1. 09 Jul, 2018 16 commits
  2. 04 Jul, 2018 19 commits
  3. 03 Jul, 2018 5 commits
    • vmw_pvrdma: Release netdev when vmxnet3 module is removed · 11e40f5c
      Neil Horman authored
      On repeated module load/unload cycles, it's possible for the pvrdma driver
      to encounter this crash:
      
      ...
      [  297.032448] RIP: 0010:[<ffffffff839e4620>]  [<ffffffff839e4620>] netdev_walk_all_upper_dev_rcu+0x50/0xb0
      [  297.034078] RSP: 0018:ffff95087780bd08  EFLAGS: 00010286
      [  297.034986] RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff95087a0c0000
      [  297.036196] RDX: ffff95087a0c0000 RSI: ffffffff839e44e0 RDI: ffff950835d0c000
      [  297.037421] RBP: ffff95087780bd40 R08: ffff95087a0e0ea0 R09: abddacd03f8e0ea0
      [  297.038636] R10: abddacd03f8e0ea0 R11: ffffef5901e9dbc0 R12: ffff95087a0c0000
      [  297.039854] R13: ffffffff839e44e0 R14: ffff95087a0c0000 R15: ffff950835d0c828
      [  297.041071] FS:  0000000000000000(0000) GS:ffff95087fc00000(0000) knlGS:0000000000000000
      [  297.042443] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [  297.043429] CR2: ffffffffffffffe8 CR3: 000000007a652000 CR4: 00000000003607f0
      [  297.044674] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      [  297.045893] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      [  297.047109] Call Trace:
      [  297.047545]  [<ffffffff839e4698>] netdev_has_upper_dev_all_rcu+0x18/0x20
      [  297.048691]  [<ffffffffc05d31af>] is_eth_port_of_netdev+0x2f/0xa0 [ib_core]
      [  297.049886]  [<ffffffffc05d3180>] ? is_eth_active_slave_of_bonding_rcu+0x70/0x70 [ib_core]
      ...
      
      This occurs because vmw_pvrdma on probe stores a pointer to the netdev
      that exists on function 0 of the same bus/device/slot (which represents
      the vmxnet3 ethernet driver).  However, it never removes this pointer if
      the vmxnet3 module is removed, leading to crashes resulting from
      use-after-free dereferencing incidents like the one above.
      
      The fix is pretty straightforward.  vmw_pvrdma should listen for
      NETDEV_REGISTER and NETDEV_UNREGISTER events in its event listener code
      block, and update the stored netdev pointer accordingly.  This solution
      has been tested by myself and the reporter with successful results.  This
      fix also allows the pvrdma driver to find its underlying ethernet device
      in the event that vmxnet3 is loaded after pvrdma, which it was not able to
      do before.
      
      Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
      Reported-by: ruquin@redhat.com
      Tested-by: Adit Ranadive <aditr@vmware.com>
      Acked-by: Adit Ranadive <aditr@vmware.com>
      Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
    • IB/mlx5: Fix GRE flow specification · a93b632c
      Maor Gottlieb authored
      Currently the driver sets the mask of the gre_protocol to 0xffff
      without considering the user request.
      
      Fix it by copying the mask from the verbs spec.
      
      Fixes: da2f22ae ("IB/mlx5: Add support for GRE flow specification")
      Signed-off-by: Maor Gottlieb <maorg@mellanox.com>
      Reviewed-by: Ariel Levkovich <lariel@mellanox.com>
      Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
      Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
    • IB/hfi1: Remove incorrect call to do_interrupt callback · e3091644
      Michael J. Ruhl authored
      The general interrupt handler is_rcv_avail_int() has two paths,
      do_interrupt() (callback) and handle_user_interrupt().  The
      do_interrupt() callback is for the threaded receive handling.
      is_rcv_avail_int() cannot handle threaded IRQs.
      
      If the do_interrupt() path is taken, and the IRQ returns
      IRQ_WAKE_THREAD, the IRQ behavior will be indeterminate.
      
      Remove incorrect call to do_interrupt() from is_rcv_avail_int(),
      leaving the un-threaded (handle_user_interrupt()) path.
      
      Fixes: f4f30031 ("staging/rdma/hfi1: Thread the receive interrupt.")
      Reviewed-by: Mike Marciniszyn <mike.marciniszyn@intel.com>
      Reviewed-by: Kamenee Arumugam <kamenee.arumugam@intel.com>
      Signed-off-by: Michael J. Ruhl <michael.j.ruhl@intel.com>
      Signed-off-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
      Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
    • IB/hfi1: Set in_use_ctxts bits for user ctxts only · d108c60d
      Michael J. Ruhl authored
      The in_use_ctxts bitmask is for user receive contexts only.  Setting it for
      any other type of receive context is incorrect.
      
      Move the initial set of in_use_ctxts bits from the general context init to
      the user context specific init. Having this bit set can allow contexts to
      be incorrectly identified by some IRQ handlers.
      handle_user_interrupt() will now filter user contexts correctly.
      
      Clean up redundant is_rcv_urgent_int() user context check.
      
      A follow-on patch will clean up an incorrect code path in
      is_rcv_avail_int().
      
      Fixes: 8737ce95 ("IB/hfi1: Fix an assign/ordering issue with shared context IDs")
      Reviewed-by: Mike Marciniszyn <mike.marciniszyn@intel.com>
      Reviewed-by: Kamenee Arumugam <kamenee.arumugam@intel.com>
      Signed-off-by: Michael J. Ruhl <michael.j.ruhl@intel.com>
      Signed-off-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
      Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
    • ib_srpt: Fix a use-after-free in __srpt_close_all_ch() · 14d15c2b
      Bart Van Assche authored
      BUG: KASAN: use-after-free in srpt_set_enabled+0x1a9/0x1e0 [ib_srpt]
      Read of size 4 at addr ffff8801269d23f8 by task check/29726
      
      CPU: 4 PID: 29726 Comm: check Not tainted 4.18.0-rc2-dbg+ #4
      Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.0.0-prebuilt.qemu-project.org 04/01/2014
      Call Trace:
       dump_stack+0xa4/0xf5
       print_address_description+0x6f/0x270
       kasan_report+0x241/0x360
       __asan_load4+0x78/0x80
       srpt_set_enabled+0x1a9/0x1e0 [ib_srpt]
       srpt_tpg_enable_store+0xb8/0x120 [ib_srpt]
       configfs_write_file+0x14e/0x1d0 [configfs]
       __vfs_write+0xd2/0x3b0
       vfs_write+0x101/0x270
       ksys_write+0xab/0x120
       __x64_sys_write+0x43/0x50
       do_syscall_64+0x77/0x230
       entry_SYSCALL_64_after_hwframe+0x49/0xbe
      RIP: 0033:0x7f235cfe6154
      
      Fixes: aaf45bd8 ("IB/srpt: Detect session shutdown reliably")
      Signed-off-by: Bart Van Assche <bart.vanassche@wdc.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
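
The lifetime rule described in commit 11e40f5c above (drop the cached netdev pointer on unregister, pick it up on register), as an added userspace C model; it is not the driver's code or part of the original page. All type, function and event names are hypothetical stand-ins for the kernel's netdev notifier, and `malloc`/`free` stand in for the NIC module being loaded and removed.

```c
/* Userspace model of the cached-netdev lifetime bug; every name here is
 * hypothetical and none of it is vmw_pvrdma or kernel code. */
#include <stdlib.h>

enum nd_event { ND_REGISTER, ND_UNREGISTER };

struct netdev { int slot, fn, link_up; };

struct rdma_dev {
    int slot;               /* bus/device/slot shared with the paired NIC */
    struct netdev *netdev;  /* cached pointer to function 0's netdev */
};

/* Notifier callback: keep the cached pointer in step with the NIC lifetime. */
static void rdma_netdev_event(struct rdma_dev *rd, struct netdev *nd,
                              enum nd_event ev)
{
    if (nd->slot != rd->slot || nd->fn != 0)
        return;                           /* not our paired device */
    if (ev == ND_REGISTER && !rd->netdev)
        rd->netdev = nd;                  /* NIC driver loaded after us */
    else if (ev == ND_UNREGISTER && rd->netdev == nd)
        rd->netdev = NULL;                /* drop it before it is freed */
}

/* Consumer of the cached pointer: -1 means no paired netdev right now. */
static int rdma_link_state(const struct rdma_dev *rd)
{
    return rd->netdev ? rd->netdev->link_up : -1;
}

/* Load/unload cycle; returns 0 if every step behaves, else the failing step. */
static int scenario(void)
{
    struct rdma_dev rd = { .slot = 3, .netdev = NULL };  /* RDMA loads first */
    for (int cycle = 0; cycle < 3; cycle++) {
        struct netdev *nic = malloc(sizeof(*nic));       /* NIC module load */
        if (!nic) return 1;
        *nic = (struct netdev){ .slot = 3, .fn = 0, .link_up = 1 };
        rdma_netdev_event(&rd, nic, ND_REGISTER);
        if (rdma_link_state(&rd) != 1) return 2;
        rdma_netdev_event(&rd, nic, ND_UNREGISTER);      /* NIC module unload */
        free(nic);
        if (rd.netdev != NULL || rdma_link_state(&rd) != -1) return 3;
    }
    return 0;
}

int main(void) { return scenario(); }
```

Without the `ND_UNREGISTER` branch, `rd.netdev` would still point at freed memory after the first cycle, which is the condition behind the crash quoted in the commit message.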