<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux-stable.git/drivers/infiniband, branch linux-2.6.28.y</title>
<subtitle>Linux kernel stable tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/'/>
<entry>
<title>RDMA/nes: Don't allow userspace QPs to use STag zero</title>
<updated>2009-03-17T00:32:06+00:00</updated>
<author>
<name>Faisal Latif</name>
<email>faisal.latif@intel.com</email>
</author>
<published>2009-03-12T21:34:59+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=ceb5722adfe975c1014180a94360e8d410924b4b'/>
<id>ceb5722adfe975c1014180a94360e8d410924b4b</id>
<content type='text'>
commit c12e56ef6951f4fce1afe9ef6aab9243ea9a9b04 upstream.

STag zero is a special STag that allows consumers to access any bus
address without registering memory.  The nes driver unfortunately
allows STag zero to be used even with QPs created by unprivileged
userspace consumers, which means that any process with direct verbs
access to the nes device can read and write any memory accessible to
the underlying PCI device (usually any memory in the system).  Such
access is usually given for cluster software such as MPI to use, so
this is a local privilege escalation bug on most systems running this
driver.

The driver was using STag zero to receive the last streaming mode
data; to allow STag zero to be disabled for unprivileged QPs, the
driver now registers a special MR for this data.

Signed-off-by: Faisal Latif &lt;faisal.latif@intel.com&gt;
Signed-off-by: Roland Dreier &lt;rolandd@cisco.com&gt;
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit c12e56ef6951f4fce1afe9ef6aab9243ea9a9b04 upstream.

STag zero is a special STag that allows consumers to access any bus
address without registering memory.  The nes driver unfortunately
allows STag zero to be used even with QPs created by unprivileged
userspace consumers, which means that any process with direct verbs
access to the nes device can read and write any memory accessible to
the underlying PCI device (usually any memory in the system).  Such
access is usually given for cluster software such as MPI to use, so
this is a local privilege escalation bug on most systems running this
driver.

The driver was using STag zero to receive the last streaming mode
data; to allow STag zero to be disabled for unprivileged QPs, the
driver now registers a special MR for this data.

Signed-off-by: Faisal Latif &lt;faisal.latif@intel.com&gt;
Signed-off-by: Roland Dreier &lt;rolandd@cisco.com&gt;
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>Merge branches 'ehca' and 'mlx4' into for-linus</title>
<updated>2008-12-01T18:11:50+00:00</updated>
<author>
<name>Roland Dreier</name>
<email>rolandd@cisco.com</email>
</author>
<published>2008-12-01T18:11:50+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=b0f43dcca8a1f46e17b26d10f3cb1b297ebfb44e'/>
<id>b0f43dcca8a1f46e17b26d10f3cb1b297ebfb44e</id>
<content type='text'>
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
</pre>
</div>
</content>
</entry>
<entry>
<title>IB/mlx4: Fix MTT leakage in resize CQ</title>
<updated>2008-12-01T18:09:37+00:00</updated>
<author>
<name>Jack Morgenstein</name>
<email>jackm@dev.mellanox.co.il</email>
</author>
<published>2008-12-01T18:09:37+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=42ab01c31526ac1d06d193f81a498bf3cf2acfe4'/>
<id>42ab01c31526ac1d06d193f81a498bf3cf2acfe4</id>
<content type='text'>
When resizing a CQ, MTTs associated with the old CQE buffer were not
freed.  As a result, if any app used resize CQ repeatedly, all MTTs
were eventually exhausted, which led to all memory registration
operations failing until the driver is reloaded.

Once the RESIZE_CQ command returns successfully from FW, FW no longer
accesses the old CQ buffer, so it is safe to deallocate the MTT
entries used by the old CQ buffer.

Finally, if the RESIZE_CQ command fails, the MTTs allocated for the
new CQEs buffer also need to be de-allocated.

This fixes &lt;https://bugs.openfabrics.org/show_bug.cgi?id=1416&gt;.

Signed-off-by: Jack Morgenstein &lt;jackm@dev.mellanox.co.il&gt;
Signed-off-by: Roland Dreier &lt;rolandd@cisco.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
When resizing a CQ, MTTs associated with the old CQE buffer were not
freed.  As a result, if any app used resize CQ repeatedly, all MTTs
were eventually exhausted, which led to all memory registration
operations failing until the driver is reloaded.

Once the RESIZE_CQ command returns successfully from FW, FW no longer
accesses the old CQ buffer, so it is safe to deallocate the MTT
entries used by the old CQ buffer.

Finally, if the RESIZE_CQ command fails, the MTTs allocated for the
new CQEs buffer also need to be de-allocated.

This fixes &lt;https://bugs.openfabrics.org/show_bug.cgi?id=1416&gt;.

Signed-off-by: Jack Morgenstein &lt;jackm@dev.mellanox.co.il&gt;
Signed-off-by: Roland Dreier &lt;rolandd@cisco.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>IB/ehca: Fix problem with generated flush work completions</title>
<updated>2008-12-01T18:05:50+00:00</updated>
<author>
<name>Stefan Roscher</name>
<email>ossrosch@linux.vnet.ibm.com</email>
</author>
<published>2008-12-01T18:05:50+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=7ec4f4634a4326c1f8fd172c80c8f59c9b3e90a4'/>
<id>7ec4f4634a4326c1f8fd172c80c8f59c9b3e90a4</id>
<content type='text'>
This fix enables the ehca device driver to generate flush work
completions even if the application doesn't request completions for
all work requests. The current implementation of ehca will generate
flush work completions for the wrong work requests if an application
uses non-signaled work completions.

Signed-off-by: Stefan Roscher &lt;stefan.roscher@de.ibm.com&gt;
Signed-off-by: Roland Dreier &lt;rolandd@cisco.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
This fix enables the ehca device driver to generate flush work
completions even if the application doesn't request completions for
all work requests. The current implementation of ehca will generate
flush work completions for the wrong work requests if an application
uses non-signaled work completions.

Signed-off-by: Stefan Roscher &lt;stefan.roscher@de.ibm.com&gt;
Signed-off-by: Roland Dreier &lt;rolandd@cisco.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>IB/ehca: Change misleading error message on memory hotplug</title>
<updated>2008-12-01T18:05:44+00:00</updated>
<author>
<name>Joachim Fenkes</name>
<email>fenkes@de.ibm.com</email>
</author>
<published>2008-12-01T18:05:44+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=6b1f9d647e848060d34c3db408413989f1e460ba'/>
<id>6b1f9d647e848060d34c3db408413989f1e460ba</id>
<content type='text'>
The error message printed when the eHCA driver prevents memory hotplug
is misleading -- the user might think that hot-removing the lhca,
hotplugging memory, then hot-adding the lhca again will work, but it
actually doesn't.

Signed-off-by: Joachim Fenkes &lt;fenkes@de.ibm.com&gt;
Signed-off-by: Roland Dreier &lt;rolandd@cisco.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The error message printed when the eHCA driver prevents memory hotplug
is misleading -- the user might think that hot-removing the lhca,
hotplugging memory, then hot-adding the lhca again will work, but it
actually doesn't.

Signed-off-by: Joachim Fenkes &lt;fenkes@de.ibm.com&gt;
Signed-off-by: Roland Dreier &lt;rolandd@cisco.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/roland/infiniband</title>
<updated>2008-11-12T18:56:31+00:00</updated>
<author>
<name>Linus Torvalds</name>
<email>torvalds@linux-foundation.org</email>
</author>
<published>2008-11-12T18:56:31+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=3edac25f2e8ac8c2a84904c140e1aeb434e73e75'/>
<id>3edac25f2e8ac8c2a84904c140e1aeb434e73e75</id>
<content type='text'>
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/roland/infiniband:
  IPoIB: Fix crash in path_rec_completion()
  IPoIB: Fix hang in ipoib_flush_paths()
  IPoIB: Don't enable NAPI when it's already enabled
  RDMA/cxgb3: Fix deadlock in iw_cxgb3 (hang when configuring interface)
  IB/ehca: Remove reference to special QP in case of port activation failure
  IB/mlx4: Set umem field to NULL in mlx4_ib_alloc_fast_reg_mr()
  mlx4_core: Fix unused variable warning
  RDMA/nes: Mitigate compatibility issue regarding PCIe write credits
  RDMA/nes: Fix CQ allocation scheme for multicast receive queue apps
  RDMA/nes: Correct handling of PBL resources
  RDMA/nes: Reindent mis-indented spinlocks
  RDMA/cxgb3: Fix too-big reserved field zeroing in iwch_post_zb_read()
  IB/ipath: Fix RDMA write with immediate copy of last packet
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/roland/infiniband:
  IPoIB: Fix crash in path_rec_completion()
  IPoIB: Fix hang in ipoib_flush_paths()
  IPoIB: Don't enable NAPI when it's already enabled
  RDMA/cxgb3: Fix deadlock in iw_cxgb3 (hang when configuring interface)
  IB/ehca: Remove reference to special QP in case of port activation failure
  IB/mlx4: Set umem field to NULL in mlx4_ib_alloc_fast_reg_mr()
  mlx4_core: Fix unused variable warning
  RDMA/nes: Mitigate compatibility issue regarding PCIe write credits
  RDMA/nes: Fix CQ allocation scheme for multicast receive queue apps
  RDMA/nes: Correct handling of PBL resources
  RDMA/nes: Reindent mis-indented spinlocks
  RDMA/cxgb3: Fix too-big reserved field zeroing in iwch_post_zb_read()
  IB/ipath: Fix RDMA write with immediate copy of last packet
</pre>
</div>
</content>
</entry>
<entry>
<title>Merge branches 'cxgb3', 'ehca', 'ipath', 'ipoib', 'mlx4' and 'nes' into for-next</title>
<updated>2008-11-12T18:24:44+00:00</updated>
<author>
<name>Roland Dreier</name>
<email>rolandd@cisco.com</email>
</author>
<published>2008-11-12T18:24:44+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=c35a2549642c45ba9085d8b6db4dd68d2b0de230'/>
<id>c35a2549642c45ba9085d8b6db4dd68d2b0de230</id>
<content type='text'>
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
</pre>
</div>
</content>
</entry>
<entry>
<title>IPoIB: Fix crash in path_rec_completion()</title>
<updated>2008-11-12T18:24:39+00:00</updated>
<author>
<name>Yossi Etigin</name>
<email>yosefe@Voltaire.COM</email>
</author>
<published>2008-11-12T18:24:39+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=ff79ae80837cf45cb703b34824dd3862d2ddcb24'/>
<id>ff79ae80837cf45cb703b34824dd3862d2ddcb24</id>
<content type='text'>
Fix a crash in path_rec_completion() during an SM up/down loop.  If
more than one path record request is issued, the first completion
releases path-&gt;done, allowing ipoib_flush_paths() to free the path,
and thus corrupting it for the second completion.

Commit ee1e2c82 ("IPoIB: Refresh paths instead of flushing them on SM
change events") added the field path-&gt;valid and changed the test "if
(!path)" to "if (!path || !path-&gt;valid)".  This change made it
possible for a path with an outstanding query to pass the test and
issue another query on the same path.  Having two queries on the same
path leads to a crash.

This fixes &lt;https://bugs.openfabrics.org/show_bug.cgi?id=1325&gt;.

Signed-off-by: Yossi Etigin &lt;yosefe@voltaire.com&gt;
Signed-off-by: Roland Dreier &lt;rolandd@cisco.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Fix a crash in path_rec_completion() during an SM up/down loop.  If
more than one path record request is issued, the first completion
releases path-&gt;done, allowing ipoib_flush_paths() to free the path,
and thus corrupting it for the second completion.

Commit ee1e2c82 ("IPoIB: Refresh paths instead of flushing them on SM
change events") added the field path-&gt;valid and changed the test "if
(!path)" to "if (!path || !path-&gt;valid)".  This change made it
possible for a path with an outstanding query to pass the test and
issue another query on the same path.  Having two queries on the same
path leads to a crash.

This fixes &lt;https://bugs.openfabrics.org/show_bug.cgi?id=1325&gt;.

Signed-off-by: Yossi Etigin &lt;yosefe@voltaire.com&gt;
Signed-off-by: Roland Dreier &lt;rolandd@cisco.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>IPoIB: Fix hang in ipoib_flush_paths()</title>
<updated>2008-11-12T18:24:38+00:00</updated>
<author>
<name>Yossi Etigin</name>
<email>yosefe@Voltaire.COM</email>
</author>
<published>2008-11-12T18:24:38+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=93a3ab939ba90e00e193f0bad98f43fbdfbd925d'/>
<id>93a3ab939ba90e00e193f0bad98f43fbdfbd925d</id>
<content type='text'>
ipoib_flush_paths() can hang during an SM up/down loop: if
path_rec_start() fails (for instance, because there is no sm_ah), the
path is still added to the path list by neigh_add_path().  Then,
ipoib_flush_paths() will wait for path-&gt;done, but it will never
complete because the request was not issued at all.  Fix this by
completing path-&gt;done if issuing the query fails.

This fixes &lt;https://bugs.openfabrics.org/show_bug.cgi?id=1329&gt;.

Signed-off-by: Yossi Etigin &lt;yosefe@voltaire.com&gt;
Signed-off-by: Roland Dreier &lt;rolandd@cisco.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
ipoib_flush_paths() can hang during an SM up/down loop: if
path_rec_start() fails (for instance, because there is no sm_ah), the
path is still added to the path list by neigh_add_path().  Then,
ipoib_flush_paths() will wait for path-&gt;done, but it will never
complete because the request was not issued at all.  Fix this by
completing path-&gt;done if issuing the query fails.

This fixes &lt;https://bugs.openfabrics.org/show_bug.cgi?id=1329&gt;.

Signed-off-by: Yossi Etigin &lt;yosefe@voltaire.com&gt;
Signed-off-by: Roland Dreier &lt;rolandd@cisco.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>IPoIB: Don't enable NAPI when it's already enabled</title>
<updated>2008-11-12T18:24:36+00:00</updated>
<author>
<name>Yossi Etigin</name>
<email>yosefe@Voltaire.COM</email>
</author>
<published>2008-11-12T18:24:36+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=fe25c56190bbc0951d7c53b4ccd148e669d69938'/>
<id>fe25c56190bbc0951d7c53b4ccd148e669d69938</id>
<content type='text'>
If a P_Key is not present when an interface is created, ipoib_open()
will return after doing napi_enable().  ipoib_open() will be called
again from ipoib_pkey_poll() when the P_Key appears, after NAPI has
already been enabled, and try to enable it again. This triggers a
BUG_ON() in napi_enable().

Fix this by moving the call to napi_enable() to after the test for
P_Key presence.

Signed-off-by: Yossi Etigin &lt;yosefe@voltaire.com&gt;
Signed-off-by: Roland Dreier &lt;rolandd@cisco.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
If a P_Key is not present when an interface is created, ipoib_open()
will return after doing napi_enable().  ipoib_open() will be called
again from ipoib_pkey_poll() when the P_Key appears, after NAPI has
already been enabled, and try to enable it again. This triggers a
BUG_ON() in napi_enable().

Fix this by moving the call to napi_enable() to after the test for
P_Key presence.

Signed-off-by: Yossi Etigin &lt;yosefe@voltaire.com&gt;
Signed-off-by: Roland Dreier &lt;rolandd@cisco.com&gt;
</pre>
</div>
</content>
</entry>
</feed>
