd:%d from slave:%d\n", cmd, slave); mlx4_warn(dev, "Bad comm cmd:%d from slave:%d\n", cmd, slave);
...@@ -1707,14 +1711,6 @@ int mlx4_multi_func_init(struct mlx4_dev *dev) ...@@ -1707,14 +1711,6 @@ int mlx4_multi_func_init(struct mlx4_dev *dev)
struct mlx4_slave_state *s_state; struct mlx4_slave_state *s_state;
int i, j, err, port; int i, j, err, port;
priv->mfunc.vhcr = dma_alloc_coherent(&(dev->pdev->dev), PAGE_SIZE,
&priv->mfunc.vhcr_dma,
GFP_KERNEL);
if (!priv->mfunc.vhcr) {
mlx4_err(dev, "Couldn't allocate vhcr.\n");
return -ENOMEM;
}
if (mlx4_is_master(dev)) if (mlx4_is_master(dev))
priv->mfunc.comm = priv->mfunc.comm =
ioremap(pci_resource_start(dev->pdev, priv->fw.comm_bar) + ioremap(pci_resource_start(dev->pdev, priv->fw.comm_bar) +
...@@ -1777,7 +1773,6 @@ int mlx4_multi_func_init(struct mlx4_dev *dev) ...@@ -1777,7 +1773,6 @@ int mlx4_multi_func_init(struct mlx4_dev *dev)
if (mlx4_init_resource_tracker(dev)) if (mlx4_init_resource_tracker(dev))
goto err_thread; goto err_thread;
sema_init(&priv->cmd.slave_sem, 1);
err = mlx4_ARM_COMM_CHANNEL(dev); err = mlx4_ARM_COMM_CHANNEL(dev);
if (err) { if (err) {
mlx4_err(dev, " Failed to arm comm channel eq: %x\n", mlx4_err(dev, " Failed to arm comm channel eq: %x\n",
...@@ -1791,8 +1786,6 @@ int mlx4_multi_func_init(struct mlx4_dev *dev) ...@@ -1791,8 +1786,6 @@ int mlx4_multi_func_init(struct mlx4_dev *dev)
mlx4_err(dev, "Couldn't sync toggles\n"); mlx4_err(dev, "Couldn't sync toggles\n");
goto err_comm; goto err_comm;
} }
sema_init(&priv->cmd.slave_sem, 1);
} }
return 0; return 0;
...@@ -1822,6 +1815,7 @@ int mlx4_cmd_init(struct mlx4_dev *dev) ...@@ -1822,6 +1815,7 @@ int mlx4_cmd_init(struct mlx4_dev *dev)
struct mlx4_priv *priv = mlx4_priv(dev); struct mlx4_priv *priv = mlx4_priv(dev);
mutex_init(&priv->cmd.hcr_mutex); mutex_init(&priv->cmd.hcr_mutex);
mutex_init(&priv->cmd.slave_cmd_mutex);
sema_init(&priv->cmd.poll_sem, 1); sema_init(&priv->cmd.poll_sem, 1);
priv->cmd.use_events = 0; priv->cmd.use_events = 0;
priv->cmd.toggle = 1; priv->cmd.toggle = 1;
...@@ -1838,14 +1832,30 @@ int mlx4_cmd_init(struct mlx4_dev *dev) ...@@ -1838,14 +1832,30 @@ int mlx4_cmd_init(struct mlx4_dev *dev)
} }
} }
if (mlx4_is_mfunc(dev)) {
priv->mfunc.vhcr = dma_alloc_coherent(&(dev->pdev->dev), PAGE_SIZE,
&priv->mfunc.vhcr_dma,
GFP_KERNEL);
if (!priv->mfunc.vhcr) {
mlx4_err(dev, "Couldn't allocate VHCR.\n");
goto err_hcr;
}
}
priv->cmd.pool = pci_pool_create("mlx4_cmd", dev->pdev, priv->cmd.pool = pci_pool_create("mlx4_cmd", dev->pdev,
MLX4_MAILBOX_SIZE, MLX4_MAILBOX_SIZE,
MLX4_MAILBOX_SIZE, 0); MLX4_MAILBOX_SIZE, 0);
if (!priv->cmd.pool) if (!priv->cmd.pool)
goto err_hcr; goto err_vhcr;
return 0; return 0;
err_vhcr:
if (mlx4_is_mfunc(dev))
dma_free_coherent(&(dev->pdev->dev), PAGE_SIZE,
priv->mfunc.vhcr, priv->mfunc.vhcr_dma);
priv->mfunc.vhcr = NULL;
err_hcr: err_hcr:
if (!mlx4_is_slave(dev)) if (!mlx4_is_slave(dev))
iounmap(priv->cmd.hcr); iounmap(priv->cmd.hcr);
...@@ -1868,9 +1878,6 @@ void mlx4_multi_func_cleanup(struct mlx4_dev *dev) ...@@ -1868,9 +1878,6 @@ void mlx4_multi_func_cleanup(struct mlx4_dev *dev)
} }
iounmap(priv->mfunc.comm); iounmap(priv->mfunc.comm);
dma_free_coherent(&(dev->pdev->dev), PAGE_SIZE,
priv->mfunc.vhcr, priv->mfunc.vhcr_dma);
priv->mfunc.vhcr = NULL;
} }
void mlx4_cmd_cleanup(struct mlx4_dev *dev) void mlx4_cmd_cleanup(struct mlx4_dev *dev)
...@@ -1881,6 +1888,10 @@ void mlx4_cmd_cleanup(struct mlx4_dev *dev) ...@@ -1881,6 +1888,10 @@ void mlx4_cmd_cleanup(struct mlx4_dev *dev)
if (!mlx4_is_slave(dev)) if (!mlx4_is_slave(dev))
iounmap(priv->cmd.hcr); iounmap(priv->cmd.hcr);
if (mlx4_is_mfunc(dev))
dma_free_coherent(&(dev->pdev->dev), PAGE_SIZE,
priv->mfunc.vhcr, priv->mfunc.vhcr_dma);
priv->mfunc.vhcr = NULL;
} }
/* /*
......
...@@ -1159,10 +1159,10 @@ static void mlx4_slave_exit(struct mlx4_dev *dev) ...@@ -1159,10 +1159,10 @@ static void mlx4_slave_exit(struct mlx4_dev *dev)
{ {
struct mlx4_priv *priv = mlx4_priv(dev); struct mlx4_priv *priv = mlx4_priv(dev);
down(&priv->cmd.slave_sem); mutex_lock(&priv->cmd.slave_cmd_mutex);
if (mlx4_comm_cmd(dev, MLX4_COMM_CMD_RESET, 0, MLX4_COMM_TIME)) if (mlx4_comm_cmd(dev, MLX4_COMM_CMD_RESET, 0, MLX4_COMM_TIME))
mlx4_warn(dev, "Failed to close slave function.\n"); mlx4_warn(dev, "Failed to close slave function.\n");
up(&priv->cmd.slave_sem); mutex_unlock(&priv->cmd.slave_cmd_mutex);
} }
static int map_bf_area(struct mlx4_dev *dev) static int map_bf_area(struct mlx4_dev *dev)
...@@ -1214,7 +1214,7 @@ static int mlx4_init_slave(struct mlx4_dev *dev) ...@@ -1214,7 +1214,7 @@ static int mlx4_init_slave(struct mlx4_dev *dev)
u32 slave_read; u32 slave_read;
u32 cmd_channel_ver; u32 cmd_channel_ver;
down(&priv->cmd.slave_sem); mutex_lock(&priv->cmd.slave_cmd_mutex);
priv->cmd.max_cmds = 1; priv->cmd.max_cmds = 1;
mlx4_warn(dev, "Sending reset\n"); mlx4_warn(dev, "Sending reset\n");
ret_from_reset = mlx4_comm_cmd(dev, MLX4_COMM_CMD_RESET, 0, ret_from_reset = mlx4_comm_cmd(dev, MLX4_COMM_CMD_RESET, 0,
...@@ -1263,12 +1263,13 @@ static int mlx4_init_slave(struct mlx4_dev *dev) ...@@ -1263,12 +1263,13 @@ static int mlx4_init_slave(struct mlx4_dev *dev)
goto err; goto err;
if (mlx4_comm_cmd(dev, MLX4_COMM_CMD_VHCR_EN, dma, MLX4_COMM_TIME)) if (mlx4_comm_cmd(dev, MLX4_COMM_CMD_VHCR_EN, dma, MLX4_COMM_TIME))
goto err; goto err;
up(&priv->cmd.slave_sem);
mutex_unlock(&priv->cmd.slave_cmd_mutex);
return 0; return 0;
err: err:
mlx4_comm_cmd(dev, MLX4_COMM_CMD_RESET, 0, 0); mlx4_comm_cmd(dev, MLX4_COMM_CMD_RESET, 0, 0);
up(&priv->cmd.slave_sem); mutex_unlock(&priv->cmd.slave_cmd_mutex);
return -EIO; return -EIO;
} }
......
...@@ -513,9 +513,9 @@ struct mlx4_cmd { ...@@ -513,9 +513,9 @@ struct mlx4_cmd {
struct pci_pool *pool; struct pci_pool *pool;
void __iomem *hcr; void __iomem *hcr;
struct mutex hcr_mutex; struct mutex hcr_mutex;
struct mutex slave_cmd_mutex;
struct semaphore poll_sem; struct semaphore poll_sem;
struct semaphore event_sem; struct semaphore event_sem;
struct semaphore slave_sem;
int max_cmds; int max_cmds;
spinlock_t context_lock; spinlock_t context_lock;
int free_head; int free_head;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment