From: Ben Hutchings
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
CC: akpm@linux-foundation.org, "Saeed Mahameed", "Alex Vesker"
Date: Sun, 11 Nov 2018 19:49:05 +0000
Subject: [PATCH 3.16 205/366] net/mlx5: Fix command interface race in polling mode

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Alex Vesker

commit d412c31dae053bf30a1bc15582a9990df297a660 upstream.

The command interface can work in two modes: Events and Polling.
In the general case, each time we invoke a command, a work is
queued to handle it.

When working in events, the interrupt handler completes the
command execution. On the other hand, when working in polling
mode, the work itself completes it.

Due to a bug in the work handler, a command could have been completed
by the interrupt handler, while the work handler hasn't finished yet,
causing it to complete once again if the command interface mode was
changed from Events to polling after the interrupt handler was called.

mlx5_unload_one()
  mlx5_stop_eqs()
    // Destroy the EQ before cmd EQ
    ...cmd_work_handler()
      write_doorbell()
        --> EVENT_TYPE_CMD
          mlx5_cmd_comp_handler() // First free
            free_ent(cmd, ent->idx)
            complete(&ent->done)

    <-- mlx5_stop_eqs //cmd was complete
      // move to polling before destroying the last cmd EQ
      mlx5_cmd_use_polling()
        cmd->mode = POLL;

    --> cmd_work_handler (continues)
      if (cmd->mode == POLL)
        mlx5_cmd_comp_handler() // Double free

The solution is to store the cmd->mode before writing the doorbell.

Fixes: e126ba97dba9 ("mlx5: Add driver for Mellanox Connect-IB adapters")
Signed-off-by: Alex Vesker
Signed-off-by: Saeed Mahameed [bwh: Backported to 3.16: adjust context] Signed-off-by: Ben Hutchings --- drivers/net/ethernet/mellanox/mlx5/core/cmd.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) --- a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c +++ b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c @@ -560,6 +560,7 @@ static void cmd_work_handler(struct work struct mlx5_cmd_layout *lay; struct semaphore *sem; int alloc_ret; + int cmd_mode; sem = ent->page_queue ? &cmd->pages_sem : &cmd->sem; down(sem); @@ -602,6 +603,7 @@ static void cmd_work_handler(struct work set_signature(ent, !cmd->checksum_disabled); dump_command(dev, ent, 1); ktime_get_ts(&ent->ts1); + cmd_mode = cmd->mode; if (ent->callback) schedule_delayed_work(&ent->cb_timeout_work, cb_timeout); @@ -611,7 +613,7 @@ static void cmd_work_handler(struct work iowrite32be(1 << ent->idx, &dev->iseg->cmd_dbell); mlx5_core_dbg(dev, "write 0x%x to command doorbell\n", 1 << ent->idx); mmiowb(); - if (cmd->mode == CMD_MODE_POLLING) { + if (cmd_mode == CMD_MODE_POLLING) { poll_timeout(ent); /* make sure we read the descriptor after ownership is SW */ rmb();
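Review bot: The added "cmd_mode = cmd->mode;" in the second hunk (right after ktime_get_ts(&ent->ts1)) carries no comment saying it must stay ahead of the iowrite32be(1 << ent->idx, &dev->iseg->cmd_dbell) doorbell write, and that ordering is the whole fix. Please add a one-line comment above the assignment stating that the mode is sampled before the doorbell because the completion handler can run, and the mode can be switched, as soon as the doorbell is written. Without it, a later cleanup could fold the read back into the "if" and reintroduce the double completion described in the commit message.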
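Review bot: The opposite mode transition is not addressed at "if (cmd_mode == CMD_MODE_POLLING)" in the third hunk: when the sampled value is polling and cmd->mode is changed while poll_timeout(ent) is still running, this branch still proceeds on the stale sample. The commit message only walks through the Events to polling switch. If callers guarantee the mode cannot go from polling to events with a command in flight, please say so in the commit message or in a comment at this test; otherwise that direction needs the same analysis.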