1. 17 Dec, 2018 1 commit
    • Majd Dibbiny's avatar
      RDMA/mlx5: Fix fence type for IB_WR_LOCAL_INV WR · 454892c3
      Majd Dibbiny authored
      [ Upstream commit 074fca3a18e7e1e0d4d7dcc9d7badc43b90232f4 ]
      
      Currently, for IB_WR_LOCAL_INV WR, when the next fence is None, the
      current fence will be SMALL instead of Normal Fence.
      
      Without this patch krping doesn't work on CX-5 devices and throws
      following error:
      
      The error messages are from CX5 driver are: (from server side)
      [ 710.434014] mlx5_0:dump_cqe:278:(pid 2712): dump error cqe
      [ 710.434016] 00000000 00000000 00000000 00000000
      [ 710.434016] 00000000 00000000 00000000 00000000
      [ 710.434017] 00000000 00000000 00000000 00000000
      [ 710.434018] 00000000 93003204 100000b8 000524d2
      [ 710.434019] krping: cq completion failed with wr_id 0 status 4 opcode 128 vender_err 32
      
      Fixed the logic to set the correct fence type.
      
      Fixes: 6e8484c5 ("RDMA/mlx5: set UMR wqe fence according to HCA cap")
      Signed-off-by: default avatarMajd Dibbiny <majd@mellanox.com>
      Signed-off-by: default avatarLeon Romanovsky <leonro@mellanox.com>
      Signed-off-by: default avatarJason Gunthorpe <jgg@mellanox.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      454892c3
  2. 10 Nov, 2018 1 commit
  3. 30 May, 2018 2 commits
  4. 09 May, 2018 2 commits
    • Danit Goldberg's avatar
      IB/mlx5: Use unlimited rate when static rate is not supported · 7508e14f
      Danit Goldberg authored
      commit 4f32ac2e452c2180cd2df581cbadac183e27ecd0 upstream.
      
      Before the change, if the user passed a static rate value different
      than zero and the FW doesn't support static rate,
      it would end up configuring rate of 2.5 GBps.
      
      Fix this by using rate 0; unlimited, in cases where FW
      doesn't support static rate configuration.
      
      Cc: <stable@vger.kernel.org> # 3.10
      Fixes: e126ba97 ("mlx5: Add driver for Mellanox Connect-IB adapters")
      Reviewed-by: default avatarMajd Dibbiny <majd@mellanox.com>
      Signed-off-by: default avatarDanit Goldberg <danitg@mellanox.com>
      Signed-off-by: default avatarLeon Romanovsky <leonro@mellanox.com>
      Signed-off-by: default avatarDoug Ledford <dledford@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      7508e14f
    • Leon Romanovsky's avatar
      RDMA/mlx5: Protect from shift operand overflow · a3fe8107
      Leon Romanovsky authored
      commit 002bf2282b2d7318e444dca9ffcb994afc5d5f15 upstream.
      
      Ensure that user didn't supply values too large that can cause overflow.
      
      UBSAN: Undefined behaviour in drivers/infiniband/hw/mlx5/qp.c:263:23
      shift exponent -2147483648 is negative
      CPU: 0 PID: 292 Comm: syzkaller612609 Not tainted 4.16.0-rc1+ #131
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.11.0-0-g63451fca13-prebuilt.qemu-project.org 04/01/2014 Call
      Trace:
      dump_stack+0xde/0x164
      ubsan_epilogue+0xe/0x81
      set_rq_size+0x7c2/0xa90
      create_qp_common+0xc18/0x43c0
      mlx5_ib_create_qp+0x379/0x1ca0
      create_qp.isra.5+0xc94/0x2260
      ib_uverbs_create_qp+0x21b/0x2a0
      ib_uverbs_write+0xc2c/0x1010
      vfs_write+0x1b0/0x550
      SyS_write+0xc7/0x1a0
      do_syscall_64+0x1aa/0x740
      entry_SYSCALL_64_after_hwframe+0x26/0x9b
      RIP: 0033:0x433569
      RSP: 002b:00007ffc6e62f448 EFLAGS: 00000217 ORIG_RAX: 0000000000000001
      RAX: ffffffffffffffda RBX: 00000000004002f8 RCX: 0000000000433569
      RDX: 0000000000000070 RSI: 00000000200042c0 RDI: 0000000000000003
      RBP: 00000000006d5018 R08: 00000000004002f8 R09: 00000000004002f8
      R10: 00000000004002f8 R11: 0000000000000217 R12: 0000000000000000
      R13: 000000000040c9f0 R14: 000000000040ca80 R15: 0000000000000006
      
      Cc: <stable@vger.kernel.org> # 3.10
      Fixes: e126ba97 ("mlx5: Add driver for Mellanox Connect-IB adapters")
      Cc: syzkaller <syzkaller@googlegroups.com>
      Reported-by: default avatarNoa Osherovich <noaos@mellanox.com>
      Signed-off-by: default avatarLeon Romanovsky <leonro@mellanox.com>
      Signed-off-by: default avatarDoug Ledford <dledford@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a3fe8107
  5. 29 Apr, 2018 1 commit
    • Leon Romanovsky's avatar
      RDMA/mlx5: Fix NULL dereference while accessing XRC_TGT QPs · 9ffa6fb2
      Leon Romanovsky authored
      commit 75a4598209cbe45540baa316c3b51d9db222e96e upstream.
      
      mlx5 modify_qp() relies on FW that the error will be thrown if wrong
      state is supplied. The missing check in FW causes the following crash
      while using XRC_TGT QPs.
      
      [   14.769632] BUG: unable to handle kernel NULL pointer dereference at (null)
      [   14.771085] IP: mlx5_ib_modify_qp+0xf60/0x13f0
      [   14.771894] PGD 800000001472e067 P4D 800000001472e067 PUD 14529067 PMD 0
      [   14.773126] Oops: 0002 [#1] SMP PTI
      [   14.773763] CPU: 0 PID: 365 Comm: ubsan Not tainted 4.16.0-rc1-00038-g8151138c0793 #119
      [   14.775192] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.7.5-0-ge51488c-20140602_164612-nilsson.home.kraxel.org 04/01/2014
      [   14.777522] RIP: 0010:mlx5_ib_modify_qp+0xf60/0x13f0
      [   14.778417] RSP: 0018:ffffbf48001c7bd8 EFLAGS: 00010246
      [   14.779346] RAX: 0000000000000000 RBX: ffff9a8f9447d400 RCX: 0000000000000000
      [   14.780643] RDX: 0000000000000000 RSI: 000000000000000a RDI: 0000000000000000
      [   14.781930] RBP: 0000000000000000 R08: 00000000000217b0 R09: ffffffffbc9c1504
      [   14.783214] R10: fffff4a180519480 R11: ffff9a8f94523600 R12: ffff9a8f9493e240
      [   14.784507] R13: ffff9a8f9447d738 R14: 000000000000050a R15: 0000000000000000
      [   14.785800] FS:  00007f545b466700(0000) GS:ffff9a8f9fc00000(0000) knlGS:0000000000000000
      [   14.787073] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [   14.787792] CR2: 0000000000000000 CR3: 00000000144be000 CR4: 00000000000006b0
      [   14.788689] Call Trace:
      [   14.789007]  _ib_modify_qp+0x71/0x120
      [   14.789475]  modify_qp.isra.20+0x207/0x2f0
      [   14.790010]  ib_uverbs_modify_qp+0x90/0xe0
      [   14.790532]  ib_uverbs_write+0x1d2/0x3c0
      [   14.791049]  ? __handle_mm_fault+0x93c/0xe40
      [   14.791644]  __vfs_write+0x36/0x180
      [   14.792096]  ? handle_mm_fault+0xc1/0x210
      [   14.792601]  vfs_write+0xad/0x1e0
      [   14.793018]  SyS_write+0x52/0xc0
      [   14.793422]  do_syscall_64+0x75/0x180
      [   14.793888]  entry_SYSCALL_64_after_hwframe+0x21/0x86
      [   14.794527] RIP: 0033:0x7f545ad76099
      [   14.794975] RSP: 002b:00007ffd78787468 EFLAGS: 00000287 ORIG_RAX: 0000000000000001
      [   14.795958] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f545ad76099
      [   14.797075] RDX: 0000000000000078 RSI: 0000000020009000 RDI: 0000000000000003
      [   14.798140] RBP: 00007ffd78787470 R08: 00007ffd78787480 R09: 00007ffd78787480
      [   14.799207] R10: 00007ffd78787480 R11: 0000000000000287 R12: 00005599ada98760
      [   14.800277] R13: 00007ffd78787560 R14: 0000000000000000 R15: 0000000000000000
      [   14.801341] Code: 4c 8b 1c 24 48 8b 83 70 02 00 00 48 c7 83 cc 02 00
      00 00 00 00 00 48 c7 83 24 03 00 00 00 00 00 00 c7 83 2c 03 00 00 00 00
      00 00 <c7> 00 00 00 00 00 48 8b 83 70 02 00 00 c7 40 04 00 00 00 00 4c
      [   14.804012] RIP: mlx5_ib_modify_qp+0xf60/0x13f0 RSP: ffffbf48001c7bd8
      [   14.804838] CR2: 0000000000000000
      [   14.805288] ---[ end trace 3f1da0df5c8b7c37 ]---
      
      Cc: syzkaller <syzkaller@googlegroups.com>
      Reported-by: default avatarMaor Gottlieb <maorg@mellanox.com>
      Signed-off-by: default avatarLeon Romanovsky <leonro@mellanox.com>
      Signed-off-by: default avatarDoug Ledford <dledford@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      9ffa6fb2
  6. 24 Mar, 2018 1 commit
    • Boris Pismenny's avatar
      IB/mlx5: Fix out-of-bounds read in create_raw_packet_qp_rq · 971e09c7
      Boris Pismenny authored
      commit 2c292dbb398ee46fc1343daf6c3cf9715a75688e upstream.
      
      Add a check for the length of the qpin structure to prevent out-of-bounds reads
      
      BUG: KASAN: slab-out-of-bounds in create_raw_packet_qp+0x114c/0x15e2
      Read of size 8192 at addr ffff880066b99290 by task syz-executor3/549
      
      CPU: 3 PID: 549 Comm: syz-executor3 Not tainted 4.15.0-rc2+ #27 Hardware
      name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.7.5-0-ge51488c-20140602_164612-nilsson.home.kraxel.org 04/01/2014
      Call Trace:
       dump_stack+0x8d/0xd4
       print_address_description+0x73/0x290
       kasan_report+0x25c/0x370
       ? create_raw_packet_qp+0x114c/0x15e2
       memcpy+0x1f/0x50
       create_raw_packet_qp+0x114c/0x15e2
       ? create_raw_packet_qp_tis.isra.28+0x13d/0x13d
       ? lock_acquire+0x370/0x370
       create_qp_common+0x2245/0x3b50
       ? destroy_qp_user.isra.47+0x100/0x100
       ? kasan_kmalloc+0x13d/0x170
       ? sched_clock_cpu+0x18/0x180
       ? fs_reclaim_acquire.part.15+0x5/0x30
       ? __lock_acquire+0xa11/0x1da0
       ? sched_clock_cpu+0x18/0x180
       ? kmem_cache_alloc_trace+0x17e/0x310
       ? mlx5_ib_create_qp+0x30e/0x17b0
       mlx5_ib_create_qp+0x33d/0x17b0
       ? sched_clock_cpu+0x18/0x180
       ? create_qp_common+0x3b50/0x3b50
       ? lock_acquire+0x370/0x370
       ? __radix_tree_lookup+0x180/0x220
       ? uverbs_try_lock_object+0x68/0xc0
       ? rdma_lookup_get_uobject+0x114/0x240
       create_qp.isra.5+0xce4/0x1e20
       ? ib_uverbs_ex_create_cq_cb+0xa0/0xa0
       ? copy_ah_attr_from_uverbs.isra.2+0xa00/0xa00
       ? ib_uverbs_cq_event_handler+0x160/0x160
       ? __might_fault+0x17c/0x1c0
       ib_uverbs_create_qp+0x21b/0x2a0
       ? ib_uverbs_destroy_cq+0x2e0/0x2e0
       ib_uverbs_write+0x55a/0xad0
       ? ib_uverbs_destroy_cq+0x2e0/0x2e0
       ? ib_uverbs_destroy_cq+0x2e0/0x2e0
       ? ib_uverbs_open+0x760/0x760
       ? futex_wake+0x147/0x410
       ? check_prev_add+0x1680/0x1680
       ? do_futex+0x3d3/0xa60
       ? sched_clock_cpu+0x18/0x180
       __vfs_write+0xf7/0x5c0
       ? ib_uverbs_open+0x760/0x760
       ? kernel_read+0x110/0x110
       ? lock_acquire+0x370/0x370
       ? __fget+0x264/0x3b0
       vfs_write+0x18a/0x460
       SyS_write+0xc7/0x1a0
       ? SyS_read+0x1a0/0x1a0
       ? trace_hardirqs_on_thunk+0x1a/0x1c
       entry_SYSCALL_64_fastpath+0x18/0x85
      RIP: 0033:0x4477b9
      RSP: 002b:00007f1822cadc18 EFLAGS: 00000292 ORIG_RAX: 0000000000000001
      RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 00000000004477b9
      RDX: 0000000000000070 RSI: 000000002000a000 RDI: 0000000000000005
      RBP: 0000000000708000 R08: 0000000000000000 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000292 R12: 00000000ffffffff
      R13: 0000000000005d70 R14: 00000000006e6e30 R15: 0000000020010ff0
      
      Allocated by task 549:
       __kmalloc+0x15e/0x340
       kvmalloc_node+0xa1/0xd0
       create_user_qp.isra.46+0xd42/0x1610
       create_qp_common+0x2e63/0x3b50
       mlx5_ib_create_qp+0x33d/0x17b0
       create_qp.isra.5+0xce4/0x1e20
       ib_uverbs_create_qp+0x21b/0x2a0
       ib_uverbs_write+0x55a/0xad0
       __vfs_write+0xf7/0x5c0
       vfs_write+0x18a/0x460
       SyS_write+0xc7/0x1a0
       entry_SYSCALL_64_fastpath+0x18/0x85
      
      Freed by task 368:
       kfree+0xeb/0x2f0
       kernfs_fop_release+0x140/0x180
       __fput+0x266/0x700
       task_work_run+0x104/0x180
       exit_to_usermode_loop+0xf7/0x110
       syscall_return_slowpath+0x298/0x370
       entry_SYSCALL_64_fastpath+0x83/0x85
      
      The buggy address belongs to the object at ffff880066b99180  which
      belongs to the cache kmalloc-512 of size 512 The buggy address is
      located 272 bytes inside of  512-byte region [ffff880066b99180,
      ffff880066b99380) The buggy address belongs to the page:
      page:000000006040eedd count:1 mapcount:0 mapping:          (null)
      index:0x0 compound_mapcount: 0
      flags: 0x4000000000008100(slab|head)
      raw: 4000000000008100 0000000000000000 0000000000000000 0000000180190019
      raw: ffffea00019a7500 0000000b0000000b ffff88006c403080 0000000000000000
      page dumped because: kasan: bad access detected
      
      Memory state around the buggy address:
       ffff880066b99180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
       ffff880066b99200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      >ffff880066b99280: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                               ^
       ffff880066b99300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
       ffff880066b99380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
      
      Cc: syzkaller <syzkaller@googlegroups.com>
      Fixes: 0fb2ed66 ("IB/mlx5: Add create and destroy functionality for Raw Packet QP")
      Signed-off-by: default avatarBoris Pismenny <borisp@mellanox.com>
      Signed-off-by: default avatarLeon Romanovsky <leon@kernel.org>
      Signed-off-by: default avatarDoug Ledford <dledford@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      971e09c7
  7. 03 Feb, 2018 1 commit
  8. 08 Nov, 2017 1 commit
  9. 26 Jan, 2017 1 commit
  10. 17 Nov, 2016 2 commits
  11. 29 Oct, 2016 1 commit
  12. 07 Oct, 2016 5 commits
  13. 02 Sep, 2016 3 commits
  14. 17 Aug, 2016 3 commits
    • Saeed Mahameed's avatar
      net/mlx5: Unify and improve command interface · c4f287c4
      Saeed Mahameed authored
      Now as all commands use mlx5 ifc interface, instead of doing two calls
      for executing a command we embed command status checking into
      mlx5_cmd_exec to simplify the interface.
      
      Also we do here some cleanup for redundant software structures
      (inbox/outbox) and functions and improved command failure output.
      Signed-off-by: default avatarSaeed Mahameed <saeedm@mellanox.com>
      Signed-off-by: default avatarLeon Romanovsky <leon@kernel.org>
      c4f287c4
    • Saeed Mahameed's avatar
      {net,IB}/mlx5: Modify QP commands via mlx5 ifc · 1a412fb1
      Saeed Mahameed authored
      Prior to this patch we assumed that modify QP commands have the
      same layout.
      
      In ConnectX-4 for each QP transition there is a specific command
      and their layout can vary.
      
      e.g: 2err/2rst commands don't have QP context in their layout and before
      this patch we posted the QP context in those commands.
      
      Fortunately the FW only checks the suffix of the commands and executes
      them, while ignoring all invalid data sent after the valid command
      layout.
      
      This patch removes mlx5_modify_qp_mbox_in and changes
      mlx5_core_qp_modify to receive the required transition and QP context
      with opt_param_mask if needed.  This way the caller is not required to
      provide the command inbox layout and it will be generated automatically.
      
      mlx5_core_qp_modify will generate the command inbox/outbox layouts
      according to the requested transition and will fill the requested
      parameters.
      Signed-off-by: default avatarSaeed Mahameed <saeedm@mellanox.com>
      Signed-off-by: default avatarLeon Romanovsky <leon@kernel.org>
      1a412fb1
    • Saeed Mahameed's avatar
      {net,IB}/mlx5: QP/XRCD commands via mlx5 ifc · 09a7d9ec
      Saeed Mahameed authored
      Remove old representation of manually created QP/XRCD commands layout
      amd use mlx5_ifc canonical structures and defines.
      Signed-off-by: default avatarSaeed Mahameed <saeedm@mellanox.com>
      Signed-off-by: default avatarLeon Romanovsky <leon@kernel.org>
      09a7d9ec
  15. 14 Aug, 2016 1 commit
  16. 02 Aug, 2016 1 commit
  17. 23 Jun, 2016 6 commits
  18. 07 Jun, 2016 3 commits
  19. 13 May, 2016 1 commit
  20. 04 Mar, 2016 1 commit
    • Sagi Grimberg's avatar
      mlx5: Add arbitrary sg list support · b005d316
      Sagi Grimberg authored
      Allocate proper context for arbitrary scatterlist registration
      If ib_alloc_mr is called with IB_MR_MAP_ARB_SG, the driver
      allocate a private klm list instead of a private page list.
      Set the UMR wqe correctly when posting the fast registration.
      
      Also, expose device cap IB_DEVICE_MAP_ARB_SG according to the
      device id (until we have a FW bit that correctly exposes it).
      Signed-off-by: default avatarSagi Grimberg <sagig@mellanox.com>
      Signed-off-by: default avatarDoug Ledford <dledford@redhat.com>
      b005d316
  21. 01 Mar, 2016 2 commits