1. 06 Mar, 2018 5 commits
    • Mustafa Ismail's avatar
      i40iw: Refactor handling of txpend list · 6b0c549f
      Mustafa Ismail authored
      Currently the TX pending lists for IEQ and ILQ are
      handled separately. The handling of both can be
      consolidated in i40iw_poll_completion.
      Signed-off-by: default avatarMustafa Ismail <mustafa.ismail@intel.com>
      Signed-off-by: default avatarShiraz Saleem <shiraz.saleem@intel.com>
      Signed-off-by: default avatarJason Gunthorpe <jgg@mellanox.com>
      6b0c549f
    • Bart Van Assche's avatar
      IB/srpt: Fix an out-of-bounds stack access in srpt_zerolength_write() · 2a78cb4d
      Bart Van Assche authored
      Avoid triggering an out-of-bounds stack access by changing the type
      of 'wr' from ib_send_wr into ib_rdma_wr.
      
      This patch fixes the following KASAN bug report:
      
      BUG: KASAN: stack-out-of-bounds in rxe_post_send+0x7a9/0x9a0 [rdma_rxe]
      Read of size 8 at addr ffff880068197a48 by task kworker/2:1/44
      
      Workqueue: ib_cm cm_work_handler [ib_cm]
      Call Trace:
       dump_stack+0x8e/0xcd
       print_address_description+0x6f/0x280
       kasan_report+0x25a/0x380
       __asan_load8+0x54/0x90
       rxe_post_send+0x7a9/0x9a0 [rdma_rxe]
       srpt_zerolength_write+0xf0/0x180 [ib_srpt]
       srpt_cm_rtu_recv+0x68/0x110 [ib_srpt]
       srpt_rdma_cm_handler+0xbb/0x15b [ib_srpt]
       cma_ib_handler+0x1aa/0x4a0 [rdma_cm]
       cm_process_work+0x30/0x100 [ib_cm]
       cm_work_handler+0xa86/0x351b [ib_cm]
       process_one_work+0x475/0x9f0
       worker_thread+0x69/0x690
       kthread+0x1ad/0x1d0
       ret_from_fork+0x3a/0x50
      
      Fixes: aaf45bd8 ("IB/srpt: Detect session shutdown reliably")
      Signed-off-by: default avatarBart Van Assche <bart.vanassche@wdc.com>
      Cc: Christoph Hellwig <hch@lst.de>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarJason Gunthorpe <jgg@mellanox.com>
      2a78cb4d
    • Bart Van Assche's avatar
      RDMA/rxe: Fix an out-of-bounds read · a6544a62
      Bart Van Assche authored
      This patch avoids that KASAN reports the following when the SRP initiator
      calls srp_post_send():
      
      ==================================================================
      BUG: KASAN: stack-out-of-bounds in rxe_post_send+0x5c4/0x980 [rdma_rxe]
      Read of size 8 at addr ffff880066606e30 by task 02-mq/1074
      
      CPU: 2 PID: 1074 Comm: 02-mq Not tainted 4.16.0-rc3-dbg+ #1
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.0.0-prebuilt.qemu-project.org 04/01/2014
      Call Trace:
      dump_stack+0x85/0xc7
      print_address_description+0x65/0x270
      kasan_report+0x231/0x350
      rxe_post_send+0x5c4/0x980 [rdma_rxe]
      srp_post_send.isra.16+0x149/0x190 [ib_srp]
      srp_queuecommand+0x94d/0x1670 [ib_srp]
      scsi_dispatch_cmd+0x1c2/0x550 [scsi_mod]
      scsi_queue_rq+0x843/0xa70 [scsi_mod]
      blk_mq_dispatch_rq_list+0x143/0xac0
      blk_mq_do_dispatch_ctx+0x1c5/0x260
      blk_mq_sched_dispatch_requests+0x2bf/0x2f0
      __blk_mq_run_hw_queue+0xdb/0x160
      __blk_mq_delay_run_hw_queue+0xba/0x100
      blk_mq_run_hw_queue+0xf2/0x190
      blk_mq_sched_insert_request+0x163/0x2f0
      blk_execute_rq+0xb0/0x130
      scsi_execute+0x14e/0x260 [scsi_mod]
      scsi_probe_and_add_lun+0x366/0x13d0 [scsi_mod]
      __scsi_scan_target+0x18a/0x810 [scsi_mod]
      scsi_scan_target+0x11e/0x130 [scsi_mod]
      srp_create_target+0x1522/0x19e0 [ib_srp]
      kernfs_fop_write+0x180/0x210
      __vfs_write+0xb1/0x2e0
      vfs_write+0xf6/0x250
      SyS_write+0x99/0x110
      do_syscall_64+0xee/0x2b0
      entry_SYSCALL_64_after_hwframe+0x42/0xb7
      
      The buggy address belongs to the page:
      page:ffffea0001998180 count:0 mapcount:0 mapping:0000000000000000 index:0x0
      flags: 0x4000000000000000()
      raw: 4000000000000000 0000000000000000 0000000000000000 00000000ffffffff
      raw: dead000000000100 dead000000000200 0000000000000000 0000000000000000
      page dumped because: kasan: bad access detected
      
      Memory state around the buggy address:
      ffff880066606d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1
      ffff880066606d80: f1 00 f2 f2 f2 f2 f2 f2 f2 00 00 f2 f2 f2 f2 f2
      >ffff880066606e00: f2 00 00 00 00 00 f2 f2 f2 f3 f3 f3 f3 00 00 00
                                          ^
      ffff880066606e80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      ffff880066606f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      ==================================================================
      
      Fixes: 8700e3e7 ("Soft RoCE driver")
      Signed-off-by: default avatarBart Van Assche <bart.vanassche@wdc.com>
      Cc: Moni Shoua <monis@mellanox.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarJason Gunthorpe <jgg@mellanox.com>
      a6544a62
    • Bart Van Assche's avatar
      RDMA/core: Avoid that ib_drain_qp() triggers an out-of-bounds stack access · a1ae7d03
      Bart Van Assche authored
      This patch fixes the following KASAN complaint:
      
      ==================================================================
      BUG: KASAN: stack-out-of-bounds in rxe_post_send+0x77d/0x9b0 [rdma_rxe]
      Read of size 8 at addr ffff880061aef860 by task 01/1080
      
      CPU: 2 PID: 1080 Comm: 01 Not tainted 4.16.0-rc3-dbg+ #2
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.0.0-prebuilt.qemu-project.org 04/01/2014
      Call Trace:
      dump_stack+0x85/0xc7
      print_address_description+0x65/0x270
      kasan_report+0x231/0x350
      rxe_post_send+0x77d/0x9b0 [rdma_rxe]
      __ib_drain_sq+0x1ad/0x250 [ib_core]
      ib_drain_qp+0x9/0x30 [ib_core]
      srp_destroy_qp+0x51/0x70 [ib_srp]
      srp_free_ch_ib+0xfc/0x380 [ib_srp]
      srp_create_target+0x1071/0x19e0 [ib_srp]
      kernfs_fop_write+0x180/0x210
      __vfs_write+0xb1/0x2e0
      vfs_write+0xf6/0x250
      SyS_write+0x99/0x110
      do_syscall_64+0xee/0x2b0
      entry_SYSCALL_64_after_hwframe+0x42/0xb7
      
      The buggy address belongs to the page:
      page:ffffea000186bbc0 count:0 mapcount:0 mapping:0000000000000000 index:0x0
      flags: 0x4000000000000000()
      raw: 4000000000000000 0000000000000000 0000000000000000 00000000ffffffff
      raw: 0000000000000000 ffffea000186bbe0 0000000000000000 0000000000000000
      page dumped because: kasan: bad access detected
      
      Memory state around the buggy address:
      ffff880061aef700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      ffff880061aef780: 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00
      >ffff880061aef800: f2 f2 f2 f2 f2 f2 f2 00 00 00 00 00 f2 f2 f2 f2
                                                            ^
      ffff880061aef880: f2 f2 f2 00 00 00 00 00 00 00 00 00 00 00 f2 f2
      ffff880061aef900: f2 f2 f2 00 00 00 00 00 00 00 00 00 00 00 00 00
      ==================================================================
      
      Fixes: 765d6774 ("IB: new common API for draining queues")
      Signed-off-by: default avatarBart Van Assche <bart.vanassche@wdc.com>
      Cc: Steve Wise <swise@opengridcomputing.com>
      Cc: Sagi Grimberg <sagi@grimberg.me>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarJason Gunthorpe <jgg@mellanox.com>
      a1ae7d03
    • Colin Ian King's avatar
      infiniband: remove redundant assignment to pointer 'rdi' · 042932f7
      Colin Ian King authored
      The pointer rdi is being initialized with a value that is never read
      and re-assigned immediately after, hence the initialization is redundant
      and can be removed.
      
      Cleans up clang warning:
      drivers/infiniband/sw/rdmavt/vt.c:94:23: warning: Value stored to 'rdi'
      during its initialization is never read
      Signed-off-by: default avatarColin Ian King <colin.king@canonical.com>
      Signed-off-by: default avatarJason Gunthorpe <jgg@mellanox.com>
      042932f7
  2. 28 Feb, 2018 14 commits
  3. 23 Feb, 2018 21 commits