mirror of
https://github.com/FEX-Emu/linux.git
synced 2025-01-07 18:14:04 +00:00
44334bd97e
Another NULL dereference spotted by the Coverity checker (cid #1395): In case we can't alloc the vq_req, we goto bail1, where we call vq_req_free(c2dev, vq_req); which then dereferences vq_req. Signed-off-by: Eric Sesterhenn <snakebyte@gmx.de> Signed-off-by: Andrew Morton <akpm@osdl.org> Acked-by: Tom Tucker <tom@opengridcomputing.com> Signed-off-by: Roland Dreier <rolandd@cisco.com>
452 lines
9.8 KiB
C
452 lines
9.8 KiB
C
/*
|
|
* Copyright (c) 2005 Ammasso, Inc. All rights reserved.
|
|
* Copyright (c) 2005 Open Grid Computing, Inc. All rights reserved.
|
|
*
|
|
* This software is available to you under a choice of one of two
|
|
* licenses. You may choose to be licensed under the terms of the GNU
|
|
* General Public License (GPL) Version 2, available from the file
|
|
* COPYING in the main directory of this source tree, or the
|
|
* OpenIB.org BSD license below:
|
|
*
|
|
* Redistribution and use in source and binary forms, with or
|
|
* without modification, are permitted provided that the following
|
|
* conditions are met:
|
|
*
|
|
* - Redistributions of source code must retain the above
|
|
* copyright notice, this list of conditions and the following
|
|
* disclaimer.
|
|
*
|
|
* - Redistributions in binary form must reproduce the above
|
|
* copyright notice, this list of conditions and the following
|
|
* disclaimer in the documentation and/or other materials
|
|
* provided with the distribution.
|
|
*
|
|
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
|
|
* EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
|
|
* MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
|
|
* NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
|
|
* BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
|
|
* ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
|
|
* CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
|
|
* SOFTWARE.
|
|
*
|
|
*/
|
|
#include "c2.h"
|
|
#include "c2_wr.h"
|
|
#include "c2_vq.h"
|
|
#include <rdma/iw_cm.h>
|
|
|
|
int c2_llp_connect(struct iw_cm_id *cm_id, struct iw_cm_conn_param *iw_param)
|
|
{
|
|
struct c2_dev *c2dev = to_c2dev(cm_id->device);
|
|
struct ib_qp *ibqp;
|
|
struct c2_qp *qp;
|
|
struct c2wr_qp_connect_req *wr; /* variable size needs a malloc. */
|
|
struct c2_vq_req *vq_req;
|
|
int err;
|
|
|
|
ibqp = c2_get_qp(cm_id->device, iw_param->qpn);
|
|
if (!ibqp)
|
|
return -EINVAL;
|
|
qp = to_c2qp(ibqp);
|
|
|
|
/* Associate QP <--> CM_ID */
|
|
cm_id->provider_data = qp;
|
|
cm_id->add_ref(cm_id);
|
|
qp->cm_id = cm_id;
|
|
|
|
/*
|
|
* only support the max private_data length
|
|
*/
|
|
if (iw_param->private_data_len > C2_MAX_PRIVATE_DATA_SIZE) {
|
|
err = -EINVAL;
|
|
goto bail0;
|
|
}
|
|
/*
|
|
* Set the rdma read limits
|
|
*/
|
|
err = c2_qp_set_read_limits(c2dev, qp, iw_param->ord, iw_param->ird);
|
|
if (err)
|
|
goto bail0;
|
|
|
|
/*
|
|
* Create and send a WR_QP_CONNECT...
|
|
*/
|
|
wr = kmalloc(c2dev->req_vq.msg_size, GFP_KERNEL);
|
|
if (!wr) {
|
|
err = -ENOMEM;
|
|
goto bail0;
|
|
}
|
|
|
|
vq_req = vq_req_alloc(c2dev);
|
|
if (!vq_req) {
|
|
err = -ENOMEM;
|
|
goto bail1;
|
|
}
|
|
|
|
c2_wr_set_id(wr, CCWR_QP_CONNECT);
|
|
wr->hdr.context = 0;
|
|
wr->rnic_handle = c2dev->adapter_handle;
|
|
wr->qp_handle = qp->adapter_handle;
|
|
|
|
wr->remote_addr = cm_id->remote_addr.sin_addr.s_addr;
|
|
wr->remote_port = cm_id->remote_addr.sin_port;
|
|
|
|
/*
|
|
* Move any private data from the callers's buf into
|
|
* the WR.
|
|
*/
|
|
if (iw_param->private_data) {
|
|
wr->private_data_length =
|
|
cpu_to_be32(iw_param->private_data_len);
|
|
memcpy(&wr->private_data[0], iw_param->private_data,
|
|
iw_param->private_data_len);
|
|
} else
|
|
wr->private_data_length = 0;
|
|
|
|
/*
|
|
* Send WR to adapter. NOTE: There is no synch reply from
|
|
* the adapter.
|
|
*/
|
|
err = vq_send_wr(c2dev, (union c2wr *) wr);
|
|
vq_req_free(c2dev, vq_req);
|
|
|
|
bail1:
|
|
kfree(wr);
|
|
bail0:
|
|
if (err) {
|
|
/*
|
|
* If we fail, release reference on QP and
|
|
* disassociate QP from CM_ID
|
|
*/
|
|
cm_id->provider_data = NULL;
|
|
qp->cm_id = NULL;
|
|
cm_id->rem_ref(cm_id);
|
|
}
|
|
return err;
|
|
}
|
|
|
|
int c2_llp_service_create(struct iw_cm_id *cm_id, int backlog)
|
|
{
|
|
struct c2_dev *c2dev;
|
|
struct c2wr_ep_listen_create_req wr;
|
|
struct c2wr_ep_listen_create_rep *reply;
|
|
struct c2_vq_req *vq_req;
|
|
int err;
|
|
|
|
c2dev = to_c2dev(cm_id->device);
|
|
if (c2dev == NULL)
|
|
return -EINVAL;
|
|
|
|
/*
|
|
* Allocate verbs request.
|
|
*/
|
|
vq_req = vq_req_alloc(c2dev);
|
|
if (!vq_req)
|
|
return -ENOMEM;
|
|
|
|
/*
|
|
* Build the WR
|
|
*/
|
|
c2_wr_set_id(&wr, CCWR_EP_LISTEN_CREATE);
|
|
wr.hdr.context = (u64) (unsigned long) vq_req;
|
|
wr.rnic_handle = c2dev->adapter_handle;
|
|
wr.local_addr = cm_id->local_addr.sin_addr.s_addr;
|
|
wr.local_port = cm_id->local_addr.sin_port;
|
|
wr.backlog = cpu_to_be32(backlog);
|
|
wr.user_context = (u64) (unsigned long) cm_id;
|
|
|
|
/*
|
|
* Reference the request struct. Dereferenced in the int handler.
|
|
*/
|
|
vq_req_get(c2dev, vq_req);
|
|
|
|
/*
|
|
* Send WR to adapter
|
|
*/
|
|
err = vq_send_wr(c2dev, (union c2wr *) & wr);
|
|
if (err) {
|
|
vq_req_put(c2dev, vq_req);
|
|
goto bail0;
|
|
}
|
|
|
|
/*
|
|
* Wait for reply from adapter
|
|
*/
|
|
err = vq_wait_for_reply(c2dev, vq_req);
|
|
if (err)
|
|
goto bail0;
|
|
|
|
/*
|
|
* Process reply
|
|
*/
|
|
reply =
|
|
(struct c2wr_ep_listen_create_rep *) (unsigned long) vq_req->reply_msg;
|
|
if (!reply) {
|
|
err = -ENOMEM;
|
|
goto bail1;
|
|
}
|
|
|
|
if ((err = c2_errno(reply)) != 0)
|
|
goto bail1;
|
|
|
|
/*
|
|
* Keep the adapter handle. Used in subsequent destroy
|
|
*/
|
|
cm_id->provider_data = (void*)(unsigned long) reply->ep_handle;
|
|
|
|
/*
|
|
* free vq stuff
|
|
*/
|
|
vq_repbuf_free(c2dev, reply);
|
|
vq_req_free(c2dev, vq_req);
|
|
|
|
return 0;
|
|
|
|
bail1:
|
|
vq_repbuf_free(c2dev, reply);
|
|
bail0:
|
|
vq_req_free(c2dev, vq_req);
|
|
return err;
|
|
}
|
|
|
|
|
|
int c2_llp_service_destroy(struct iw_cm_id *cm_id)
|
|
{
|
|
|
|
struct c2_dev *c2dev;
|
|
struct c2wr_ep_listen_destroy_req wr;
|
|
struct c2wr_ep_listen_destroy_rep *reply;
|
|
struct c2_vq_req *vq_req;
|
|
int err;
|
|
|
|
c2dev = to_c2dev(cm_id->device);
|
|
if (c2dev == NULL)
|
|
return -EINVAL;
|
|
|
|
/*
|
|
* Allocate verbs request.
|
|
*/
|
|
vq_req = vq_req_alloc(c2dev);
|
|
if (!vq_req)
|
|
return -ENOMEM;
|
|
|
|
/*
|
|
* Build the WR
|
|
*/
|
|
c2_wr_set_id(&wr, CCWR_EP_LISTEN_DESTROY);
|
|
wr.hdr.context = (unsigned long) vq_req;
|
|
wr.rnic_handle = c2dev->adapter_handle;
|
|
wr.ep_handle = (u32)(unsigned long)cm_id->provider_data;
|
|
|
|
/*
|
|
* reference the request struct. dereferenced in the int handler.
|
|
*/
|
|
vq_req_get(c2dev, vq_req);
|
|
|
|
/*
|
|
* Send WR to adapter
|
|
*/
|
|
err = vq_send_wr(c2dev, (union c2wr *) & wr);
|
|
if (err) {
|
|
vq_req_put(c2dev, vq_req);
|
|
goto bail0;
|
|
}
|
|
|
|
/*
|
|
* Wait for reply from adapter
|
|
*/
|
|
err = vq_wait_for_reply(c2dev, vq_req);
|
|
if (err)
|
|
goto bail0;
|
|
|
|
/*
|
|
* Process reply
|
|
*/
|
|
reply=(struct c2wr_ep_listen_destroy_rep *)(unsigned long)vq_req->reply_msg;
|
|
if (!reply) {
|
|
err = -ENOMEM;
|
|
goto bail0;
|
|
}
|
|
if ((err = c2_errno(reply)) != 0)
|
|
goto bail1;
|
|
|
|
bail1:
|
|
vq_repbuf_free(c2dev, reply);
|
|
bail0:
|
|
vq_req_free(c2dev, vq_req);
|
|
return err;
|
|
}
|
|
|
|
int c2_llp_accept(struct iw_cm_id *cm_id, struct iw_cm_conn_param *iw_param)
|
|
{
|
|
struct c2_dev *c2dev = to_c2dev(cm_id->device);
|
|
struct c2_qp *qp;
|
|
struct ib_qp *ibqp;
|
|
struct c2wr_cr_accept_req *wr; /* variable length WR */
|
|
struct c2_vq_req *vq_req;
|
|
struct c2wr_cr_accept_rep *reply; /* VQ Reply msg ptr. */
|
|
int err;
|
|
|
|
ibqp = c2_get_qp(cm_id->device, iw_param->qpn);
|
|
if (!ibqp)
|
|
return -EINVAL;
|
|
qp = to_c2qp(ibqp);
|
|
|
|
/* Set the RDMA read limits */
|
|
err = c2_qp_set_read_limits(c2dev, qp, iw_param->ord, iw_param->ird);
|
|
if (err)
|
|
goto bail0;
|
|
|
|
/* Allocate verbs request. */
|
|
vq_req = vq_req_alloc(c2dev);
|
|
if (!vq_req) {
|
|
err = -ENOMEM;
|
|
goto bail0;
|
|
}
|
|
vq_req->qp = qp;
|
|
vq_req->cm_id = cm_id;
|
|
vq_req->event = IW_CM_EVENT_ESTABLISHED;
|
|
|
|
wr = kmalloc(c2dev->req_vq.msg_size, GFP_KERNEL);
|
|
if (!wr) {
|
|
err = -ENOMEM;
|
|
goto bail1;
|
|
}
|
|
|
|
/* Build the WR */
|
|
c2_wr_set_id(wr, CCWR_CR_ACCEPT);
|
|
wr->hdr.context = (unsigned long) vq_req;
|
|
wr->rnic_handle = c2dev->adapter_handle;
|
|
wr->ep_handle = (u32) (unsigned long) cm_id->provider_data;
|
|
wr->qp_handle = qp->adapter_handle;
|
|
|
|
/* Replace the cr_handle with the QP after accept */
|
|
cm_id->provider_data = qp;
|
|
cm_id->add_ref(cm_id);
|
|
qp->cm_id = cm_id;
|
|
|
|
cm_id->provider_data = qp;
|
|
|
|
/* Validate private_data length */
|
|
if (iw_param->private_data_len > C2_MAX_PRIVATE_DATA_SIZE) {
|
|
err = -EINVAL;
|
|
goto bail1;
|
|
}
|
|
|
|
if (iw_param->private_data) {
|
|
wr->private_data_length = cpu_to_be32(iw_param->private_data_len);
|
|
memcpy(&wr->private_data[0],
|
|
iw_param->private_data, iw_param->private_data_len);
|
|
} else
|
|
wr->private_data_length = 0;
|
|
|
|
/* Reference the request struct. Dereferenced in the int handler. */
|
|
vq_req_get(c2dev, vq_req);
|
|
|
|
/* Send WR to adapter */
|
|
err = vq_send_wr(c2dev, (union c2wr *) wr);
|
|
if (err) {
|
|
vq_req_put(c2dev, vq_req);
|
|
goto bail1;
|
|
}
|
|
|
|
/* Wait for reply from adapter */
|
|
err = vq_wait_for_reply(c2dev, vq_req);
|
|
if (err)
|
|
goto bail1;
|
|
|
|
/* Check that reply is present */
|
|
reply = (struct c2wr_cr_accept_rep *) (unsigned long) vq_req->reply_msg;
|
|
if (!reply) {
|
|
err = -ENOMEM;
|
|
goto bail1;
|
|
}
|
|
|
|
err = c2_errno(reply);
|
|
vq_repbuf_free(c2dev, reply);
|
|
|
|
if (!err)
|
|
c2_set_qp_state(qp, C2_QP_STATE_RTS);
|
|
bail1:
|
|
kfree(wr);
|
|
vq_req_free(c2dev, vq_req);
|
|
bail0:
|
|
if (err) {
|
|
/*
|
|
* If we fail, release reference on QP and
|
|
* disassociate QP from CM_ID
|
|
*/
|
|
cm_id->provider_data = NULL;
|
|
qp->cm_id = NULL;
|
|
cm_id->rem_ref(cm_id);
|
|
}
|
|
return err;
|
|
}
|
|
|
|
int c2_llp_reject(struct iw_cm_id *cm_id, const void *pdata, u8 pdata_len)
|
|
{
|
|
struct c2_dev *c2dev;
|
|
struct c2wr_cr_reject_req wr;
|
|
struct c2_vq_req *vq_req;
|
|
struct c2wr_cr_reject_rep *reply;
|
|
int err;
|
|
|
|
c2dev = to_c2dev(cm_id->device);
|
|
|
|
/*
|
|
* Allocate verbs request.
|
|
*/
|
|
vq_req = vq_req_alloc(c2dev);
|
|
if (!vq_req)
|
|
return -ENOMEM;
|
|
|
|
/*
|
|
* Build the WR
|
|
*/
|
|
c2_wr_set_id(&wr, CCWR_CR_REJECT);
|
|
wr.hdr.context = (unsigned long) vq_req;
|
|
wr.rnic_handle = c2dev->adapter_handle;
|
|
wr.ep_handle = (u32) (unsigned long) cm_id->provider_data;
|
|
|
|
/*
|
|
* reference the request struct. dereferenced in the int handler.
|
|
*/
|
|
vq_req_get(c2dev, vq_req);
|
|
|
|
/*
|
|
* Send WR to adapter
|
|
*/
|
|
err = vq_send_wr(c2dev, (union c2wr *) & wr);
|
|
if (err) {
|
|
vq_req_put(c2dev, vq_req);
|
|
goto bail0;
|
|
}
|
|
|
|
/*
|
|
* Wait for reply from adapter
|
|
*/
|
|
err = vq_wait_for_reply(c2dev, vq_req);
|
|
if (err)
|
|
goto bail0;
|
|
|
|
/*
|
|
* Process reply
|
|
*/
|
|
reply = (struct c2wr_cr_reject_rep *) (unsigned long)
|
|
vq_req->reply_msg;
|
|
if (!reply) {
|
|
err = -ENOMEM;
|
|
goto bail0;
|
|
}
|
|
err = c2_errno(reply);
|
|
/*
|
|
* free vq stuff
|
|
*/
|
|
vq_repbuf_free(c2dev, reply);
|
|
|
|
bail0:
|
|
vq_req_free(c2dev, vq_req);
|
|
return err;
|
|
}
|