| Message ID | 20240201081009.1109442-1-neelx@redhat.com |
|---|---|
| State | New |
| Headers |
Return-Path: <linux-kernel+bounces-47761-ouuuleilei=gmail.com@vger.kernel.org>
Delivered-To: ouuuleilei@gmail.com
Received: by 2002:a05:693c:2685:b0:106:209c:c626 with SMTP id mn5csp288221dyc;
Thu, 1 Feb 2024 00:12:03 -0800 (PST)
X-Google-Smtp-Source:
AGHT+IFpvR4YT9Lda6b7X27hv9ChAT5LkkCfEX+qGJ2MZ5XBSBgDeytqnEGq+u2ewOKPCvJ4jzlH
X-Received: by 2002:a17:906:1c8b:b0:a35:dd57:e4cf with SMTP id
g11-20020a1709061c8b00b00a35dd57e4cfmr3215706ejh.67.1706775123052;
Thu, 01 Feb 2024 00:12:03 -0800 (PST)
ARC-Seal: i=2; a=rsa-sha256; t=1706775123; cv=pass;
d=google.com; s=arc-20160816;
b=DRVX/9JvZTNvig26LLJx2UZjXuy+GFcA7oQXT8WLRIoK/sdEC1sx/7rHKzguYR7IMY
O7s8ogw7CE3C78a7jiQP/dngGvdnKk/iromvzf1ifts9Pzxj2dlDHTNQxifDsZb8rGOM
utu49TeCR6DI7Xs0icTBeFuEVXkMu7ffudk5LomJD+kCF58KDfsuuauuzJuZ0o+ritGr
4o+0j/7T7GpYpYj7gFVChXgsL8PZIv0din7Tc3fYszZfWq7xOji9tC7B54aWrtJm36qe
sYl8IbeNNNQNNn11Nr3n+RqwqYtaxqm3cf7rr+iWqNTXy7LLBjUa/3LRq70fDlvzfP9H
14KA==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
s=arc-20160816;
h=content-transfer-encoding:mime-version:list-unsubscribe
:list-subscribe:list-id:precedence:references:in-reply-to:message-id
:date:subject:cc:to:from:dkim-signature;
bh=TQDdRV2tMPG+6nfJCtzHbTe1EEi3qaM2yI8qVm5kEZY=;
fh=+0GmSPhH2uHXp2zLTaqm0BRVrsJeAXynP4ruKZgT72w=;
b=ELhKiChMpV+yBzksHfDRqJECTaSDIpNYqG7DPUffkImu00hIGenGTVIIQEVbNHfClx
9BvHMa9KSc3xP7bGrwted0E4uNvbSN2v49HUzdBR8pFE1iAfz3P6bD1IqwKa2yrsFdv7
UFSglfqYeirt4QVDCyIeQ7RWZLLLqubitrJuwWX6mvECFHrH3U3L23Phy/Xs9CyVGjYB
RIDheE7qMsXpE4eI1VuRUIs+wBAlEmUlNRNtWbCHbIfIKKqezm65vwrLnV/CtUEQdWLh
Fx8X0uX2u/PjQTqJioiXcL8kBZj+klDF+CFF0FursMA5IOATfuMsKUREsXNotBU8ki+S
tmOQ==;
dara=google.com
ARC-Authentication-Results: i=2; mx.google.com;
dkim=pass header.i=@redhat.com header.s=mimecast20190719
header.b=HXMHlcnM;
arc=pass (i=1 spf=pass spfdomain=redhat.com dkim=pass
dkdomain=redhat.com dmarc=pass fromdomain=redhat.com);
spf=pass (google.com: domain of
linux-kernel+bounces-47761-ouuuleilei=gmail.com@vger.kernel.org designates
2604:1380:4601:e00::3 as permitted sender)
smtp.mailfrom="linux-kernel+bounces-47761-ouuuleilei=gmail.com@vger.kernel.org";
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com
X-Forwarded-Encrypted: i=1;
AJvYcCXEA5XymdRLBMAeDFBN4YqN/w2Waj0hDBRH+vZNA0UolZZ4jaw7fHWROQpESZNHWQyM54tuSGq8pFj3l9KxRBiv8wDjyw==
Received: from am.mirrors.kernel.org (am.mirrors.kernel.org.
[2604:1380:4601:e00::3])
by mx.google.com with ESMTPS id
l8-20020a17090612c800b00a27c14be748si6456365ejb.920.2024.02.01.00.12.02
for <ouuuleilei@gmail.com>
(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
Thu, 01 Feb 2024 00:12:03 -0800 (PST)
Received-SPF: pass (google.com: domain of
linux-kernel+bounces-47761-ouuuleilei=gmail.com@vger.kernel.org designates
2604:1380:4601:e00::3 as permitted sender) client-ip=2604:1380:4601:e00::3;
Authentication-Results: mx.google.com;
dkim=pass header.i=@redhat.com header.s=mimecast20190719
header.b=HXMHlcnM;
arc=pass (i=1 spf=pass spfdomain=redhat.com dkim=pass
dkdomain=redhat.com dmarc=pass fromdomain=redhat.com);
spf=pass (google.com: domain of
linux-kernel+bounces-47761-ouuuleilei=gmail.com@vger.kernel.org designates
2604:1380:4601:e00::3 as permitted sender)
smtp.mailfrom="linux-kernel+bounces-47761-ouuuleilei=gmail.com@vger.kernel.org";
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com
Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org
[52.25.139.140])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(No client certificate requested)
by am.mirrors.kernel.org (Postfix) with ESMTPS id 68D971F25902
for <ouuuleilei@gmail.com>; Thu, 1 Feb 2024 08:11:37 +0000 (UTC)
Received: from localhost.localdomain (localhost.localdomain [127.0.0.1])
by smtp.subspace.kernel.org (Postfix) with ESMTP id 3769C159590;
Thu, 1 Feb 2024 08:11:25 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com
header.b="HXMHlcnM"
Received: from us-smtp-delivery-124.mimecast.com
(us-smtp-delivery-124.mimecast.com [170.10.133.124])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(No client certificate requested)
by smtp.subspace.kernel.org (Postfix) with ESMTPS id BA5C3158D65
for <linux-kernel@vger.kernel.org>; Thu, 1 Feb 2024 08:11:20 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
arc=none smtp.client-ip=170.10.133.124
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
t=1706775082; cv=none;
b=LK2hdK4d8Y7H5buCRMhzCS8+GQk3SR/wYfHWvHPABiTOhzEAWR0OPDwsVOQ3uHSv4Fcay8frj6Vl3MlGOM9aeVtH0/UVIJsY42inlqJqP4BLyCOPVoHsqy0DIHjawFso9U1lr8y4S1wGbzVnSzUAAVh/ZVBLP+LBFmO6+5VM5O8=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
s=arc-20240116; t=1706775082; c=relaxed/simple;
bh=y1w5sJ8ktbHEe0F3UYcqGu1KS6iUPE0CBc0UPiD+WCw=;
h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:
MIME-Version;
b=J/NH9M4c2T8vUQKzYlDyrLr4Xi5eGQLTtpdfjI8/s9SarXPbTFatZK5LKtKs/BZBVaNZD05RzTVnhqEHaKaPyelGdmI1KOSCpXhsz/blXim1/pR6tt098rBVvHaGDn6ntqIzE/LkOPluhhlb/3JYUNteZRQpg/UD3uIqRUZUG14=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
dmarc=pass (p=none dis=none) header.from=redhat.com;
spf=pass smtp.mailfrom=redhat.com;
dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com
header.b=HXMHlcnM; arc=none smtp.client-ip=170.10.133.124
Authentication-Results: smtp.subspace.kernel.org;
dmarc=pass (p=none dis=none) header.from=redhat.com
Authentication-Results: smtp.subspace.kernel.org;
spf=pass smtp.mailfrom=redhat.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
s=mimecast20190719; t=1706775079;
h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
to:to:cc:cc:mime-version:mime-version:
content-transfer-encoding:content-transfer-encoding:
in-reply-to:in-reply-to:references:references;
bh=TQDdRV2tMPG+6nfJCtzHbTe1EEi3qaM2yI8qVm5kEZY=;
b=HXMHlcnMSwyP8Rco1RThmL9FOcPHMvGizTzcZzwXRzshuUcOuYjv+Ys0bbC7fz3Am/+YAr
y0Sy8IXDJDKNgnkVDK58w4hnqktToBT3anjWibY9F44kXeFemBdRh8bYFgt6QHbM7CXQnD
PbMP74Hn9h0raDAsFOwSEBHGdX/+D9c=
Received: from mimecast-mx02.redhat.com (mx-ext.redhat.com [66.187.233.73])
by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3,
cipher=TLS_AES_256_GCM_SHA384) id us-mta-582-XHBq3RvKOoKY9F01Y5fe4w-1; Thu,
01 Feb 2024 03:11:14 -0500
X-MC-Unique: XHBq3RvKOoKY9F01Y5fe4w-1
Received: from smtp.corp.redhat.com (int-mx10.intmail.prod.int.rdu2.redhat.com
[10.11.54.10])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest
SHA256)
(No client certificate requested)
by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 09E542932486;
Thu, 1 Feb 2024 08:11:14 +0000 (UTC)
Received: from metal.redhat.com (unknown [10.45.224.66])
by smtp.corp.redhat.com (Postfix) with ESMTP id 22FDE492BE2;
Thu, 1 Feb 2024 08:11:11 +0000 (UTC)
From: Daniel Vacek <neelx@redhat.com>
To: Dennis Dalessandro <dennis.dalessandro@cornelisnetworks.com>,
Jason Gunthorpe <jgg@ziepe.ca>,
Leon Romanovsky <leon@kernel.org>,
Patrick Kelsey <pat.kelsey@cornelisnetworks.com>,
Brendan Cunningham <bcunningham@cornelisnetworks.com>
Cc: Daniel Vacek <neelx@redhat.com>,
stable@vger.kernel.org,
Mats Kronberg <kronberg@nsc.liu.se>,
linux-rdma@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: [PATCH v2] IB/hfi1: Fix sdma.h tx->num_descs off-by-one error (take
two)
Date: Thu, 1 Feb 2024 09:10:08 +0100
Message-ID: <20240201081009.1109442-1-neelx@redhat.com>
In-Reply-To: <20240126152125.869509-1-neelx@redhat.com>
References: <20240126152125.869509-1-neelx@redhat.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Scanned-By: MIMEDefang 3.4.1 on 10.11.54.10
X-getmail-retrieved-from-mailbox: INBOX
X-GMAIL-THRID: 1789167977439135068
X-GMAIL-MSGID: 1789683431633254080
|
| Series |
[v2] IB/hfi1: Fix sdma.h tx->num_descs off-by-one error (take two)
|
|
Commit Message
Daniel Vacek
Feb. 1, 2024, 8:10 a.m. UTC
Unfortunately the commit `fd8958efe877` introduced another error
causing the `descs` array to overflow. This reults in further crashes
easily reproducible by `sendmsg` system call.
[ 1080.836473] general protection fault, probably for non-canonical address 0x400300015528b00a: 0000 [#1] PREEMPT SMP PTI
[ 1080.869326] RIP: 0010:hfi1_ipoib_build_ib_tx_headers.constprop.0+0xe1/0x2b0 [hfi1]
--
[ 1080.974535] Call Trace:
[ 1080.976990] <TASK>
[ 1081.021929] hfi1_ipoib_send_dma_common+0x7a/0x2e0 [hfi1]
[ 1081.027364] hfi1_ipoib_send_dma_list+0x62/0x270 [hfi1]
[ 1081.032633] hfi1_ipoib_send+0x112/0x300 [hfi1]
[ 1081.042001] ipoib_start_xmit+0x2a9/0x2d0 [ib_ipoib]
[ 1081.046978] dev_hard_start_xmit+0xc4/0x210
--
[ 1081.148347] __sys_sendmsg+0x59/0xa0
crash> ipoib_txreq 0xffff9cfeba229f00
struct ipoib_txreq {
txreq = {
list = {
next = 0xffff9cfeba229f00,
prev = 0xffff9cfeba229f00
},
descp = 0xffff9cfeba229f40,
coalesce_buf = 0x0,
wait = 0xffff9cfea4e69a48,
complete = 0xffffffffc0fe0760 <hfi1_ipoib_sdma_complete>,
packet_len = 0x46d,
tlen = 0x0,
num_desc = 0x0,
desc_limit = 0x6,
next_descq_idx = 0x45c,
coalesce_idx = 0x0,
flags = 0x0,
descs = {{
qw = {0x8024000120dffb00, 0x4} # SDMA_DESC0_FIRST_DESC_FLAG (bit 63)
}, {
qw = { 0x3800014231b108, 0x4}
}, {
qw = { 0x310000e4ee0fcf0, 0x8}
}, {
qw = { 0x3000012e9f8000, 0x8}
}, {
qw = { 0x59000dfb9d0000, 0x8}
}, {
qw = { 0x78000e02e40000, 0x8}
}}
},
sdma_hdr = 0x400300015528b000, <<< invalid pointer in the tx request structure
sdma_status = 0x0, SDMA_DESC0_LAST_DESC_FLAG (bit 62)
complete = 0x0,
priv = 0x0,
txq = 0xffff9cfea4e69880,
skb = 0xffff9d099809f400
}
If an SDMA send consists of exactly 6 descriptors and requires dword
padding (in the 7th descriptor), the sdma_txreq descriptor array
is not properly expanded and the packet will overflow into the
container structure. This results in a panic when the send completion
runs. The exact panic varies depending on what elements of the
container structure get corrupted. The fix is to use the correct
expression in _pad_sdma_tx_descs() to test the need to expand the
descriptor array.
With this patch the crashes are no longer reproducible and the machine is stable.
Fixes: fd8958efe877 ("IB/hfi1: Fix sdma.h tx->num_descs off-by-one errors")
Cc: stable@vger.kernel.org
Reported-by: Mats Kronberg <kronberg@nsc.liu.se>
Tested-by: Mats Kronberg <kronberg@nsc.liu.se>
Signed-off-by: Daniel Vacek <neelx@redhat.com>
---
Changes in v2:
- Dropped the unrelated cleanups.
- Improved commit message as suggested by Dennis Dalessandro
drivers/infiniband/hw/hfi1/sdma.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
Comments
On Thu, 01 Feb 2024 09:10:08 +0100, Daniel Vacek wrote: > Unfortunately the commit `fd8958efe877` introduced another error > causing the `descs` array to overflow. This reults in further crashes > easily reproducible by `sendmsg` system call. > > [ 1080.836473] general protection fault, probably for non-canonical address 0x400300015528b00a: 0000 [#1] PREEMPT SMP PTI > [ 1080.869326] RIP: 0010:hfi1_ipoib_build_ib_tx_headers.constprop.0+0xe1/0x2b0 [hfi1] > -- > [ 1080.974535] Call Trace: > [ 1080.976990] <TASK> > [ 1081.021929] hfi1_ipoib_send_dma_common+0x7a/0x2e0 [hfi1] > [ 1081.027364] hfi1_ipoib_send_dma_list+0x62/0x270 [hfi1] > [ 1081.032633] hfi1_ipoib_send+0x112/0x300 [hfi1] > [ 1081.042001] ipoib_start_xmit+0x2a9/0x2d0 [ib_ipoib] > [ 1081.046978] dev_hard_start_xmit+0xc4/0x210 > -- > [ 1081.148347] __sys_sendmsg+0x59/0xa0 > > [...] Applied, thanks! [1/1] IB/hfi1: Fix sdma.h tx->num_descs off-by-one error (take two) https://git.kernel.org/rdma/rdma/c/be39e8dcb411fb Best regards,
diff --git a/drivers/infiniband/hw/hfi1/sdma.c b/drivers/infiniband/hw/hfi1/sdma.c index 6e5ac2023328a..b67d23b1f2862 100644 --- a/drivers/infiniband/hw/hfi1/sdma.c +++ b/drivers/infiniband/hw/hfi1/sdma.c @@ -3158,7 +3158,7 @@ int _pad_sdma_tx_descs(struct hfi1_devdata *dd, struct sdma_txreq *tx) { int rval = 0; - if ((unlikely(tx->num_desc + 1 == tx->desc_limit))) { + if ((unlikely(tx->num_desc == tx->desc_limit))) { rval = _extend_sdma_tx_descs(dd, tx); if (rval) { __sdma_txclean(dd, tx);