svn commit: r341928 - in stable/11/sys/dev/mlx5: . mlx5_ib
Hans Petter Selasky
hselasky at FreeBSD.org
Wed Dec 12 12:07:42 UTC 2018
Author: hselasky
Date: Wed Dec 12 12:07:39 2018
New Revision: 341928
URL: https://svnweb.freebsd.org/changeset/base/341928
Log:
MFC r341557:
mlx5: Add SRQ fixes from Linux
Combine multiple fixes from Linux to SRQ.
Linux commits:
c73b791 IB/mlx5: Assign SRQ type earlier
0fd27a8 IB/mlx5: Fix out-of-bound access
c2b37f7 IB/mlx5: Fix integer overflows in mlx5_ib_create_srq
d63c467 RDMA/mlx5: Fix memory leak in mlx5_ib_create_srq() error path
Sponsored by: Mellanox Technologies
Modified:
stable/11/sys/dev/mlx5/driver.h
stable/11/sys/dev/mlx5/mlx5_ib/mlx5_ib_srq.c
Directory Properties:
stable/11/ (props changed)
Modified: stable/11/sys/dev/mlx5/driver.h
==============================================================================
--- stable/11/sys/dev/mlx5/driver.h Wed Dec 12 12:07:21 2018 (r341927)
+++ stable/11/sys/dev/mlx5/driver.h Wed Dec 12 12:07:39 2018 (r341928)
@@ -460,8 +460,8 @@ struct mlx5_core_srq {
struct mlx5_core_rsc_common common; /* must be first */
u32 srqn;
int max;
- int max_gs;
- int max_avail_gather;
+ size_t max_gs;
+ size_t max_avail_gather;
int wqe_shift;
void (*event)(struct mlx5_core_srq *, int);
atomic_t refcount;
Modified: stable/11/sys/dev/mlx5/mlx5_ib/mlx5_ib_srq.c
==============================================================================
--- stable/11/sys/dev/mlx5/mlx5_ib/mlx5_ib_srq.c Wed Dec 12 12:07:21 2018 (r341927)
+++ stable/11/sys/dev/mlx5/mlx5_ib/mlx5_ib_srq.c Wed Dec 12 12:07:39 2018 (r341928)
@@ -159,8 +159,6 @@ static int create_srq_kernel(struct mlx5_ib_dev *dev,
int err;
int i;
struct mlx5_wqe_srq_next_seg *next;
- int page_shift;
- int npages;
err = mlx5_db_alloc(dev->mdev, &srq->db);
if (err) {
@@ -173,7 +171,6 @@ static int create_srq_kernel(struct mlx5_ib_dev *dev,
err = -ENOMEM;
goto err_db;
}
- page_shift = srq->buf.page_shift;
srq->head = 0;
srq->tail = srq->msrq.max - 1;
@@ -185,10 +182,8 @@ static int create_srq_kernel(struct mlx5_ib_dev *dev,
cpu_to_be16((i + 1) & (srq->msrq.max - 1));
}
- npages = DIV_ROUND_UP(srq->buf.npages, 1 << (page_shift - PAGE_SHIFT));
- mlx5_ib_dbg(dev, "buf_size %d, page_shift %d, npages %d, calc npages %d\n",
- buf_size, page_shift, srq->buf.npages, npages);
- in->pas = mlx5_vzalloc(sizeof(*in->pas) * npages);
+ mlx5_ib_dbg(dev, "srq->buf.page_shift = %d\n", srq->buf.page_shift);
+ in->pas = mlx5_vzalloc(sizeof(*in->pas) * srq->buf.npages);
if (!in->pas) {
err = -ENOMEM;
goto err_buf;
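Review bot: The new sizing of in->pas, `sizeof(*in->pas) * srq->buf.npages`, has no comment explaining why it no longer uses the page_shift-scaled count, and that reason is the substance of the fix. Presumably the code that fills in->pas after this allocation (outside the hunk) writes one entry per srq->buf.npages, so the array has to be sized by that same count; worth recording as `/* one entry per srq->buf.npages; must match the count written into in->pas below */`. The replacement debug line also drops npages, which is the value needed to diagnose a sizing mismatch; consider `mlx5_ib_dbg(dev, "page_shift %d, npages %d\n", srq->buf.page_shift, srq->buf.npages);`. create_srq_kernel() starts and ends outside this hunk.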
@@ -204,7 +199,7 @@ static int create_srq_kernel(struct mlx5_ib_dev *dev,
}
srq->wq_sig = !!srq_signature;
- in->log_page_size = page_shift - MLX5_ADAPTER_PAGE_SHIFT;
+ in->log_page_size = srq->buf.page_shift - MLX5_ADAPTER_PAGE_SHIFT;
if (MLX5_CAP_GEN(dev->mdev, cqe_version) == MLX5_CQE_VERSION_V1 &&
in->type == IB_SRQT_XRC)
in->user_index = MLX5_IB_DEFAULT_UIDX;
@@ -242,8 +237,8 @@ struct ib_srq *mlx5_ib_create_srq(struct ib_pd *pd,
{
struct mlx5_ib_dev *dev = to_mdev(pd->device);
struct mlx5_ib_srq *srq;
- int desc_size;
- int buf_size;
+ size_t desc_size;
+ size_t buf_size;
int err;
struct mlx5_srq_attr in = {0};
__u32 max_srq_wqes = 1 << MLX5_CAP_GEN(dev->mdev, log_max_srq_sz);
@@ -267,15 +262,25 @@ struct ib_srq *mlx5_ib_create_srq(struct ib_pd *pd,
desc_size = sizeof(struct mlx5_wqe_srq_next_seg) +
srq->msrq.max_gs * sizeof(struct mlx5_wqe_data_seg);
+ if (desc_size == 0 || srq->msrq.max_gs > desc_size) {
+ err = -EINVAL;
+ goto err_srq;
+ }
desc_size = roundup_pow_of_two(desc_size);
- desc_size = max_t(int, 32, desc_size);
+ desc_size = max_t(size_t, 32, desc_size);
+ if (desc_size < sizeof(struct mlx5_wqe_srq_next_seg)) {
+ err = -EINVAL;
+ goto err_srq;
+ }
srq->msrq.max_avail_gather = (desc_size - sizeof(struct mlx5_wqe_srq_next_seg)) /
sizeof(struct mlx5_wqe_data_seg);
srq->msrq.wqe_shift = ilog2(desc_size);
buf_size = srq->msrq.max * desc_size;
- mlx5_ib_dbg(dev, "desc_size 0x%x, req wr 0x%x, srq size 0x%x, max_gs 0x%x, max_avail_gather 0x%x\n",
- desc_size, init_attr->attr.max_wr, srq->msrq.max, srq->msrq.max_gs,
- srq->msrq.max_avail_gather);
+ if (buf_size < desc_size) {
+ err = -EINVAL;
+ goto err_srq;
+ }
+ in.type = init_attr->srq_type;
if (pd->uobject)
err = create_srq_user(pd, srq, &in, udata, buf_size);
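Review bot: buf_size is now a size_t but is still handed to create_srq_user() and create_srq_kernel() at the end of this hunk, and the debug line removed from create_srq_kernel() formatted it with `%d`, which suggests both helpers still take an `int`. If so, a product above INT_MAX passes the new `buf_size < desc_size` wrap check and is then narrowed at the call, so the size the helpers allocate with is not the one validated here. Either widen the helper parameters to size_t or bound the value before the call, e.g. `if (buf_size < desc_size || buf_size > INT_MAX) {`. The wrap check also only detects overflow because both factors appear to be powers of two (a wrapped product is then 0); a one-line comment saying so would keep it from being loosened later. mlx5_ib_create_srq() starts and ends outside this hunk.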
@@ -288,7 +293,6 @@ struct ib_srq *mlx5_ib_create_srq(struct ib_pd *pd,
goto err_srq;
}
- in.type = init_attr->srq_type;
in.log_size = ilog2(srq->msrq.max);
in.wqe_shift = srq->msrq.wqe_shift - 4;
if (srq->wq_sig)