2021-09-08 08:20:55

by Niklas Schnelle

Subject: [PATCH RESEND 1/2] RDMA/mlx5: Fix number of allocated XLT entries

In commit 8010d74b9965b ("RDMA/mlx5: Split the WR setup out of
mlx5_ib_update_xlt()") the allocation logic was split out of
mlx5_ib_update_xlt() and the logic was changed to enable better OOM
handling. Sadly this change introduced a miscalculation of the number of
entries that were actually allocated when under memory pressure where it
can actually become 0 which on s390 lets dma_map_single() fail.

It can also lead to corruption of the free pages list when the wrong
number of entries is used in the calculation of sg->length which is used
as argument for free_pages().

Fix this by using the allocation size instead of misusing
get_order(size).

Cc: [email protected]
Fixes: 8010d74b9965b ("RDMA/mlx5: Split the WR setup out of mlx5_ib_update_xlt()")
Signed-off-by: Niklas Schnelle <[email protected]>
---
drivers/infiniband/hw/mlx5/mr.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/infiniband/hw/mlx5/mr.c b/drivers/infiniband/hw/mlx5/mr.c
index 3f1c5a4f158b..19713cdd7b78 100644
--- a/drivers/infiniband/hw/mlx5/mr.c
+++ b/drivers/infiniband/hw/mlx5/mr.c
@@ -1024,7 +1024,7 @@ static void *mlx5_ib_alloc_xlt(size_t *nents, size_t ent_size, gfp_t gfp_mask)

if (size > MLX5_SPARE_UMR_CHUNK) {
size = MLX5_SPARE_UMR_CHUNK;
- *nents = get_order(size) / ent_size;
+ *nents = size / ent_size;
res = (void *)__get_free_pages(gfp_mask | __GFP_NOWARN,
get_order(size));
if (res)
--
2.25.1

2021-09-08 11:50:09

by Jason Gunthorpe

Subject: Re: [PATCH RESEND 1/2] RDMA/mlx5: Fix number of allocated XLT entries

On Wed, Sep 08, 2021 at 10:18:48AM +0200, Niklas Schnelle wrote:
> In commit 8010d74b9965b ("RDMA/mlx5: Split the WR setup out of
> mlx5_ib_update_xlt()") the allocation logic was split out of
> mlx5_ib_update_xlt() and the logic was changed to enable better OOM
> handling. Sadly this change introduced a miscalculation of the number of
> entries that were actually allocated when under memory pressure where it
> can actually become 0 which on s390 lets dma_map_single() fail.
>
> It can also lead to corruption of the free pages list when the wrong
> number of entries is used in the calculation of sg->length which is used
> as argument for free_pages().
>
> Fix this by using the allocation size instead of misusing
> get_order(size).
>
> Cc: [email protected]
> Fixes: 8010d74b9965b ("RDMA/mlx5: Split the WR setup out of mlx5_ib_update_xlt()")
> Signed-off-by: Niklas Schnelle <[email protected]>
> ---
> drivers/infiniband/hw/mlx5/mr.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)

Both patches applied to for-rc, thanks

Jason