forked from Minki/linux
d37b1e5340
Driver copies FW commands to the HW queue as units of 16 bytes. Some
of the command structures are not exact multiple of 16. So while copying
the data from those structures, the stack out of bounds messages are
reported by KASAN. The following error is reported.
[ 1337.530155] ==================================================================
[ 1337.530277] BUG: KASAN: stack-out-of-bounds in bnxt_qplib_rcfw_send_message+0x40a/0x850 [bnxt_re]
[ 1337.530413] Read of size 16 at addr ffff888725477a48 by task rmmod/2785
[ 1337.530540] CPU: 5 PID: 2785 Comm: rmmod Tainted: G OE 5.2.0-rc6+ #75
[ 1337.530541] Hardware name: Dell Inc. PowerEdge R730/0599V5, BIOS 1.0.4 08/28/2014
[ 1337.530542] Call Trace:
[ 1337.530548] dump_stack+0x5b/0x90
[ 1337.530556] ? bnxt_qplib_rcfw_send_message+0x40a/0x850 [bnxt_re]
[ 1337.530560] print_address_description+0x65/0x22e
[ 1337.530568] ? bnxt_qplib_rcfw_send_message+0x40a/0x850 [bnxt_re]
[ 1337.530575] ? bnxt_qplib_rcfw_send_message+0x40a/0x850 [bnxt_re]
[ 1337.530577] __kasan_report.cold.3+0x37/0x77
[ 1337.530581] ? _raw_write_trylock+0x10/0xe0
[ 1337.530588] ? bnxt_qplib_rcfw_send_message+0x40a/0x850 [bnxt_re]
[ 1337.530590] kasan_report+0xe/0x20
[ 1337.530592] memcpy+0x1f/0x50
[ 1337.530600] bnxt_qplib_rcfw_send_message+0x40a/0x850 [bnxt_re]
[ 1337.530608] ? bnxt_qplib_creq_irq+0xa0/0xa0 [bnxt_re]
[ 1337.530611] ? xas_create+0x3aa/0x5f0
[ 1337.530613] ? xas_start+0x77/0x110
[ 1337.530615] ? xas_clear_mark+0x34/0xd0
[ 1337.530623] bnxt_qplib_free_mrw+0x104/0x1a0 [bnxt_re]
[ 1337.530631] ? bnxt_qplib_destroy_ah+0x110/0x110 [bnxt_re]
[ 1337.530633] ? bit_wait_io_timeout+0xc0/0xc0
[ 1337.530641] bnxt_re_dealloc_mw+0x2c/0x60 [bnxt_re]
[ 1337.530648] bnxt_re_destroy_fence_mr+0x77/0x1d0 [bnxt_re]
[ 1337.530655] bnxt_re_dealloc_pd+0x25/0x60 [bnxt_re]
[ 1337.530677] ib_dealloc_pd_user+0xbe/0xe0 [ib_core]
[ 1337.530683] srpt_remove_one+0x5de/0x690 [ib_srpt]
[ 1337.530689] ? __srpt_close_all_ch+0xc0/0xc0 [ib_srpt]
[ 1337.530692] ? xa_load+0x87/0xe0
...
[ 1337.530840] do_syscall_64+0x6d/0x1f0
[ 1337.530843] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 1337.530845] RIP: 0033:0x7ff5b389035b
[ 1337.530848] Code: 73 01 c3 48 8b 0d 2d 0b 2c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 b0 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d fd 0a 2c 00 f7 d8 64 89 01 48
[ 1337.530849] RSP: 002b:00007fff83425c28 EFLAGS: 00000206 ORIG_RAX: 00000000000000b0
[ 1337.530852] RAX: ffffffffffffffda RBX: 00005596443e6750 RCX: 00007ff5b389035b
[ 1337.530853] RDX: 000000000000000a RSI: 0000000000000800 RDI: 00005596443e67b8
[ 1337.530854] RBP: 0000000000000000 R08: 00007fff83424ba1 R09: 0000000000000000
[ 1337.530856] R10: 00007ff5b3902960 R11: 0000000000000206 R12: 00007fff83425e50
[ 1337.530857] R13: 00007fff8342673c R14: 00005596443e6260 R15: 00005596443e6750
[ 1337.530885] The buggy address belongs to the page:
[ 1337.530962] page:ffffea001c951dc0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0
[ 1337.530964] flags: 0x57ffffc0000000()
[ 1337.530967] raw: 0057ffffc0000000 0000000000000000 ffffffff1c950101 0000000000000000
[ 1337.530970] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
[ 1337.530970] page dumped because: kasan: bad access detected
[ 1337.530996] Memory state around the buggy address:
[ 1337.531072] ffff888725477900: 00 00 00 00 f1 f1 f1 f1 00 00 00 00 00 f2 f2 f2
[ 1337.531180] ffff888725477980: 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00
[ 1337.531288] >ffff888725477a00: 00 f2 f2 f2 f2 f2 f2 00 00 00 f2 00 00 00 00 00
[ 1337.531393] ^
[ 1337.531478] ffff888725477a80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 1337.531585] ffff888725477b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 1337.531691] ==================================================================
Fix this by passing the exact size of each FW command to
bnxt_qplib_rcfw_send_message as req->cmd_size. Before sending
the command to HW, modify the req->cmd_size to number of 16 byte units.
Fixes: 1ac5a40479
("RDMA/bnxt_re: Add bnxt_re RoCE driver")
Signed-off-by: Selvin Xavier <selvin.xavier@broadcom.com>
Link: https://lore.kernel.org/r/1566468170-489-1-git-send-email-selvin.xavier@broadcom.com
Signed-off-by: Doug Ledford <dledford@redhat.com>
300 lines
8.8 KiB
C
300 lines
8.8 KiB
C
/*
|
|
* Broadcom NetXtreme-E RoCE driver.
|
|
*
|
|
* Copyright (c) 2016 - 2017, Broadcom. All rights reserved. The term
|
|
* Broadcom refers to Broadcom Limited and/or its subsidiaries.
|
|
*
|
|
* This software is available to you under a choice of one of two
|
|
* licenses. You may choose to be licensed under the terms of the GNU
|
|
* General Public License (GPL) Version 2, available from the file
|
|
* COPYING in the main directory of this source tree, or the
|
|
* BSD license below:
|
|
*
|
|
* Redistribution and use in source and binary forms, with or without
|
|
* modification, are permitted provided that the following conditions
|
|
* are met:
|
|
*
|
|
* 1. Redistributions of source code must retain the above copyright
|
|
* notice, this list of conditions and the following disclaimer.
|
|
* 2. Redistributions in binary form must reproduce the above copyright
|
|
* notice, this list of conditions and the following disclaimer in
|
|
* the documentation and/or other materials provided with the
|
|
* distribution.
|
|
*
|
|
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS''
|
|
* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
|
|
* THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
|
|
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS
|
|
* BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
|
|
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
|
|
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
|
|
* BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
|
|
* WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
|
|
* OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
|
|
* IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
*
|
|
* Description: RDMA Controller HW interface (header)
|
|
*/
|
|
|
|
#ifndef __BNXT_QPLIB_RCFW_H__
|
|
#define __BNXT_QPLIB_RCFW_H__
|
|
|
|
#define RCFW_CMDQ_TRIG_VAL 1
|
|
#define RCFW_COMM_PCI_BAR_REGION 0
|
|
#define RCFW_COMM_CONS_PCI_BAR_REGION 2
|
|
#define RCFW_COMM_BASE_OFFSET 0x600
|
|
#define RCFW_PF_COMM_PROD_OFFSET 0xc
|
|
#define RCFW_VF_COMM_PROD_OFFSET 0xc
|
|
#define RCFW_COMM_TRIG_OFFSET 0x100
|
|
#define RCFW_COMM_SIZE 0x104
|
|
|
|
#define RCFW_DBR_PCI_BAR_REGION 2
|
|
#define RCFW_DBR_BASE_PAGE_SHIFT 12
|
|
|
|
#define RCFW_CMD_PREP(req, CMD, cmd_flags) \
|
|
do { \
|
|
memset(&(req), 0, sizeof((req))); \
|
|
(req).opcode = CMDQ_BASE_OPCODE_##CMD; \
|
|
(req).cmd_size = sizeof((req)); \
|
|
(req).flags = cpu_to_le16(cmd_flags); \
|
|
} while (0)
|
|
|
|
#define RCFW_CMD_WAIT_TIME_MS 20000 /* 20 Seconds timeout */
|
|
|
|
/* Cmdq contains a fix number of a 16-Byte slots */
|
|
struct bnxt_qplib_cmdqe {
|
|
u8 data[16];
|
|
};
|
|
|
|
/* CMDQ elements */
|
|
#define BNXT_QPLIB_CMDQE_MAX_CNT_256 256
|
|
#define BNXT_QPLIB_CMDQE_MAX_CNT_8192 8192
|
|
#define BNXT_QPLIB_CMDQE_UNITS sizeof(struct bnxt_qplib_cmdqe)
|
|
#define BNXT_QPLIB_CMDQE_BYTES(depth) ((depth) * BNXT_QPLIB_CMDQE_UNITS)
|
|
|
|
static inline u32 bnxt_qplib_cmdqe_npages(u32 depth)
|
|
{
|
|
u32 npages;
|
|
|
|
npages = BNXT_QPLIB_CMDQE_BYTES(depth) / PAGE_SIZE;
|
|
if (BNXT_QPLIB_CMDQE_BYTES(depth) % PAGE_SIZE)
|
|
npages++;
|
|
return npages;
|
|
}
|
|
|
|
static inline u32 bnxt_qplib_cmdqe_page_size(u32 depth)
|
|
{
|
|
return (bnxt_qplib_cmdqe_npages(depth) * PAGE_SIZE);
|
|
}
|
|
|
|
static inline u32 bnxt_qplib_cmdqe_cnt_per_pg(u32 depth)
|
|
{
|
|
return (bnxt_qplib_cmdqe_page_size(depth) /
|
|
BNXT_QPLIB_CMDQE_UNITS);
|
|
}
|
|
|
|
/* Set the cmd_size to a factor of CMDQE unit */
|
|
static inline void bnxt_qplib_set_cmd_slots(struct cmdq_base *req)
|
|
{
|
|
req->cmd_size = (req->cmd_size + BNXT_QPLIB_CMDQE_UNITS - 1) /
|
|
BNXT_QPLIB_CMDQE_UNITS;
|
|
}
|
|
|
|
#define MAX_CMDQ_IDX(depth) ((depth) - 1)
|
|
|
|
static inline u32 bnxt_qplib_max_cmdq_idx_per_pg(u32 depth)
|
|
{
|
|
return (bnxt_qplib_cmdqe_cnt_per_pg(depth) - 1);
|
|
}
|
|
|
|
#define RCFW_MAX_COOKIE_VALUE 0x7FFF
|
|
#define RCFW_CMD_IS_BLOCKING 0x8000
|
|
#define RCFW_BLOCKED_CMD_WAIT_COUNT 0x4E20
|
|
|
|
#define HWRM_VERSION_RCFW_CMDQ_DEPTH_CHECK 0x1000900020011ULL
|
|
|
|
static inline u32 get_cmdq_pg(u32 val, u32 depth)
|
|
{
|
|
return (val & ~(bnxt_qplib_max_cmdq_idx_per_pg(depth))) /
|
|
(bnxt_qplib_cmdqe_cnt_per_pg(depth));
|
|
}
|
|
|
|
static inline u32 get_cmdq_idx(u32 val, u32 depth)
|
|
{
|
|
return val & (bnxt_qplib_max_cmdq_idx_per_pg(depth));
|
|
}
|
|
|
|
/* Crsq buf is 1024-Byte */
|
|
struct bnxt_qplib_crsbe {
|
|
u8 data[1024];
|
|
};
|
|
|
|
/* CREQ */
|
|
/* Allocate 1 per QP for async error notification for now */
|
|
#define BNXT_QPLIB_CREQE_MAX_CNT (64 * 1024)
|
|
#define BNXT_QPLIB_CREQE_UNITS 16 /* 16-Bytes per prod unit */
|
|
#define BNXT_QPLIB_CREQE_CNT_PER_PG (PAGE_SIZE / BNXT_QPLIB_CREQE_UNITS)
|
|
|
|
#define MAX_CREQ_IDX (BNXT_QPLIB_CREQE_MAX_CNT - 1)
|
|
#define MAX_CREQ_IDX_PER_PG (BNXT_QPLIB_CREQE_CNT_PER_PG - 1)
|
|
|
|
static inline u32 get_creq_pg(u32 val)
|
|
{
|
|
return (val & ~MAX_CREQ_IDX_PER_PG) / BNXT_QPLIB_CREQE_CNT_PER_PG;
|
|
}
|
|
|
|
static inline u32 get_creq_idx(u32 val)
|
|
{
|
|
return val & MAX_CREQ_IDX_PER_PG;
|
|
}
|
|
|
|
#define BNXT_QPLIB_CREQE_PER_PG (PAGE_SIZE / sizeof(struct creq_base))
|
|
|
|
#define CREQ_CMP_VALID(hdr, raw_cons, cp_bit) \
|
|
(!!((hdr)->v & CREQ_BASE_V) == \
|
|
!((raw_cons) & (cp_bit)))
|
|
|
|
#define CREQ_DB_KEY_CP (0x2 << CMPL_DOORBELL_KEY_SFT)
|
|
#define CREQ_DB_IDX_VALID CMPL_DOORBELL_IDX_VALID
|
|
#define CREQ_DB_IRQ_DIS CMPL_DOORBELL_MASK
|
|
#define CREQ_DB_CP_FLAGS_REARM (CREQ_DB_KEY_CP | \
|
|
CREQ_DB_IDX_VALID)
|
|
#define CREQ_DB_CP_FLAGS (CREQ_DB_KEY_CP | \
|
|
CREQ_DB_IDX_VALID | \
|
|
CREQ_DB_IRQ_DIS)
|
|
|
|
static inline void bnxt_qplib_ring_creq_db64(void __iomem *db, u32 index,
|
|
u32 xid, bool arm)
|
|
{
|
|
u64 val = 0;
|
|
|
|
val = xid & DBC_DBC_XID_MASK;
|
|
val |= DBC_DBC_PATH_ROCE;
|
|
val |= arm ? DBC_DBC_TYPE_NQ_ARM : DBC_DBC_TYPE_NQ;
|
|
val <<= 32;
|
|
val |= index & DBC_DBC_INDEX_MASK;
|
|
|
|
writeq(val, db);
|
|
}
|
|
|
|
static inline void bnxt_qplib_ring_creq_db_rearm(void __iomem *db, u32 raw_cons,
|
|
u32 max_elements, u32 xid,
|
|
bool gen_p5)
|
|
{
|
|
u32 index = raw_cons & (max_elements - 1);
|
|
|
|
if (gen_p5)
|
|
bnxt_qplib_ring_creq_db64(db, index, xid, true);
|
|
else
|
|
writel(CREQ_DB_CP_FLAGS_REARM | (index & DBC_DBC32_XID_MASK),
|
|
db);
|
|
}
|
|
|
|
static inline void bnxt_qplib_ring_creq_db(void __iomem *db, u32 raw_cons,
|
|
u32 max_elements, u32 xid,
|
|
bool gen_p5)
|
|
{
|
|
u32 index = raw_cons & (max_elements - 1);
|
|
|
|
if (gen_p5)
|
|
bnxt_qplib_ring_creq_db64(db, index, xid, true);
|
|
else
|
|
writel(CREQ_DB_CP_FLAGS | (index & DBC_DBC32_XID_MASK),
|
|
db);
|
|
}
|
|
|
|
#define CREQ_ENTRY_POLL_BUDGET 0x100
|
|
|
|
/* HWQ */
|
|
|
|
struct bnxt_qplib_crsq {
|
|
struct creq_qp_event *resp;
|
|
u32 req_size;
|
|
};
|
|
|
|
struct bnxt_qplib_rcfw_sbuf {
|
|
void *sb;
|
|
dma_addr_t dma_addr;
|
|
u32 size;
|
|
};
|
|
|
|
struct bnxt_qplib_qp_node {
|
|
u32 qp_id; /* QP id */
|
|
void *qp_handle; /* ptr to qplib_qp */
|
|
};
|
|
|
|
#define BNXT_QPLIB_OOS_COUNT_MASK 0xFFFFFFFF
|
|
|
|
/* RCFW Communication Channels */
|
|
struct bnxt_qplib_rcfw {
|
|
struct pci_dev *pdev;
|
|
struct bnxt_qplib_res *res;
|
|
int vector;
|
|
struct tasklet_struct worker;
|
|
bool requested;
|
|
unsigned long *cmdq_bitmap;
|
|
u32 bmap_size;
|
|
unsigned long flags;
|
|
#define FIRMWARE_INITIALIZED_FLAG 0
|
|
#define FIRMWARE_FIRST_FLAG 31
|
|
#define FIRMWARE_TIMED_OUT 3
|
|
wait_queue_head_t waitq;
|
|
int (*aeq_handler)(struct bnxt_qplib_rcfw *,
|
|
void *, void *);
|
|
u32 seq_num;
|
|
|
|
/* Bar region info */
|
|
void __iomem *cmdq_bar_reg_iomem;
|
|
u16 cmdq_bar_reg;
|
|
u16 cmdq_bar_reg_prod_off;
|
|
u16 cmdq_bar_reg_trig_off;
|
|
u16 creq_ring_id;
|
|
u16 creq_bar_reg;
|
|
void __iomem *creq_bar_reg_iomem;
|
|
|
|
/* Cmd-Resp and Async Event notification queue */
|
|
struct bnxt_qplib_hwq creq;
|
|
u64 creq_qp_event_processed;
|
|
u64 creq_func_event_processed;
|
|
|
|
/* Actual Cmd and Resp Queues */
|
|
struct bnxt_qplib_hwq cmdq;
|
|
struct bnxt_qplib_crsq *crsqe_tbl;
|
|
int qp_tbl_size;
|
|
struct bnxt_qplib_qp_node *qp_tbl;
|
|
u64 oos_prev;
|
|
u32 init_oos_stats;
|
|
u32 cmdq_depth;
|
|
};
|
|
|
|
void bnxt_qplib_free_rcfw_channel(struct bnxt_qplib_rcfw *rcfw);
|
|
int bnxt_qplib_alloc_rcfw_channel(struct pci_dev *pdev,
|
|
struct bnxt_qplib_rcfw *rcfw,
|
|
struct bnxt_qplib_ctx *ctx,
|
|
int qp_tbl_sz);
|
|
void bnxt_qplib_rcfw_stop_irq(struct bnxt_qplib_rcfw *rcfw, bool kill);
|
|
void bnxt_qplib_disable_rcfw_channel(struct bnxt_qplib_rcfw *rcfw);
|
|
int bnxt_qplib_rcfw_start_irq(struct bnxt_qplib_rcfw *rcfw, int msix_vector,
|
|
bool need_init);
|
|
int bnxt_qplib_enable_rcfw_channel(struct pci_dev *pdev,
|
|
struct bnxt_qplib_rcfw *rcfw,
|
|
int msix_vector,
|
|
int cp_bar_reg_off, int virt_fn,
|
|
int (*aeq_handler)(struct bnxt_qplib_rcfw *,
|
|
void *aeqe, void *obj));
|
|
|
|
struct bnxt_qplib_rcfw_sbuf *bnxt_qplib_rcfw_alloc_sbuf(
|
|
struct bnxt_qplib_rcfw *rcfw,
|
|
u32 size);
|
|
void bnxt_qplib_rcfw_free_sbuf(struct bnxt_qplib_rcfw *rcfw,
|
|
struct bnxt_qplib_rcfw_sbuf *sbuf);
|
|
int bnxt_qplib_rcfw_send_message(struct bnxt_qplib_rcfw *rcfw,
|
|
struct cmdq_base *req, struct creq_base *resp,
|
|
void *sbuf, u8 is_block);
|
|
|
|
int bnxt_qplib_deinit_rcfw(struct bnxt_qplib_rcfw *rcfw);
|
|
int bnxt_qplib_init_rcfw(struct bnxt_qplib_rcfw *rcfw,
|
|
struct bnxt_qplib_ctx *ctx, int is_virtfn);
|
|
void bnxt_qplib_mark_qp_error(void *qp_handle);
|
|
#endif /* __BNXT_QPLIB_RCFW_H__ */
|