1. 08 Aug, 2018 3 commits
    • Leon Romanovsky's avatar
      RDMA/mlx5: Fix shift overflow in mlx5_ib_create_wq · 0dfe4522
      Leon Romanovsky authored
      [   61.182439] UBSAN: Undefined behaviour in drivers/infiniband/hw/mlx5/qp.c:5366:34
      [   61.183673] shift exponent 4294967288 is too large for 32-bit type 'unsigned int'
      [   61.185530] CPU: 0 PID: 639 Comm: qp Not tainted 4.18.0-rc1-00037-g4aa1d69a9c60-dirty #96
      [   61.186981] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-2.fc27 04/01/2014
      [   61.188315] Call Trace:
      [   61.188661]  dump_stack+0xc7/0x13b
      [   61.190427]  ubsan_epilogue+0x9/0x49
      [   61.190899]  __ubsan_handle_shift_out_of_bounds+0x1ea/0x22f
      [   61.197040]  mlx5_ib_create_wq+0x1c99/0x1d50
      [   61.206632]  ib_uverbs_ex_create_wq+0x499/0x820
      [   61.213892]  ib_uverbs_write+0x77e/0xae0
      [   61.248018]  vfs_write+0x121/0x3b0
      [   61.249831]  ksys_write+0xa1/0x120
      [   61.254024]  do_syscall_64+0x7c/0x2a0
      [   61.256178]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
      [   61.259211] RIP: 0033:0x7f54bab70e99
      [   61.262125] Code: 00 f3 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89
      [   61.268678] RSP: 002b:00007ffe1541c318 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
      [   61.271076] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f54bab70e99
      [   61.273795] RDX: 0000000000000070 RSI: 0000000020000240 RDI: 0000000000000003
      [   61.276982] RBP: 00007ffe1541c330 R08: 00000000200078e0 R09: 0000000000000002
      [   61.280035] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004005c0
      [   61.283279] R13: 00007ffe1541c420 R14: 0000000000000000 R15: 0000000000000000
      
      Cc: <stable@vger.kernel.org> # 4.7
      Fixes: 79b20a6c ("IB/mlx5: Add receive Work Queue verbs")
      Cc: syzkaller <syzkaller@googlegroups.com>
      Reported-by: default avatarNoa Osherovich <noaos@mellanox.com>
      Signed-off-by: default avatarLeon Romanovsky <leonro@mellanox.com>
      Signed-off-by: default avatarKees Cook <keescook@chromium.org>
      Signed-off-by: default avatarJason Gunthorpe <jgg@mellanox.com>
      0dfe4522
    • Kees Cook's avatar
      test_overflow: Add shift overflow tests · d36b6ad2
      Kees Cook authored
      This adds overflow tests for the new check_shift_overflow() helper to
      validate overflow, signedness glitches, storage glitches, etc.
      Co-developed-by: default avatarRasmus Villemoes <linux@rasmusvillemoes.dk>
      Signed-off-by: default avatarKees Cook <keescook@chromium.org>
      Signed-off-by: default avatarJason Gunthorpe <jgg@mellanox.com>
      d36b6ad2
    • Jason Gunthorpe's avatar
      overflow.h: Add arithmetic shift helper · 0c668477
      Jason Gunthorpe authored
      Add shift_overflow() helper to assist driver authors in ensuring that
      shift operations don't cause overflows or other odd conditions.
      Signed-off-by: default avatarJason Gunthorpe <jgg@mellanox.com>
      Signed-off-by: default avatarLeon Romanovsky <leonro@mellanox.com>
      [kees: tweaked comments and commit log, dropped unneeded assignment]
      Signed-off-by: default avatarKees Cook <keescook@chromium.org>
      0c668477
  2. 07 Aug, 2018 1 commit
  3. 03 Aug, 2018 13 commits
  4. 01 Aug, 2018 12 commits
    • Denis Drozdov's avatar
      IB/IPoIB: Set ah valid flag in multicast send flow · 75da9606
      Denis Drozdov authored
      The change of ipoib_ah data structure with adding "valid" flag and
      checks of ah->valid in ipoib_start_xmit affected multicast packet flow.
      
      Since the multicast flow doesn't invoke path_rec_start, "ah->valid" flag
      remains unset, so that ipoib_start_xmit end up with neigh_refresh_path
      instead of sending the packet using neigh.
      
      "ah->valid" has to be set in multicast send flow. As a result IPoIB
      starts sending packets via neigh immediately and eliminates 60sec delay
      of neigh keep alive interval.
      
      The typical example of this issue are two sequential arpings:
      
      arping 11.134.208.9 -> got response (mcast_send)
      arping 11.134.208.9 -> no response  (ah->valid = 0)
      
      Fixes: fa9391db ("RDMA/ipoib: Update paths on CLIENT_REREG/SM_CHANGE events")
      Signed-off-by: default avatarDenis Drozdov <denisd@mellanox.com>
      Reviewed-by: default avatarErez Shitrit <erezsh@mellanox.com>
      Reviewed-by: default avatarFeras Daoud <ferasda@mellanox.com>
      Signed-off-by: default avatarLeon Romanovsky <leonro@mellanox.com>
      Signed-off-by: default avatarJason Gunthorpe <jgg@mellanox.com>
      75da9606
    • Jason Gunthorpe's avatar
      IB/uverbs: Allow all DESTROY commands to succeed after disassociate · 0f50d88a
      Jason Gunthorpe authored
      The disassociate function was broken by design because it failed all
      commands. This prevents userspace from calling destroy on a uobject after
      it has detected a device fatal error and thus reclaiming the resources in
      userspace is prevented.
      
      This fix is now straightforward, when anything destroys a uobject that is
      not the user the object remains on the IDR with a NULL context and object
      pointer. All lookup locking modes other than DESTROY will fail. When the
      user ultimately calls the destroy function it is simply dropped from the
      IDR while any related information is returned.
      Signed-off-by: default avatarJason Gunthorpe <jgg@mellanox.com>
      0f50d88a
    • Jason Gunthorpe's avatar
      IB/uverbs: Do not block disassociate during write() · a9b66d64
      Jason Gunthorpe authored
      Now that all the callbacks are safe to run concurrently with
      disassociation this test can be eliminated. The ufile core infrastructure
      becomes entirely self contained and is not sensitive to disassociation.
      Signed-off-by: default avatarJason Gunthorpe <jgg@mellanox.com>
      a9b66d64
    • Jason Gunthorpe's avatar
      IB/uverbs: Do not pass struct ib_device to the ioctl methods · e83f0ecd
      Jason Gunthorpe authored
      This does the same as the patch before, except for ioctl. The rules are
      the same, but for the ioctl methods the core code handles setting up the
      uobject.
      
      - Retrieve the ib_dev from the uobject->context->device. This is
        safe under ioctl as the core has already done rdma_alloc_begin_uobject
        and so CREATE calls are entirely protected by the rwsem.
      - Retrieve the ib_dev from uobject->object
      - Call ib_uverbs_get_ucontext()
      Signed-off-by: default avatarJason Gunthorpe <jgg@mellanox.com>
      e83f0ecd
    • Jason Gunthorpe's avatar
      IB/uverbs: Do not pass struct ib_device to the write based methods · bbd51e88
      Jason Gunthorpe authored
      This is a step to get rid of the global check for disassociation. In this
      model, the ib_dev is not proven to be valid by the core code and cannot be
      provided to the method. Instead, every method decides if it is able to
      run after disassociation and obtains the ib_dev using one of three
      different approaches:
      
      - Call srcu_dereference on the udevice's ib_dev. As before, this means
        the method cannot be called after disassociation begins.
        (eg alloc ucontext)
      - Retrieve the ib_dev from the ucontext, via ib_uverbs_get_ucontext()
      - Retrieve the ib_dev from the uobject->object after checking
        under SRCU if disassociation has started (eg uobj_get)
      
      Largely, the code is all ready for this, the main work is to provide a
      ib_dev after calling uobj_alloc(). The few other places simply use
      ib_uverbs_get_ucontext() to get the ib_dev.
      
      This flexibility will let the next patches allow destroy to operate
      after disassociation.
      Signed-off-by: default avatarJason Gunthorpe <jgg@mellanox.com>
      bbd51e88
    • Jason Gunthorpe's avatar
      IB/uverbs: Lower the test for ongoing disassociation · cc2e14e6
      Jason Gunthorpe authored
      Commands that are reading/writing to objects can test for an ongoing
      disassociation during their initial call to rdma_lookup_get_uobject.  This
      directly prevents all of these commands from conflicting with an ongoing
      disassociation.
      Signed-off-by: default avatarJason Gunthorpe <jgg@mellanox.com>
      cc2e14e6
    • Jason Gunthorpe's avatar
      IB/uverbs: Allow uobject allocation to work concurrently with disassociate · 1e857e65
      Jason Gunthorpe authored
      After all the recent structural changes this is now straightforward, hold
      the hw_destroy_rwsem across the entire uobject creation. We already take
      this semaphore on the success path, so holding it a bit longer is not
      going to change the performance.
      
      After this change none of the create callbacks require the
      disassociate_srcu lock to be correct.
      Signed-off-by: default avatarJason Gunthorpe <jgg@mellanox.com>
      1e857e65
    • Jason Gunthorpe's avatar
      IB/uverbs: Allow RDMA_REMOVE_DESTROY to work concurrently with disassociate · 7452a3c7
      Jason Gunthorpe authored
      After all the recent structural changes this is now straightfoward, hoist
      the hw_destroy_rwsem up out of rdma_destroy_explicit and wrap it around
      the uobject write lock as well as the destroy.
      
      This is necessary as obtaining a write lock concurrently with
      uverbs_destroy_ufile_hw() will cause malfunction.
      
      After this change none of the destroy callbacks require the
      disassociate_srcu lock to be correct.
      
      This requires introducing a new lookup mode, UVERBS_LOOKUP_DESTROY as the
      IOCTL interface needs to hold an unlocked kref until all command
      verification is completed.
      Signed-off-by: default avatarJason Gunthorpe <jgg@mellanox.com>
      7452a3c7
    • Jason Gunthorpe's avatar
      IB/uverbs: Convert 'bool exclusive' into an enum · 9867f5c6
      Jason Gunthorpe authored
      This is more readable, and future patches will need a 3rd lookup type.
      Signed-off-by: default avatarJason Gunthorpe <jgg@mellanox.com>
      9867f5c6
    • Jason Gunthorpe's avatar
      IB/uverbs: Consolidate uobject destruction · 87ad80ab
      Jason Gunthorpe authored
      There are several flows that can destroy a uobject and each one is
      minimized and sprinkled throughout the code base, making it difficult to
      understand and very hard to modify the destroy path.
      
      Consolidate all of these into uverbs_destroy_uobject() and call it in all
      cases where a uobject has to be destroyed.
      
      This makes one change to the lifecycle, during any abort (eg when
      alloc_commit is not called) we always call out to alloc_abort, even if
      remove_commit needs to be called to delete a HW object.
      
      This also renames RDMA_REMOVE_DURING_CLEANUP to RDMA_REMOVE_ABORT to
      clarify its actual usage and revises some of the comments to reflect what
      the life cycle is for the type implementation.
      Signed-off-by: default avatarJason Gunthorpe <jgg@mellanox.com>
      87ad80ab
    • Jason Gunthorpe's avatar
      IB/uverbs: Make the write path destroy methods use the same flow as ioctl · 32ed5c00
      Jason Gunthorpe authored
      The ridiculous dance with uobj_remove_commit() is not needed, the write
      path can follow the same flow as ioctl - lock and destroy the HW object
      then use the data left over in the uobject to form the response to
      userspace.
      
      Two helpers are introduced to make this flow straightforward for the
      caller.
      Signed-off-by: default avatarJason Gunthorpe <jgg@mellanox.com>
      32ed5c00
    • Jason Gunthorpe's avatar
      IB/uverbs: Remove rdma_explicit_destroy() from the ioctl methods · aa72c9a5
      Jason Gunthorpe authored
      The core code will destroy the HW object on behalf of the method, if the
      method provides an implementation it must simply copy data from the stub
      uobj into the response. Destroy methods cannot touch the HW object.
      Signed-off-by: default avatarJason Gunthorpe <jgg@mellanox.com>
      aa72c9a5
  5. 31 Jul, 2018 11 commits