Commit d412c31d authored by Alex Vesker's avatar Alex Vesker Committed by Saeed Mahameed

net/mlx5: Fix command interface race in polling mode

The command interface can work in two modes: Events and Polling.
In the general case, each time we invoke a command, a work is
queued to handle it.

When working in events, the interrupt handler completes the
command execution. On the other hand, when working in polling
mode, the work itself completes it.

Due to a bug in the work handler, a command could have been
completed by the interrupt handler, while the work handler
hasn't finished yet, causing the it to complete once again
if the command interface mode was changed from Events to
polling after the interrupt handler was called.

mlx5_unload_one()
        mlx5_stop_eqs()
                // Destroy the EQ before cmd EQ
                ...cmd_work_handler()
                        write_doorbell()
                        --> EVENT_TYPE_CMD
                                mlx5_cmd_comp_handler() // First free
                                        free_ent(cmd, ent->idx)
                                        complete(&ent->done)

        <-- mlx5_stop_eqs //cmd was complete
                // move to polling before destroying the last cmd EQ
                mlx5_cmd_use_polling()
                        cmd->mode = POLL;

                --> cmd_work_handler (continues)
                        if (cmd->mode == POLL)
                                mlx5_cmd_comp_handler() // Double free

The solution is to store the cmd->mode before writing the doorbell.

Fixes: e126ba97 ("mlx5: Add driver for Mellanox Connect-IB adapters")
Signed-off-by: default avatarAlex Vesker <valex@mellanox.com>
Signed-off-by: default avatarSaeed Mahameed <saeedm@mellanox.com>
parent 603b7bcf
...@@ -807,6 +807,7 @@ static void cmd_work_handler(struct work_struct *work) ...@@ -807,6 +807,7 @@ static void cmd_work_handler(struct work_struct *work)
unsigned long flags; unsigned long flags;
bool poll_cmd = ent->polling; bool poll_cmd = ent->polling;
int alloc_ret; int alloc_ret;
int cmd_mode;
sem = ent->page_queue ? &cmd->pages_sem : &cmd->sem; sem = ent->page_queue ? &cmd->pages_sem : &cmd->sem;
down(sem); down(sem);
...@@ -853,6 +854,7 @@ static void cmd_work_handler(struct work_struct *work) ...@@ -853,6 +854,7 @@ static void cmd_work_handler(struct work_struct *work)
set_signature(ent, !cmd->checksum_disabled); set_signature(ent, !cmd->checksum_disabled);
dump_command(dev, ent, 1); dump_command(dev, ent, 1);
ent->ts1 = ktime_get_ns(); ent->ts1 = ktime_get_ns();
cmd_mode = cmd->mode;
if (ent->callback) if (ent->callback)
schedule_delayed_work(&ent->cb_timeout_work, cb_timeout); schedule_delayed_work(&ent->cb_timeout_work, cb_timeout);
...@@ -877,7 +879,7 @@ static void cmd_work_handler(struct work_struct *work) ...@@ -877,7 +879,7 @@ static void cmd_work_handler(struct work_struct *work)
iowrite32be(1 << ent->idx, &dev->iseg->cmd_dbell); iowrite32be(1 << ent->idx, &dev->iseg->cmd_dbell);
mmiowb(); mmiowb();
/* if not in polling don't use ent after this point */ /* if not in polling don't use ent after this point */
if (cmd->mode == CMD_MODE_POLLING || poll_cmd) { if (cmd_mode == CMD_MODE_POLLING || poll_cmd) {
poll_timeout(ent); poll_timeout(ent);
/* make sure we read the descriptor after ownership is SW */ /* make sure we read the descriptor after ownership is SW */
rmb(); rmb();
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment