linux/drivers/infiniband/hw
Steve Wise 2015f26cfa iw_cxgb4: add referencing to wait objects
For messages sent from the host to fw that solicit a reply from fw,
the c4iw_wr_wait struct pointer is passed in the host->fw message, and
included in the fw->host fw6_msg reply.  This allows the sender to wait
until the reply is received, and the code processing the ingress reply
to wake up the sender.

If c4iw_wait_for_reply() times out, however, we need to keep the
c4iw_wr_wait object around in case the reply eventually does arrive.
Otherwise we have touch-after-free bugs in the wake_up paths.

This was hit due to a bad kernel driver that blocked ingress processing
of cxgb4 for a long time, causing iw_cxgb4 timeouts, but eventually
resuming ingress processing and thus hitting the touch-after-free bug.

So I want to fix iw_cxgb4 such that we'll at least keep the wait object
around until the reply comes.  If it never comes we leak a small amount of
memory, but if it does come late, we won't potentially crash the system.

So add a kref struct in the c4iw_wr_wait struct, and take a reference
before sending a message to FW that will generate a FW6 reply.  And remove
the reference (and potentially free the wait object) when the reply
is processed.

The ep code also uses the wr_wait for non FW6 CPL messages and doesn't
embed the c4iw_wr_wait object in the message sent to firmware.  So for
those cases we add c4iw_wake_up_noref().

The mr/mw, cq, and qp object create/destroy paths do need this reference
logic.  For these paths, c4iw_ref_send_wait() is introduced to take the
wr_wait reference, send the msg to fw, and then wait for the reply.

So going forward, iw_cxgb4 either uses c4iw_ofld_send(),
c4iw_wait_for_reply() and c4iw_wake_up_noref() like is done in some
of the endpoint logic, or c4iw_ref_send_wait() and c4iw_wake_up_deref()
(formerly c4iw_wake_up()) when sending messages with the c4iw_wr_wait
object pointer embedded in the message and resulting FW6 reply.

Signed-off-by: Steve Wise <swise@opengridcomputing.com>
Signed-off-by: Doug Ledford <dledford@redhat.com>
2017-09-29 11:46:41 -04:00
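
The lifetime rule this commit message describes, as an added example that is not part of the commit or the iw_cxgb4 source: a single-threaded user-space model in which the wait object survives a timed-out wait until the late reply drops the last reference. The names wr_wait, wait_get, wait_put, wake_up_deref and timeout_case are hypothetical, and a plain int stands in for the kernel's struct kref.

```c
#include <stdio.h>
#include <stdlib.h>
/* User-space, single-threaded model; all names here are hypothetical. */
struct wr_wait {
    int refs;   /* stands in for struct kref (atomic in the kernel) */
    int done;   /* stands in for the completion the sender sleeps on */
    int ret;    /* status carried by the reply */
};
static int freed_objects;   /* counts free() calls so lifetime is checkable */

static void wait_get(struct wr_wait *w) { w->refs++; }
static void wait_put(struct wr_wait *w)
{
    if (--w->refs == 0) { free(w); freed_objects++; }
}

/* Reply path: wake the sender, then drop the reference taken at send time. */
static void wake_up_deref(struct wr_wait *w, int ret)
{
    w->ret = ret;
    w->done = 1;
    wait_put(w);
}

/* Sender times out and releases the object; a reply may arrive later.
 * Returns frees seen right after the timeout; *freed_at_end gets the total.
 * With no reply the object is deliberately leaked, as the message accepts. */
static int timeout_case(int reply_arrives, int *freed_at_end)
{
    struct wr_wait *w = calloc(1, sizeof(*w));
    int start = freed_objects, after_timeout;

    if (!w)
        return -1;
    w->refs = 1;                /* owner's reference */
    wait_get(w);                /* reference held for the in-flight message */
    wait_put(w);                /* wait timed out, owner lets go: refs 2 -> 1 */
    after_timeout = freed_objects - start;
    if (reply_arrives)
        wake_up_deref(w, 0);    /* late reply touches live memory, then frees */
    *freed_at_end = freed_objects - start;
    return after_timeout;
}

int main(void)
{
    int end, mid = timeout_case(1, &end);
    printf("late reply: freed after timeout=%d, at end=%d\n", mid, end);
    return 0;
}
```

Without the wait_get() before the send, the owner's put would free the object at the timeout and the late wake_up_deref() would write to freed memory.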
bnxt_re First -rc update for 4.14 kernel 2017-09-23 05:47:04 -10:00
cxgb3 RDMA/cxgb3: remove redundant first assignement of sqp 2017-09-27 08:54:19 -04:00
cxgb4 iw_cxgb4: add referencing to wait objects 2017-09-29 11:46:41 -04:00
hfi1 IB/hfi1: Refactor reset_ctxt() IOCTL 2017-09-29 11:08:06 -04:00
hns RDMA/hns: remove redundant assignment to variable j 2017-09-29 11:18:56 -04:00
i40iw i40iw: delete some stray tabs 2017-09-29 11:18:56 -04:00
mlx4 IB/mlx4: fix sprintf format warning 2017-09-13 18:53:15 -07:00
mlx5 IB/mlx5:: pr_err() and mlx5_ib_dbg() strings should end with newlines 2017-09-27 09:17:52 -04:00
mthca RDMA/mthca: Make explicit conversion to 64bit value 2017-08-24 16:27:10 -04:00
nes RDMA/nes: Remove zeroed parameter from port query callback 2017-08-24 16:44:48 -04:00
ocrdma IB/ocrdma: pr_err() strings should end with newlines 2017-09-27 10:13:14 -04:00
qedr RDMA/qedr: Fix rdma_type initialization 2017-09-29 11:18:56 -04:00
qib IB/qib: Use setup_timer and mod_timer 2017-09-29 11:18:56 -04:00
usnic lib/interval_tree: fast overlap detection 2017-09-08 18:26:49 -07:00
vmw_pvrdma RDMA/vmw_pvrdma: Fix reporting correct opcodes for completion 2017-09-22 13:32:22 -04:00
Makefile RDMA/bnxt_re: Add bnxt_re driver build support 2017-02-14 09:51:28 -05:00