Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit e3aa31c5 authored by Michael S. Tsirkin's avatar Michael S. Tsirkin Committed by Roland Dreier
Browse files

IB/mthca: Don't cancel commands on a signal 



We have run into the following problem: if a task receives a signal
while in the process of e.g. destroying a resource (which could be
because the relevant file was closed) mthca could bail out from trying
to take a command interface semaphore without performing the
appropriate command to tell hardware that the resource is being
destroyed.

As a result we see messages like
 ib_mthca 0000:04:00.0: HW2SW_CQ failed (-4)

In this case, hardware could access the resource after the memory has
been freed, possibly causing memory corruption.

A simple solution is to replace down_interruptible() by down() in
command interface activation.

Signed-off-by: default avatarMichael S. Tsirkin <mst@mellanox.co.il>
[ It's also not safe to bail out on multicast table operations, since
  they may be invoked on the cleanup path too.  So use down() for
  mcg_table.sem too. ]
Signed-off-by: default avatarRoland Dreier <rolandd@cisco.com>
parent 8e9e5f4f

drivers/infiniband/hw/mthca/mthca_cmd.c

+3 −6
Original line number Diff line number Diff line
@@ -199,8 +199,7 @@ static int mthca_cmd_post(struct mthca_dev *dev, 
{

	int err = 0;



	if (down_interruptible(&dev->cmd.hcr_sem))

		return -EINTR;

	down(&dev->cmd.hcr_sem);



	if (event) {

		unsigned long end = jiffies + GO_BIT_TIMEOUT;
@@ -255,8 +254,7 @@ static int mthca_cmd_poll(struct mthca_dev *dev, 
	int err = 0;

	unsigned long end;



	if (down_interruptible(&dev->cmd.poll_sem))

		return -EINTR;

	down(&dev->cmd.poll_sem);



	err = mthca_cmd_post(dev, in_param,

			     out_param ? *out_param : 0,
@@ -333,8 +331,7 @@ static int mthca_cmd_wait(struct mthca_dev *dev, 
	int err = 0;

	struct mthca_cmd_context *context;



	if (down_interruptible(&dev->cmd.event_sem))

		return -EINTR;

	down(&dev->cmd.event_sem);



	spin_lock(&dev->cmd.context_lock);

	BUG_ON(dev->cmd.free_head < 0);

drivers/infiniband/hw/mthca/mthca_mcg.c

+4 −10
Original line number Diff line number Diff line
@@ -154,10 +154,7 @@ int mthca_multicast_attach(struct ib_qp *ibqp, union ib_gid *gid, u16 lid) 
		return PTR_ERR(mailbox);

	mgm = mailbox->buf;



	if (down_interruptible(&dev->mcg_table.sem)) {

		err = -EINTR;

		goto err_sem;

	}

	down(&dev->mcg_table.sem);



	err = find_mgm(dev, gid->raw, mailbox, &hash, &prev, &index);

	if (err)
@@ -242,7 +239,7 @@ int mthca_multicast_attach(struct ib_qp *ibqp, union ib_gid *gid, u16 lid) 
		mthca_free(&dev->mcg_table.alloc, index);

	}

	up(&dev->mcg_table.sem);

 err_sem:



	mthca_free_mailbox(dev, mailbox);

	return err;

}
@@ -263,10 +260,7 @@ int mthca_multicast_detach(struct ib_qp *ibqp, union ib_gid *gid, u16 lid) 
		return PTR_ERR(mailbox);

	mgm = mailbox->buf;



	if (down_interruptible(&dev->mcg_table.sem)) {

		err = -EINTR;

		goto err_sem;

	}

	down(&dev->mcg_table.sem);



	err = find_mgm(dev, gid->raw, mailbox, &hash, &prev, &index);

	if (err)
@@ -372,7 +366,7 @@ int mthca_multicast_detach(struct ib_qp *ibqp, union ib_gid *gid, u16 lid) 


 out:

	up(&dev->mcg_table.sem);

 err_sem:



	mthca_free_mailbox(dev, mailbox);

	return err;

}