mirror of
https://github.com/FEX-Emu/linux.git
synced 2025-01-25 12:05:31 +00:00
c2349758ac
Binding might result in a NULL device, which is dereferenced causing this BUG: [ 1317.260548] BUG: unable to handle kernel NULL pointer dereference at 000000000000097 4 [ 1317.261847] IP: [<ffffffff84225f52>] rds_ib_laddr_check+0x82/0x110 [ 1317.263315] PGD 418bcb067 PUD 3ceb21067 PMD 0 [ 1317.263502] Oops: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC [ 1317.264179] Dumping ftrace buffer: [ 1317.264774] (ftrace buffer empty) [ 1317.265220] Modules linked in: [ 1317.265824] CPU: 4 PID: 836 Comm: trinity-child46 Tainted: G W 3.13.0-rc4- next-20131218-sasha-00013-g2cebb9b-dirty #4159 [ 1317.267415] task: ffff8803ddf33000 ti: ffff8803cd31a000 task.ti: ffff8803cd31a000 [ 1317.268399] RIP: 0010:[<ffffffff84225f52>] [<ffffffff84225f52>] rds_ib_laddr_check+ 0x82/0x110 [ 1317.269670] RSP: 0000:ffff8803cd31bdf8 EFLAGS: 00010246 [ 1317.270230] RAX: 0000000000000000 RBX: ffff88020b0dd388 RCX: 0000000000000000 [ 1317.270230] RDX: ffffffff8439822e RSI: 00000000000c000a RDI: 0000000000000286 [ 1317.270230] RBP: ffff8803cd31be38 R08: 0000000000000000 R09: 0000000000000000 [ 1317.270230] R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000000 [ 1317.270230] R13: 0000000054086700 R14: 0000000000a25de0 R15: 0000000000000031 [ 1317.270230] FS: 00007ff40251d700(0000) GS:ffff88022e200000(0000) knlGS:000000000000 0000 [ 1317.270230] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b [ 1317.270230] CR2: 0000000000000974 CR3: 00000003cd478000 CR4: 00000000000006e0 [ 1317.270230] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 1317.270230] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000090602 [ 1317.270230] Stack: [ 1317.270230] 0000000054086700 5408670000a25de0 5408670000000002 0000000000000000 [ 1317.270230] ffffffff84223542 00000000ea54c767 0000000000000000 ffffffff86d26160 [ 1317.270230] ffff8803cd31be68 ffffffff84223556 ffff8803cd31beb8 ffff8800c6765280 [ 1317.270230] Call Trace: [ 1317.270230] [<ffffffff84223542>] ? rds_trans_get_preferred+0x42/0xa0 [ 1317.270230] [<ffffffff84223556>] rds_trans_get_preferred+0x56/0xa0 [ 1317.270230] [<ffffffff8421c9c3>] rds_bind+0x73/0xf0 [ 1317.270230] [<ffffffff83e4ce62>] SYSC_bind+0x92/0xf0 [ 1317.270230] [<ffffffff812493f8>] ? context_tracking_user_exit+0xb8/0x1d0 [ 1317.270230] [<ffffffff8119313d>] ? trace_hardirqs_on+0xd/0x10 [ 1317.270230] [<ffffffff8107a852>] ? syscall_trace_enter+0x32/0x290 [ 1317.270230] [<ffffffff83e4cece>] SyS_bind+0xe/0x10 [ 1317.270230] [<ffffffff843a6ad0>] tracesys+0xdd/0xe2 [ 1317.270230] Code: 00 8b 45 cc 48 8d 75 d0 48 c7 45 d8 00 00 00 00 66 c7 45 d0 02 00 89 45 d4 48 89 df e8 78 49 76 ff 41 89 c4 85 c0 75 0c 48 8b 03 <80> b8 74 09 00 00 01 7 4 06 41 bc 9d ff ff ff f6 05 2a b6 c2 02 [ 1317.270230] RIP [<ffffffff84225f52>] rds_ib_laddr_check+0x82/0x110 [ 1317.270230] RSP <ffff8803cd31bdf8> [ 1317.270230] CR2: 0000000000000974 Signed-off-by: Sasha Levin <sasha.levin@oracle.com> Signed-off-by: David S. Miller <davem@davemloft.net>
436 lines
12 KiB
C
436 lines
12 KiB
C
/*
|
|
* Copyright (c) 2006 Oracle. All rights reserved.
|
|
*
|
|
* This software is available to you under a choice of one of two
|
|
* licenses. You may choose to be licensed under the terms of the GNU
|
|
* General Public License (GPL) Version 2, available from the file
|
|
* COPYING in the main directory of this source tree, or the
|
|
* OpenIB.org BSD license below:
|
|
*
|
|
* Redistribution and use in source and binary forms, with or
|
|
* without modification, are permitted provided that the following
|
|
* conditions are met:
|
|
*
|
|
* - Redistributions of source code must retain the above
|
|
* copyright notice, this list of conditions and the following
|
|
* disclaimer.
|
|
*
|
|
* - Redistributions in binary form must reproduce the above
|
|
* copyright notice, this list of conditions and the following
|
|
* disclaimer in the documentation and/or other materials
|
|
* provided with the distribution.
|
|
*
|
|
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
|
|
* EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
|
|
* MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
|
|
* NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
|
|
* BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
|
|
* ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
|
|
* CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
|
|
* SOFTWARE.
|
|
*
|
|
*/
|
|
#include <linux/kernel.h>
|
|
#include <linux/in.h>
|
|
#include <linux/if.h>
|
|
#include <linux/netdevice.h>
|
|
#include <linux/inetdevice.h>
|
|
#include <linux/if_arp.h>
|
|
#include <linux/delay.h>
|
|
#include <linux/slab.h>
|
|
#include <linux/module.h>
|
|
|
|
#include "rds.h"
|
|
#include "ib.h"
|
|
|
|
static unsigned int fmr_pool_size = RDS_FMR_POOL_SIZE;
|
|
unsigned int fmr_message_size = RDS_FMR_SIZE + 1; /* +1 allows for unaligned MRs */
|
|
unsigned int rds_ib_retry_count = RDS_IB_DEFAULT_RETRY_COUNT;
|
|
|
|
module_param(fmr_pool_size, int, 0444);
|
|
MODULE_PARM_DESC(fmr_pool_size, " Max number of fmr per HCA");
|
|
module_param(fmr_message_size, int, 0444);
|
|
MODULE_PARM_DESC(fmr_message_size, " Max size of a RDMA transfer");
|
|
module_param(rds_ib_retry_count, int, 0444);
|
|
MODULE_PARM_DESC(rds_ib_retry_count, " Number of hw retries before reporting an error");
|
|
|
|
/*
|
|
* we have a clumsy combination of RCU and a rwsem protecting this list
|
|
* because it is used both in the get_mr fast path and while blocking in
|
|
* the FMR flushing path.
|
|
*/
|
|
DECLARE_RWSEM(rds_ib_devices_lock);
|
|
struct list_head rds_ib_devices;
|
|
|
|
/* NOTE: if also grabbing ibdev lock, grab this first */
|
|
DEFINE_SPINLOCK(ib_nodev_conns_lock);
|
|
LIST_HEAD(ib_nodev_conns);
|
|
|
|
static void rds_ib_nodev_connect(void)
|
|
{
|
|
struct rds_ib_connection *ic;
|
|
|
|
spin_lock(&ib_nodev_conns_lock);
|
|
list_for_each_entry(ic, &ib_nodev_conns, ib_node)
|
|
rds_conn_connect_if_down(ic->conn);
|
|
spin_unlock(&ib_nodev_conns_lock);
|
|
}
|
|
|
|
static void rds_ib_dev_shutdown(struct rds_ib_device *rds_ibdev)
|
|
{
|
|
struct rds_ib_connection *ic;
|
|
unsigned long flags;
|
|
|
|
spin_lock_irqsave(&rds_ibdev->spinlock, flags);
|
|
list_for_each_entry(ic, &rds_ibdev->conn_list, ib_node)
|
|
rds_conn_drop(ic->conn);
|
|
spin_unlock_irqrestore(&rds_ibdev->spinlock, flags);
|
|
}
|
|
|
|
/*
|
|
* rds_ib_destroy_mr_pool() blocks on a few things and mrs drop references
|
|
* from interrupt context so we push freing off into a work struct in krdsd.
|
|
*/
|
|
static void rds_ib_dev_free(struct work_struct *work)
|
|
{
|
|
struct rds_ib_ipaddr *i_ipaddr, *i_next;
|
|
struct rds_ib_device *rds_ibdev = container_of(work,
|
|
struct rds_ib_device, free_work);
|
|
|
|
if (rds_ibdev->mr_pool)
|
|
rds_ib_destroy_mr_pool(rds_ibdev->mr_pool);
|
|
if (rds_ibdev->mr)
|
|
ib_dereg_mr(rds_ibdev->mr);
|
|
if (rds_ibdev->pd)
|
|
ib_dealloc_pd(rds_ibdev->pd);
|
|
|
|
list_for_each_entry_safe(i_ipaddr, i_next, &rds_ibdev->ipaddr_list, list) {
|
|
list_del(&i_ipaddr->list);
|
|
kfree(i_ipaddr);
|
|
}
|
|
|
|
kfree(rds_ibdev);
|
|
}
|
|
|
|
void rds_ib_dev_put(struct rds_ib_device *rds_ibdev)
|
|
{
|
|
BUG_ON(atomic_read(&rds_ibdev->refcount) <= 0);
|
|
if (atomic_dec_and_test(&rds_ibdev->refcount))
|
|
queue_work(rds_wq, &rds_ibdev->free_work);
|
|
}
|
|
|
|
static void rds_ib_add_one(struct ib_device *device)
|
|
{
|
|
struct rds_ib_device *rds_ibdev;
|
|
struct ib_device_attr *dev_attr;
|
|
|
|
/* Only handle IB (no iWARP) devices */
|
|
if (device->node_type != RDMA_NODE_IB_CA)
|
|
return;
|
|
|
|
dev_attr = kmalloc(sizeof *dev_attr, GFP_KERNEL);
|
|
if (!dev_attr)
|
|
return;
|
|
|
|
if (ib_query_device(device, dev_attr)) {
|
|
rdsdebug("Query device failed for %s\n", device->name);
|
|
goto free_attr;
|
|
}
|
|
|
|
rds_ibdev = kzalloc_node(sizeof(struct rds_ib_device), GFP_KERNEL,
|
|
ibdev_to_node(device));
|
|
if (!rds_ibdev)
|
|
goto free_attr;
|
|
|
|
spin_lock_init(&rds_ibdev->spinlock);
|
|
atomic_set(&rds_ibdev->refcount, 1);
|
|
INIT_WORK(&rds_ibdev->free_work, rds_ib_dev_free);
|
|
|
|
rds_ibdev->max_wrs = dev_attr->max_qp_wr;
|
|
rds_ibdev->max_sge = min(dev_attr->max_sge, RDS_IB_MAX_SGE);
|
|
|
|
rds_ibdev->fmr_max_remaps = dev_attr->max_map_per_fmr?: 32;
|
|
rds_ibdev->max_fmrs = dev_attr->max_fmr ?
|
|
min_t(unsigned int, dev_attr->max_fmr, fmr_pool_size) :
|
|
fmr_pool_size;
|
|
|
|
rds_ibdev->max_initiator_depth = dev_attr->max_qp_init_rd_atom;
|
|
rds_ibdev->max_responder_resources = dev_attr->max_qp_rd_atom;
|
|
|
|
rds_ibdev->dev = device;
|
|
rds_ibdev->pd = ib_alloc_pd(device);
|
|
if (IS_ERR(rds_ibdev->pd)) {
|
|
rds_ibdev->pd = NULL;
|
|
goto put_dev;
|
|
}
|
|
|
|
rds_ibdev->mr = ib_get_dma_mr(rds_ibdev->pd, IB_ACCESS_LOCAL_WRITE);
|
|
if (IS_ERR(rds_ibdev->mr)) {
|
|
rds_ibdev->mr = NULL;
|
|
goto put_dev;
|
|
}
|
|
|
|
rds_ibdev->mr_pool = rds_ib_create_mr_pool(rds_ibdev);
|
|
if (IS_ERR(rds_ibdev->mr_pool)) {
|
|
rds_ibdev->mr_pool = NULL;
|
|
goto put_dev;
|
|
}
|
|
|
|
INIT_LIST_HEAD(&rds_ibdev->ipaddr_list);
|
|
INIT_LIST_HEAD(&rds_ibdev->conn_list);
|
|
|
|
down_write(&rds_ib_devices_lock);
|
|
list_add_tail_rcu(&rds_ibdev->list, &rds_ib_devices);
|
|
up_write(&rds_ib_devices_lock);
|
|
atomic_inc(&rds_ibdev->refcount);
|
|
|
|
ib_set_client_data(device, &rds_ib_client, rds_ibdev);
|
|
atomic_inc(&rds_ibdev->refcount);
|
|
|
|
rds_ib_nodev_connect();
|
|
|
|
put_dev:
|
|
rds_ib_dev_put(rds_ibdev);
|
|
free_attr:
|
|
kfree(dev_attr);
|
|
}
|
|
|
|
/*
|
|
* New connections use this to find the device to associate with the
|
|
* connection. It's not in the fast path so we're not concerned about the
|
|
* performance of the IB call. (As of this writing, it uses an interrupt
|
|
* blocking spinlock to serialize walking a per-device list of all registered
|
|
* clients.)
|
|
*
|
|
* RCU is used to handle incoming connections racing with device teardown.
|
|
* Rather than use a lock to serialize removal from the client_data and
|
|
* getting a new reference, we use an RCU grace period. The destruction
|
|
* path removes the device from client_data and then waits for all RCU
|
|
* readers to finish.
|
|
*
|
|
* A new connection can get NULL from this if its arriving on a
|
|
* device that is in the process of being removed.
|
|
*/
|
|
struct rds_ib_device *rds_ib_get_client_data(struct ib_device *device)
|
|
{
|
|
struct rds_ib_device *rds_ibdev;
|
|
|
|
rcu_read_lock();
|
|
rds_ibdev = ib_get_client_data(device, &rds_ib_client);
|
|
if (rds_ibdev)
|
|
atomic_inc(&rds_ibdev->refcount);
|
|
rcu_read_unlock();
|
|
return rds_ibdev;
|
|
}
|
|
|
|
/*
|
|
* The IB stack is letting us know that a device is going away. This can
|
|
* happen if the underlying HCA driver is removed or if PCI hotplug is removing
|
|
* the pci function, for example.
|
|
*
|
|
* This can be called at any time and can be racing with any other RDS path.
|
|
*/
|
|
static void rds_ib_remove_one(struct ib_device *device)
|
|
{
|
|
struct rds_ib_device *rds_ibdev;
|
|
|
|
rds_ibdev = ib_get_client_data(device, &rds_ib_client);
|
|
if (!rds_ibdev)
|
|
return;
|
|
|
|
rds_ib_dev_shutdown(rds_ibdev);
|
|
|
|
/* stop connection attempts from getting a reference to this device. */
|
|
ib_set_client_data(device, &rds_ib_client, NULL);
|
|
|
|
down_write(&rds_ib_devices_lock);
|
|
list_del_rcu(&rds_ibdev->list);
|
|
up_write(&rds_ib_devices_lock);
|
|
|
|
/*
|
|
* This synchronize rcu is waiting for readers of both the ib
|
|
* client data and the devices list to finish before we drop
|
|
* both of those references.
|
|
*/
|
|
synchronize_rcu();
|
|
rds_ib_dev_put(rds_ibdev);
|
|
rds_ib_dev_put(rds_ibdev);
|
|
}
|
|
|
|
struct ib_client rds_ib_client = {
|
|
.name = "rds_ib",
|
|
.add = rds_ib_add_one,
|
|
.remove = rds_ib_remove_one
|
|
};
|
|
|
|
static int rds_ib_conn_info_visitor(struct rds_connection *conn,
|
|
void *buffer)
|
|
{
|
|
struct rds_info_rdma_connection *iinfo = buffer;
|
|
struct rds_ib_connection *ic;
|
|
|
|
/* We will only ever look at IB transports */
|
|
if (conn->c_trans != &rds_ib_transport)
|
|
return 0;
|
|
|
|
iinfo->src_addr = conn->c_laddr;
|
|
iinfo->dst_addr = conn->c_faddr;
|
|
|
|
memset(&iinfo->src_gid, 0, sizeof(iinfo->src_gid));
|
|
memset(&iinfo->dst_gid, 0, sizeof(iinfo->dst_gid));
|
|
if (rds_conn_state(conn) == RDS_CONN_UP) {
|
|
struct rds_ib_device *rds_ibdev;
|
|
struct rdma_dev_addr *dev_addr;
|
|
|
|
ic = conn->c_transport_data;
|
|
dev_addr = &ic->i_cm_id->route.addr.dev_addr;
|
|
|
|
rdma_addr_get_sgid(dev_addr, (union ib_gid *) &iinfo->src_gid);
|
|
rdma_addr_get_dgid(dev_addr, (union ib_gid *) &iinfo->dst_gid);
|
|
|
|
rds_ibdev = ic->rds_ibdev;
|
|
iinfo->max_send_wr = ic->i_send_ring.w_nr;
|
|
iinfo->max_recv_wr = ic->i_recv_ring.w_nr;
|
|
iinfo->max_send_sge = rds_ibdev->max_sge;
|
|
rds_ib_get_mr_info(rds_ibdev, iinfo);
|
|
}
|
|
return 1;
|
|
}
|
|
|
|
static void rds_ib_ic_info(struct socket *sock, unsigned int len,
|
|
struct rds_info_iterator *iter,
|
|
struct rds_info_lengths *lens)
|
|
{
|
|
rds_for_each_conn_info(sock, len, iter, lens,
|
|
rds_ib_conn_info_visitor,
|
|
sizeof(struct rds_info_rdma_connection));
|
|
}
|
|
|
|
|
|
/*
|
|
* Early RDS/IB was built to only bind to an address if there is an IPoIB
|
|
* device with that address set.
|
|
*
|
|
* If it were me, I'd advocate for something more flexible. Sending and
|
|
* receiving should be device-agnostic. Transports would try and maintain
|
|
* connections between peers who have messages queued. Userspace would be
|
|
* allowed to influence which paths have priority. We could call userspace
|
|
* asserting this policy "routing".
|
|
*/
|
|
static int rds_ib_laddr_check(__be32 addr)
|
|
{
|
|
int ret;
|
|
struct rdma_cm_id *cm_id;
|
|
struct sockaddr_in sin;
|
|
|
|
/* Create a CMA ID and try to bind it. This catches both
|
|
* IB and iWARP capable NICs.
|
|
*/
|
|
cm_id = rdma_create_id(NULL, NULL, RDMA_PS_TCP, IB_QPT_RC);
|
|
if (IS_ERR(cm_id))
|
|
return PTR_ERR(cm_id);
|
|
|
|
memset(&sin, 0, sizeof(sin));
|
|
sin.sin_family = AF_INET;
|
|
sin.sin_addr.s_addr = addr;
|
|
|
|
/* rdma_bind_addr will only succeed for IB & iWARP devices */
|
|
ret = rdma_bind_addr(cm_id, (struct sockaddr *)&sin);
|
|
/* due to this, we will claim to support iWARP devices unless we
|
|
check node_type. */
|
|
if (ret || !cm_id->device ||
|
|
cm_id->device->node_type != RDMA_NODE_IB_CA)
|
|
ret = -EADDRNOTAVAIL;
|
|
|
|
rdsdebug("addr %pI4 ret %d node type %d\n",
|
|
&addr, ret,
|
|
cm_id->device ? cm_id->device->node_type : -1);
|
|
|
|
rdma_destroy_id(cm_id);
|
|
|
|
return ret;
|
|
}
|
|
|
|
static void rds_ib_unregister_client(void)
|
|
{
|
|
ib_unregister_client(&rds_ib_client);
|
|
/* wait for rds_ib_dev_free() to complete */
|
|
flush_workqueue(rds_wq);
|
|
}
|
|
|
|
void rds_ib_exit(void)
|
|
{
|
|
rds_info_deregister_func(RDS_INFO_IB_CONNECTIONS, rds_ib_ic_info);
|
|
rds_ib_unregister_client();
|
|
rds_ib_destroy_nodev_conns();
|
|
rds_ib_sysctl_exit();
|
|
rds_ib_recv_exit();
|
|
rds_trans_unregister(&rds_ib_transport);
|
|
}
|
|
|
|
struct rds_transport rds_ib_transport = {
|
|
.laddr_check = rds_ib_laddr_check,
|
|
.xmit_complete = rds_ib_xmit_complete,
|
|
.xmit = rds_ib_xmit,
|
|
.xmit_rdma = rds_ib_xmit_rdma,
|
|
.xmit_atomic = rds_ib_xmit_atomic,
|
|
.recv = rds_ib_recv,
|
|
.conn_alloc = rds_ib_conn_alloc,
|
|
.conn_free = rds_ib_conn_free,
|
|
.conn_connect = rds_ib_conn_connect,
|
|
.conn_shutdown = rds_ib_conn_shutdown,
|
|
.inc_copy_to_user = rds_ib_inc_copy_to_user,
|
|
.inc_free = rds_ib_inc_free,
|
|
.cm_initiate_connect = rds_ib_cm_initiate_connect,
|
|
.cm_handle_connect = rds_ib_cm_handle_connect,
|
|
.cm_connect_complete = rds_ib_cm_connect_complete,
|
|
.stats_info_copy = rds_ib_stats_info_copy,
|
|
.exit = rds_ib_exit,
|
|
.get_mr = rds_ib_get_mr,
|
|
.sync_mr = rds_ib_sync_mr,
|
|
.free_mr = rds_ib_free_mr,
|
|
.flush_mrs = rds_ib_flush_mrs,
|
|
.t_owner = THIS_MODULE,
|
|
.t_name = "infiniband",
|
|
.t_type = RDS_TRANS_IB
|
|
};
|
|
|
|
int rds_ib_init(void)
|
|
{
|
|
int ret;
|
|
|
|
INIT_LIST_HEAD(&rds_ib_devices);
|
|
|
|
ret = ib_register_client(&rds_ib_client);
|
|
if (ret)
|
|
goto out;
|
|
|
|
ret = rds_ib_sysctl_init();
|
|
if (ret)
|
|
goto out_ibreg;
|
|
|
|
ret = rds_ib_recv_init();
|
|
if (ret)
|
|
goto out_sysctl;
|
|
|
|
ret = rds_trans_register(&rds_ib_transport);
|
|
if (ret)
|
|
goto out_recv;
|
|
|
|
rds_info_register_func(RDS_INFO_IB_CONNECTIONS, rds_ib_ic_info);
|
|
|
|
goto out;
|
|
|
|
out_recv:
|
|
rds_ib_recv_exit();
|
|
out_sysctl:
|
|
rds_ib_sysctl_exit();
|
|
out_ibreg:
|
|
rds_ib_unregister_client();
|
|
out:
|
|
return ret;
|
|
}
|
|
|
|
MODULE_LICENSE("GPL");
|
|
|