lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <20130509222801.054832857@linuxfoundation.org>
Date:	Thu,  9 May 2013 15:31:51 -0700
From:	Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To:	linux-kernel@...r.kernel.org
Cc:	Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
	stable@...r.kernel.org,
	Thadeu Lima de Souza Cascardo <cascardo@...ux.vnet.ibm.com>,
	Emil Goode <emilgoode@...il.com>,
	Steve Wise <swise@...ngridcomputing.com>,
	Roland Dreier <roland@...estorage.com>
Subject: [ 28/73] RDMA/cxgb4: Fix SQ allocation when on-chip SQ is disabled

3.8-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Thadeu Lima de Souza Cascardo <cascardo@...ux.vnet.ibm.com>

commit 5b0c275926b8149c555da874bb4ec258ea3292aa upstream.

Commit c079c28714e4 ("RDMA/cxgb4: Fix error handling in create_qp()")
broke SQ allocation.  Instead of falling back to host allocation when
on-chip allocation fails, it tries to allocate both.  And when it
does, and we try to free the address from the genpool using the host
address, we hit a BUG and the system crashes as below.

We create a new function that has the previous behavior and properly
propagate the error, as intended.

    kernel BUG at /usr/src/packages/BUILD/kernel-ppc64-3.0.68/linux-3.0/lib/genalloc.c:340!
    Oops: Exception in kernel mode, sig: 5 [#1]
    SMP NR_CPUS=1024 NUMA pSeries
    Modules linked in: rdma_ucm rdma_cm ib_addr ib_cm iw_cm ib_sa ib_mad ib_uverbs iw_cxgb4 ib_core ip6t_LOG xt_tcpudp xt_pkttype ipt_LOG xt_limit ip6t_REJECT nf_conntrack_ipv6 nf_defrag_ipv6 ip6table_raw xt_NOTRACK ipt_REJECT xt_state iptable_raw iptable_filter ip6table_mangle nf_conntrack_netbios_ns nf_conntrack_broadcast nf_conntrack_ipv4 nf_conntrack nf_defrag_ipv4 ip_tables ip6table_filter ip6_tables x_tables fuse loop dm_mod ipv6 ipv6_lib sr_mod cdrom ibmveth(X) cxgb4 sg ext3 jbd mbcache sd_mod crc_t10dif scsi_dh_emc scsi_dh_hp_sw scsi_dh_alua scsi_dh_rdac scsi_dh ibmvscsic(X) scsi_transport_srp scsi_tgt scsi_mod
    Supported: Yes
    NIP: c00000000037d41c LR: d000000003913824 CTR: c00000000037d3b0
    REGS: c0000001f350ae50 TRAP: 0700   Tainted: G            X  (3.0.68-0.9-ppc64)
    MSR: 8000000000029032 <EE,ME,CE,IR,DR>  CR: 24042482  XER: 00000001
    TASK = c0000001f6f2a840[3616] 'rping' THREAD: c0000001f3508000 CPU: 0
    GPR00: c0000001f6e875c8 c0000001f350b0d0 c000000000fc9690 c0000001f6e875c0
    GPR04: 00000000000c0000 0000000000010000 0000000000000000 c0000000009d482a
    GPR08: 000000006a170000 0000000000100000 c0000001f350b140 c0000001f6e875c8
    GPR12: d000000003915dd0 c000000003f40000 000000003e3ecfa8 c0000001f350bea0
    GPR16: c0000001f350bcd0 00000000003c0000 0000000000040100 c0000001f6e74a80
    GPR20: d00000000399a898 c0000001f6e74ac8 c0000001fad91600 c0000001f6e74ab0
    GPR24: c0000001f7d23f80 0000000000000000 0000000000000002 000000006a170000
    GPR28: 000000000000000c c0000001f584c8d0 d000000003925180 c0000001f6e875c8
    NIP [c00000000037d41c] .gen_pool_free+0x6c/0xf8
    LR [d000000003913824] .c4iw_ocqp_pool_free+0x8c/0xd8 [iw_cxgb4]
    Call Trace:
    [c0000001f350b0d0] [c0000001f350b180] 0xc0000001f350b180 (unreliable)
    [c0000001f350b170] [d000000003913824] .c4iw_ocqp_pool_free+0x8c/0xd8 [iw_cxgb4]
    [c0000001f350b210] [d00000000390fd70] .dealloc_sq+0x90/0xb0 [iw_cxgb4]
    [c0000001f350b280] [d00000000390fe08] .destroy_qp+0x78/0xf8 [iw_cxgb4]
    [c0000001f350b310] [d000000003912738] .c4iw_destroy_qp+0x208/0x2d0 [iw_cxgb4]
    [c0000001f350b460] [d000000003861874] .ib_destroy_qp+0x5c/0x130 [ib_core]
    [c0000001f350b510] [d0000000039911bc] .ib_uverbs_cleanup_ucontext+0x174/0x4f8 [ib_uverbs]
    [c0000001f350b5f0] [d000000003991568] .ib_uverbs_close+0x28/0x70 [ib_uverbs]
    [c0000001f350b670] [c0000000001e7b2c] .__fput+0xdc/0x278
    [c0000001f350b720] [c0000000001a9590] .remove_vma+0x68/0xd8
    [c0000001f350b7b0] [c0000000001a9720] .exit_mmap+0x120/0x160
    [c0000001f350b8d0] [c0000000000af330] .mmput+0x80/0x160
    [c0000001f350b960] [c0000000000b5d0c] .exit_mm+0x1ac/0x1e8
    [c0000001f350ba10] [c0000000000b8154] .do_exit+0x1b4/0x4b8
    [c0000001f350bad0] [c0000000000b84b0] .do_group_exit+0x58/0xf8
    [c0000001f350bb60] [c0000000000ce9f4] .get_signal_to_deliver+0x2f4/0x5d0
    [c0000001f350bc60] [c000000000017ee4] .do_signal_pending+0x6c/0x3e0
    [c0000001f350bdb0] [c0000000000182cc] .do_signal+0x74/0x78
    [c0000001f350be30] [c000000000009e74] do_work+0x24/0x28

Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@...ux.vnet.ibm.com>
Cc: Emil Goode <emilgoode@...il.com>
Acked-by: Steve Wise <swise@...ngridcomputing.com>
Signed-off-by: Roland Dreier <roland@...estorage.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@...uxfoundation.org>

---
 drivers/infiniband/hw/cxgb4/qp.c |   25 +++++++++++++------------
 1 file changed, 13 insertions(+), 12 deletions(-)

--- a/drivers/infiniband/hw/cxgb4/qp.c
+++ b/drivers/infiniband/hw/cxgb4/qp.c
@@ -100,6 +100,16 @@ static int alloc_host_sq(struct c4iw_rde
 	return 0;
 }
 
+static int alloc_sq(struct c4iw_rdev *rdev, struct t4_sq *sq, int user)
+{
+	int ret = -ENOSYS;
+	if (user)
+		ret = alloc_oc_sq(rdev, sq);
+	if (ret)
+		ret = alloc_host_sq(rdev, sq);
+	return ret;
+}
+
 static int destroy_qp(struct c4iw_rdev *rdev, struct t4_wq *wq,
 		      struct c4iw_dev_ucontext *uctx)
 {
@@ -168,18 +178,9 @@ static int create_qp(struct c4iw_rdev *r
 		goto free_sw_rq;
 	}
 
-	if (user) {
-		ret = alloc_oc_sq(rdev, &wq->sq);
-		if (ret)
-			goto free_hwaddr;
-
-		ret = alloc_host_sq(rdev, &wq->sq);
-		if (ret)
-			goto free_sq;
-	} else
-		ret = alloc_host_sq(rdev, &wq->sq);
-		if (ret)
-			goto free_hwaddr;
+	ret = alloc_sq(rdev, &wq->sq, user);
+	if (ret)
+		goto free_hwaddr;
 	memset(wq->sq.queue, 0, wq->sq.memsize);
 	dma_unmap_addr_set(&wq->sq, mapping, wq->sq.dma_addr);
 


--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ