• Steve Wise's avatar
    iw_cxgb4: add referencing to wait objects · 2015f26c
    Steve Wise authored
    For messages sent from the host to fw that solicit a reply from fw,
    the c4iw_wr_wait struct pointer is passed in the host->fw message, and
    included in the fw->host fw6_msg reply.  This allows the sender to wait
    until the reply is received, and the code processing the ingress reply
    to wake up the sender.
    
    If c4iw_wait_for_reply() times out, however, we need to keep the
    c4iw_wr_wait object around in case the reply eventually does arrive.
    Otherwise we have touch-after-free bugs in the wake_up paths.
    
    This was hit due to a bad kernel driver that blocked ingress processing
    of cxgb4 for a long time, causing iw_cxgb4 timeouts, but eventually
    resuming ingress processing and thus hitting the touch-after-free bug.
    
    So I want to fix iw_cxgb4 such that we'll at least keep the wait object
    around until the reply comes.  If it never comes we leak a small amount of
    memory, but if it does come late, we won't potentially crash the system.
    
    So add a kref struct in the c4iw_wr_wait struct, and take a reference
    before sending a message to FW that will generate a FW6 reply.  And remove
    the reference (and potentially free the wait object) when the reply
    is processed.
    
    The ep code also uses the wr_wait for non FW6 CPL messages and doesn't
    embed the c4iw_wr_wait object in the message sent to firmware.  So for
    those cases we add c4iw_wake_up_noref().
    
    The mr/mw, cq, and qp object create/destroy paths do need this reference
    logic.  For these paths, c4iw_ref_send_wait() is introduced to take the
    wr_wait reference, send the msg to fw, and then wait for the reply.
    
    So going forward, iw_cxgb4 either uses c4iw_ofld_send(),
    c4iw_wait_for_reply() and c4iw_wake_up_noref() like is done in the some
    of the endpoint logic, or c4iw_ref_send_wait() and c4iw_wake_up_deref()
    (formerly c4iw_wake_up()) when sending messages with the c4iw_wr_wait
    object pointer embedded in the message and resulting FW6 reply.
    Signed-off-by: default avatarSteve Wise <swise@opengridcomputing.com>
    Signed-off-by: default avatarDoug Ledford <dledford@redhat.com>
    2015f26c
qp.c 54.7 KB