RDMA/rxe: Fix ref error in rxe_av.c

[ Upstream commit 63221acb0c63141cc7650f8eefb148337061e6db ]

The commit referenced below can take a reference to the AH which is never
dropped. This only happens in the UD request path. This patch optionally
passes that AH back to the caller so that it can hold the reference while
the AV is being accessed and then drop it. Code to do this is added to
rxe_req.c. The AV is also passed to rxe_prepare in rxe_net.c as an
optimization.

Fixes: e2fe06c90806 ("RDMA/rxe: Lookup kernel AH from ah index in UD WQEs")
Link: https://lore.kernel.org/r/20220304000808.225811-2-rpearsonhpe@gmail.com
Signed-off-by: Bob Pearson <rpearsonhpe@gmail.com>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/drivers/infiniband/sw/rxe/rxe_av.c b/drivers/infiniband/sw/rxe/rxe_av.c
index 38c7b6fb39d70256826cee71bf0b09c72730a86c..360a567159fe5a11de9ef059ac11d17266296395 100644 (file)
--- a/drivers/infiniband/sw/rxe/rxe_av.c
+++ b/drivers/infiniband/sw/rxe/rxe_av.c
@@ -99,11 +99,14 @@ void rxe_av_fill_ip_info(struct rxe_av *av, struct rdma_ah_attr *attr)
        av->network_type = type;
 }
 
-struct rxe_av *rxe_get_av(struct rxe_pkt_info *pkt)
+struct rxe_av *rxe_get_av(struct rxe_pkt_info *pkt, struct rxe_ah **ahp)
 {
        struct rxe_ah *ah;
        u32 ah_num;
 
+       if (ahp)
+               *ahp = NULL;
+
        if (!pkt || !pkt->qp)
                return NULL;
 
@@ -117,10 +120,22 @@ struct rxe_av *rxe_get_av(struct rxe_pkt_info *pkt)
        if (ah_num) {
                /* only new user provider or kernel client */
                ah = rxe_pool_get_index(&pkt->rxe->ah_pool, ah_num);
-               if (!ah || ah->ah_num != ah_num || rxe_ah_pd(ah) != pkt->qp->pd) {
+               if (!ah) {
                        pr_warn("Unable to find AH matching ah_num\n");
                        return NULL;
                }
+
+               if (rxe_ah_pd(ah) != pkt->qp->pd) {
+                       pr_warn("PDs don't match for AH and QP\n");
+                       rxe_drop_ref(ah);
+                       return NULL;
+               }
+
+               if (ahp)
+                       *ahp = ah;
+               else
+                       rxe_drop_ref(ah);
+
                return &ah->av;
        }
 

diff --git a/drivers/infiniband/sw/rxe/rxe_loc.h b/drivers/infiniband/sw/rxe/rxe_loc.h
index 1ca43b859d806ce0058280a65233b2ba032f0241..42234744dadd44fe4f9408b9224416dbac0ee976 100644 (file)
--- a/drivers/infiniband/sw/rxe/rxe_loc.h
+++ b/drivers/infiniband/sw/rxe/rxe_loc.h
@@ -19,7 +19,7 @@ void rxe_av_to_attr(struct rxe_av *av, struct rdma_ah_attr *attr);
 
 void rxe_av_fill_ip_info(struct rxe_av *av, struct rdma_ah_attr *attr);
 
-struct rxe_av *rxe_get_av(struct rxe_pkt_info *pkt);
+struct rxe_av *rxe_get_av(struct rxe_pkt_info *pkt, struct rxe_ah **ahp);
 
 /* rxe_cq.c */
 int rxe_cq_chk_attr(struct rxe_dev *rxe, struct rxe_cq *cq,
@@ -102,7 +102,8 @@ void rxe_mw_cleanup(struct rxe_pool_entry *arg);
 /* rxe_net.c */
 struct sk_buff *rxe_init_packet(struct rxe_dev *rxe, struct rxe_av *av,
                                int paylen, struct rxe_pkt_info *pkt);
-int rxe_prepare(struct rxe_pkt_info *pkt, struct sk_buff *skb);
+int rxe_prepare(struct rxe_av *av, struct rxe_pkt_info *pkt,
+               struct sk_buff *skb);
 int rxe_xmit_packet(struct rxe_qp *qp, struct rxe_pkt_info *pkt,
                    struct sk_buff *skb);
 const char *rxe_parent_name(struct rxe_dev *rxe, unsigned int port_num);

diff --git a/drivers/infiniband/sw/rxe/rxe_net.c b/drivers/infiniband/sw/rxe/rxe_net.c
index 2cb810cb890a5108c2bfdb8d4b928fc7944c5b85..456e960cacd70af2f402f71d0dea28468693b19d 100644 (file)
--- a/drivers/infiniband/sw/rxe/rxe_net.c
+++ b/drivers/infiniband/sw/rxe/rxe_net.c
@@ -293,13 +293,13 @@ static void prepare_ipv6_hdr(struct dst_entry *dst, struct sk_buff *skb,
        ip6h->payload_len = htons(skb->len - sizeof(*ip6h));
 }
 
-static int prepare4(struct rxe_pkt_info *pkt, struct sk_buff *skb)
+static int prepare4(struct rxe_av *av, struct rxe_pkt_info *pkt,
+                   struct sk_buff *skb)
 {
        struct rxe_qp *qp = pkt->qp;
        struct dst_entry *dst;
        bool xnet = false;
        __be16 df = htons(IP_DF);
-       struct rxe_av *av = rxe_get_av(pkt);
        struct in_addr *saddr = &av->sgid_addr._sockaddr_in.sin_addr;
        struct in_addr *daddr = &av->dgid_addr._sockaddr_in.sin_addr;
 
@@ -319,11 +319,11 @@ static int prepare4(struct rxe_pkt_info *pkt, struct sk_buff *skb)
        return 0;
 }
 
-static int prepare6(struct rxe_pkt_info *pkt, struct sk_buff *skb)
+static int prepare6(struct rxe_av *av, struct rxe_pkt_info *pkt,
+                   struct sk_buff *skb)
 {
        struct rxe_qp *qp = pkt->qp;
        struct dst_entry *dst;
-       struct rxe_av *av = rxe_get_av(pkt);
        struct in6_addr *saddr = &av->sgid_addr._sockaddr_in6.sin6_addr;
        struct in6_addr *daddr = &av->dgid_addr._sockaddr_in6.sin6_addr;
 
@@ -344,16 +344,17 @@ static int prepare6(struct rxe_pkt_info *pkt, struct sk_buff *skb)
        return 0;
 }
 
-int rxe_prepare(struct rxe_pkt_info *pkt, struct sk_buff *skb)
+int rxe_prepare(struct rxe_av *av, struct rxe_pkt_info *pkt,
+               struct sk_buff *skb)
 {
        int err = 0;
 
        if (skb->protocol == htons(ETH_P_IP))
-               err = prepare4(pkt, skb);
+               err = prepare4(av, pkt, skb);
        else if (skb->protocol == htons(ETH_P_IPV6))
-               err = prepare6(pkt, skb);
+               err = prepare6(av, pkt, skb);
 
-       if (ether_addr_equal(skb->dev->dev_addr, rxe_get_av(pkt)->dmac))
+       if (ether_addr_equal(skb->dev->dev_addr, av->dmac))
                pkt->mask |= RXE_LOOPBACK_MASK;
 
        return err;

diff --git a/drivers/infiniband/sw/rxe/rxe_req.c b/drivers/infiniband/sw/rxe/rxe_req.c
index 79ed4ca2fe2c453cb8e622007f9b005765279eaa..ae2a02f3d3351f94c75502f9c6124131ec603c05 100644 (file)
--- a/drivers/infiniband/sw/rxe/rxe_req.c
+++ b/drivers/infiniband/sw/rxe/rxe_req.c
@@ -361,6 +361,7 @@ static inline int get_mtu(struct rxe_qp *qp)
 }
 
 static struct sk_buff *init_req_packet(struct rxe_qp *qp,
+                                      struct rxe_av *av,
                                       struct rxe_send_wqe *wqe,
                                       int opcode, u32 payload,
                                       struct rxe_pkt_info *pkt)
@@ -368,7 +369,6 @@ static struct sk_buff *init_req_packet(struct rxe_qp *qp,
        struct rxe_dev          *rxe = to_rdev(qp->ibqp.device);
        struct sk_buff          *skb;
        struct rxe_send_wr      *ibwr = &wqe->wr;
-       struct rxe_av           *av;
        int                     pad = (-payload) & 0x3;
        int                     paylen;
        int                     solicited;
@@ -378,21 +378,9 @@ static struct sk_buff *init_req_packet(struct rxe_qp *qp,
 
        /* length from start of bth to end of icrc */
        paylen = rxe_opcode[opcode].length + payload + pad + RXE_ICRC_SIZE;
-
-       /* pkt->hdr, port_num and mask are initialized in ifc layer */
-       pkt->rxe        = rxe;
-       pkt->opcode     = opcode;
-       pkt->qp         = qp;
-       pkt->psn        = qp->req.psn;
-       pkt->mask       = rxe_opcode[opcode].mask;
-       pkt->paylen     = paylen;
-       pkt->wqe        = wqe;
+       pkt->paylen = paylen;
 
        /* init skb */
-       av = rxe_get_av(pkt);
-       if (!av)
-               return NULL;
-
        skb = rxe_init_packet(rxe, av, paylen, pkt);
        if (unlikely(!skb))
                return NULL;
@@ -453,13 +441,13 @@ static struct sk_buff *init_req_packet(struct rxe_qp *qp,
        return skb;
 }
 
-static int finish_packet(struct rxe_qp *qp, struct rxe_send_wqe *wqe,
-                      struct rxe_pkt_info *pkt, struct sk_buff *skb,
-                      u32 paylen)
+static int finish_packet(struct rxe_qp *qp, struct rxe_av *av,
+                        struct rxe_send_wqe *wqe, struct rxe_pkt_info *pkt,
+                        struct sk_buff *skb, u32 paylen)
 {
        int err;
 
-       err = rxe_prepare(pkt, skb);
+       err = rxe_prepare(av, pkt, skb);
        if (err)
                return err;
 
@@ -614,6 +602,7 @@ static int rxe_do_local_ops(struct rxe_qp *qp, struct rxe_send_wqe *wqe)
 int rxe_requester(void *arg)
 {
        struct rxe_qp *qp = (struct rxe_qp *)arg;
+       struct rxe_dev *rxe = to_rdev(qp->ibqp.device);
        struct rxe_pkt_info pkt;
        struct sk_buff *skb;
        struct rxe_send_wqe *wqe;
@@ -625,6 +614,8 @@ int rxe_requester(void *arg)
        struct rxe_send_wqe rollback_wqe;
        u32 rollback_psn;
        struct rxe_queue *q = qp->sq.queue;
+       struct rxe_ah *ah;
+       struct rxe_av *av;
 
        rxe_add_ref(qp);
 
@@ -711,14 +702,28 @@ next_wqe:
                payload = mtu;
        }
 
-       skb = init_req_packet(qp, wqe, opcode, payload, &pkt);
+       pkt.rxe = rxe;
+       pkt.opcode = opcode;
+       pkt.qp = qp;
+       pkt.psn = qp->req.psn;
+       pkt.mask = rxe_opcode[opcode].mask;
+       pkt.wqe = wqe;
+
+       av = rxe_get_av(&pkt, &ah);
+       if (unlikely(!av)) {
+               pr_err("qp#%d Failed no address vector\n", qp_num(qp));
+               wqe->status = IB_WC_LOC_QP_OP_ERR;
+               goto err_drop_ah;
+       }
+
+       skb = init_req_packet(qp, av, wqe, opcode, payload, &pkt);
        if (unlikely(!skb)) {
                pr_err("qp#%d Failed allocating skb\n", qp_num(qp));
                wqe->status = IB_WC_LOC_QP_OP_ERR;
-               goto err;
+               goto err_drop_ah;
        }
 
-       ret = finish_packet(qp, wqe, &pkt, skb, payload);
+       ret = finish_packet(qp, av, wqe, &pkt, skb, payload);
        if (unlikely(ret)) {
                pr_debug("qp#%d Error during finish packet\n", qp_num(qp));
                if (ret == -EFAULT)
@@ -726,9 +731,12 @@ next_wqe:
                else
                        wqe->status = IB_WC_LOC_QP_OP_ERR;
                kfree_skb(skb);
-               goto err;
+               goto err_drop_ah;
        }
 
+       if (ah)
+               rxe_drop_ref(ah);
+
        /*
         * To prevent a race on wqe access between requester and completer,
         * wqe members state and psn need to be set before calling
@@ -757,6 +765,9 @@ next_wqe:
 
        goto next_wqe;
 
+err_drop_ah:
+       if (ah)
+               rxe_drop_ref(ah);
 err:
        wqe->state = wqe_state_error;
        __rxe_do_task(&qp->comp.task);

diff --git a/drivers/infiniband/sw/rxe/rxe_resp.c b/drivers/infiniband/sw/rxe/rxe_resp.c
index 380934e38923bf28737e53f4b9187b25a22825ca..192cb9a096a142e16905ae404cd29d38b0be4fe7 100644 (file)
--- a/drivers/infiniband/sw/rxe/rxe_resp.c
+++ b/drivers/infiniband/sw/rxe/rxe_resp.c
@@ -632,7 +632,7 @@ static struct sk_buff *prepare_ack_packet(struct rxe_qp *qp,
        if (ack->mask & RXE_ATMACK_MASK)
                atmack_set_orig(ack, qp->resp.atomic_orig);
 
-       err = rxe_prepare(ack, skb);
+       err = rxe_prepare(&qp->pri_av, ack, skb);
        if (err) {
                kfree_skb(skb);
                return NULL;