Received: by 2002:a25:683:0:0:0:0:0 with SMTP id 125csp692977ybg; Mon, 1 Jun 2020 11:50:53 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwvubICI49UT8yTjx53sP4cRrvkq4kgE65Fp6LknKjS9EhKqsVFeC6dKxXbgP8X1pxgFwj1 X-Received: by 2002:a17:906:1558:: with SMTP id c24mr2784223ejd.48.1591037453159; Mon, 01 Jun 2020 11:50:53 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1591037453; cv=none; d=google.com; s=arc-20160816; b=USY2Eu3m5QPJS6YWQu7QthjNgvvEHUvZrHDGmo92wqsvDbUfyFwOjLJmWvVTj5wetQ wns98obmy3YGwwmfjzNoFqajVix4H6ahGT1QFuoNdYfYxjo5oInYumdQUX8dHs9A7Rv+ i3shGHhJM4e17bJiN7uzQeq3bTiMQ3+SroyPAAtu5DERk/1Bl1/nA8/kGcSkRgg51CUG lgjKgLmB4LlxlJsT/eKRaOz/OjlN+IW9cefkFrpcBD819bVpxcvX593AX1D6si4Pzjei +JHTxvLmLvB1RG/1MK0DIT1cmVC+kRGN5OvGAXSZb+SYQxG7JhITQ1/RyPc91xu+infM oyWg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=eVIfxtIj9WiEJFeZ8JmzzzfYirQpKiWTpvFvFoo15nU=; b=FIXXDczxigsMMQL7yvsn2NfJUbCUFEdLFOqwaJTS2ORZJu1b4wN8hS70lq+BAzdLxw +QDtjYkByzgwJlIYgSgm8wQNiME1PjGhEMklKgYEajhsjNVk0BoFB4vuJyhtPmre2mnW HUV4PF1ZTZe6Els6hRlkpG8PUHYjDYgrcDK5WoU59ITZST6TnId+KYX9RlTsyIqeVw2W MJvB38IsNkbNANDJip5A44YYw40SYmtIgfjCU+EB5C8jWOvD6qbzTHvnY5bSVy3rw/Pk LKQMCW7aYxK5V6klQIBOUnopUxWVc/JkFFUV1h4xjOttVLUskLMwYOIhKb3R4+htfl6R qHLg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=D0whhk+V; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id t9si196319eju.485.2020.06.01.11.50.30; Mon, 01 Jun 2020 11:50:53 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=D0whhk+V; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728896AbgFASHX (ORCPT + 99 others); Mon, 1 Jun 2020 14:07:23 -0400 Received: from mail.kernel.org ([198.145.29.99]:52534 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1730496AbgFASGt (ORCPT ); Mon, 1 Jun 2020 14:06:49 -0400 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 7633D2068D; Mon, 1 Jun 2020 18:06:48 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1591034808; bh=ambusvve4PtBxJnzxj5h6RempnRnRW92w6VEnBVIJnE=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=D0whhk+VDYoOIEAWBZDAOMdR5oJ0AATKyBeLDUNZH2s21WeDsCZ5ArM3vc9nB/4pQ c0Z2FgVnyhhSH2JtZI7sZxLgdz4xyM1+kLlu0e3ic6NqySnCO8Pl70pX1CvRg1Sdpa L/FGdCLHp4ooD7Hawus/xOM6vJaZTIPKH528w2VA= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Moshe Shemesh , Eran Ben Elisha , Saeed Mahameed Subject: [PATCH 5.4 009/142] net/mlx5: Add command entry handling completion Date: Mon, 1 Jun 2020 19:52:47 +0200 Message-Id: <20200601174038.975067779@linuxfoundation.org> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20200601174037.904070960@linuxfoundation.org> References: <20200601174037.904070960@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Moshe Shemesh [ Upstream commit 17d00e839d3b592da9659c1977d45f85b77f986a ] When FW response to commands is very slow and all command entries in use are waiting for completion we can have a race where commands can get timeout before they get out of the queue and handled. Timeout completion on uninitialized command will cause releasing command's buffers before accessing it for initialization and then we will get NULL pointer exception while trying access it. It may also cause releasing buffers of another command since we may have timeout completion before even allocating entry index for this command. Add entry handling completion to avoid this race. Fixes: e126ba97dba9 ("mlx5: Add driver for Mellanox Connect-IB adapters") Signed-off-by: Moshe Shemesh Signed-off-by: Eran Ben Elisha Signed-off-by: Saeed Mahameed Signed-off-by: Greg Kroah-Hartman --- drivers/net/ethernet/mellanox/mlx5/core/cmd.c | 14 ++++++++++++++ include/linux/mlx5/driver.h | 1 + 2 files changed, 15 insertions(+) --- a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c +++ b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c @@ -861,6 +861,7 @@ static void cmd_work_handler(struct work int alloc_ret; int cmd_mode; + complete(&ent->handling); sem = ent->page_queue ? &cmd->pages_sem : &cmd->sem; down(sem); if (!ent->page_queue) { @@ -978,6 +979,11 @@ static int wait_func(struct mlx5_core_de struct mlx5_cmd *cmd = &dev->cmd; int err; + if (!wait_for_completion_timeout(&ent->handling, timeout) && + cancel_work_sync(&ent->work)) { + ent->ret = -ECANCELED; + goto out_err; + } if (cmd->mode == CMD_MODE_POLLING || ent->polling) { wait_for_completion(&ent->done); } else if (!wait_for_completion_timeout(&ent->done, timeout)) { @@ -985,12 +991,17 @@ static int wait_func(struct mlx5_core_de mlx5_cmd_comp_handler(dev, 1UL << ent->idx, true); } +out_err: err = ent->ret; if (err == -ETIMEDOUT) { mlx5_core_warn(dev, "%s(0x%x) timeout. Will cause a leak of a command resource\n", mlx5_command_str(msg_to_opcode(ent->in)), msg_to_opcode(ent->in)); + } else if (err == -ECANCELED) { + mlx5_core_warn(dev, "%s(0x%x) canceled on out of queue timeout.\n", + mlx5_command_str(msg_to_opcode(ent->in)), + msg_to_opcode(ent->in)); } mlx5_core_dbg(dev, "err %d, delivery status %s(%d)\n", err, deliv_status_to_str(ent->status), ent->status); @@ -1026,6 +1037,7 @@ static int mlx5_cmd_invoke(struct mlx5_c ent->token = token; ent->polling = force_polling; + init_completion(&ent->handling); if (!callback) init_completion(&ent->done); @@ -1045,6 +1057,8 @@ static int mlx5_cmd_invoke(struct mlx5_c err = wait_func(dev, ent); if (err == -ETIMEDOUT) goto out; + if (err == -ECANCELED) + goto out_free; ds = ent->ts2 - ent->ts1; op = MLX5_GET(mbox_in, in->first.data, opcode); --- a/include/linux/mlx5/driver.h +++ b/include/linux/mlx5/driver.h @@ -756,6 +756,7 @@ struct mlx5_cmd_work_ent { struct delayed_work cb_timeout_work; void *context; int idx; + struct completion handling; struct completion done; struct mlx5_cmd *cmd; struct work_struct work;