| Message ID | 20240126152125.869509-1-neelx@redhat.com (mailing list archive) |
|---|---|
| State | Superseded |
| Headers | show |
| Series | IB/hfi1: Fix sdma.h tx->num_descs off-by-one error (take two) | expand |
On Fri, Jan 26, 2024 at 04:21:23PM +0100, Daniel Vacek wrote: > Unfortunately the commit `fd8958efe877` introduced another error > causing the `descs` array to overflow. This reults in further crashes > easily reproducible by `sendmsg` system call. > > [ 1080.836473] general protection fault, probably for non-canonical address 0x400300015528b00a: 0000 [#1] PREEMPT SMP PTI > [ 1080.869326] RIP: 0010:hfi1_ipoib_build_ib_tx_headers.constprop.0+0xe1/0x2b0 [hfi1] > -- > [ 1080.974535] Call Trace: > [ 1080.976990] <TASK> > [ 1081.021929] hfi1_ipoib_send_dma_common+0x7a/0x2e0 [hfi1] > [ 1081.027364] hfi1_ipoib_send_dma_list+0x62/0x270 [hfi1] > [ 1081.032633] hfi1_ipoib_send+0x112/0x300 [hfi1] > [ 1081.042001] ipoib_start_xmit+0x2a9/0x2d0 [ib_ipoib] > [ 1081.046978] dev_hard_start_xmit+0xc4/0x210 > -- > [ 1081.148347] __sys_sendmsg+0x59/0xa0 > > crash> ipoib_txreq 0xffff9cfeba229f00 > struct ipoib_txreq { > txreq = { > list = { > next = 0xffff9cfeba229f00, > prev = 0xffff9cfeba229f00 > }, > descp = 0xffff9cfeba229f40, > coalesce_buf = 0x0, > wait = 0xffff9cfea4e69a48, > complete = 0xffffffffc0fe0760 <hfi1_ipoib_sdma_complete>, > packet_len = 0x46d, > tlen = 0x0, > num_desc = 0x0, > desc_limit = 0x6, > next_descq_idx = 0x45c, > coalesce_idx = 0x0, > flags = 0x0, > descs = {{ > qw = {0x8024000120dffb00, 0x4} # SDMA_DESC0_FIRST_DESC_FLAG (bit 63) > }, { > qw = { 0x3800014231b108, 0x4} > }, { > qw = { 0x310000e4ee0fcf0, 0x8} > }, { > qw = { 0x3000012e9f8000, 0x8} > }, { > qw = { 0x59000dfb9d0000, 0x8} > }, { > qw = { 0x78000e02e40000, 0x8} > }} > }, > sdma_hdr = 0x400300015528b000, <<< invalid pointer in the tx request structure > sdma_status = 0x0, SDMA_DESC0_LAST_DESC_FLAG (bit 62) > complete = 0x0, > priv = 0x0, > txq = 0xffff9cfea4e69880, > skb = 0xffff9d099809f400 > } > > With this patch the crashes are no longer reproducible and the machine is stable. > > Note, the header file changes are just an unrelated clean-up while I was looking > around trying to find the bug. > > Fixes: fd8958efe877 ("IB/hfi1: Fix sdma.h tx->num_descs off-by-one errors") > Cc: stable@vger.kernel.org > Reported-by: Mats Kronberg <kronberg@nsc.liu.se> > Tested-by: Mats Kronberg <kronberg@nsc.liu.se> > Signed-off-by: Daniel Vacek <neelx@redhat.com> > --- > drivers/infiniband/hw/hfi1/sdma.c | 2 +- > drivers/infiniband/hw/hfi1/sdma.h | 17 +++++++---------- > 2 files changed, 8 insertions(+), 11 deletions(-) > > diff --git a/drivers/infiniband/hw/hfi1/sdma.c b/drivers/infiniband/hw/hfi1/sdma.c > index 6e5ac2023328a..b67d23b1f2862 100644 > --- a/drivers/infiniband/hw/hfi1/sdma.c > +++ b/drivers/infiniband/hw/hfi1/sdma.c > @@ -3158,7 +3158,7 @@ int _pad_sdma_tx_descs(struct hfi1_devdata *dd, struct sdma_txreq *tx) > { > int rval = 0; > > - if ((unlikely(tx->num_desc + 1 == tx->desc_limit))) { > + if ((unlikely(tx->num_desc == tx->desc_limit))) { Maybe, Dennis? > rval = _extend_sdma_tx_descs(dd, tx); > if (rval) { > __sdma_txclean(dd, tx); > diff --git a/drivers/infiniband/hw/hfi1/sdma.h b/drivers/infiniband/hw/hfi1/sdma.h > index d77246b48434f..362815a8da267 100644 > --- a/drivers/infiniband/hw/hfi1/sdma.h > +++ b/drivers/infiniband/hw/hfi1/sdma.h > @@ -639,13 +639,13 @@ static inline void sdma_txclean(struct hfi1_devdata *dd, struct sdma_txreq *tx) > static inline void _sdma_close_tx(struct hfi1_devdata *dd, > struct sdma_txreq *tx) > { > - u16 last_desc = tx->num_desc - 1; > + struct sdma_desc *desc = &tx->descp[tx->num_desc - 1]; > > - tx->descp[last_desc].qw[0] |= SDMA_DESC0_LAST_DESC_FLAG; > - tx->descp[last_desc].qw[1] |= dd->default_desc1; > + desc->qw[0] |= SDMA_DESC0_LAST_DESC_FLAG; > + desc->qw[1] |= dd->default_desc1; > if (tx->flags & SDMA_TXREQ_F_URGENT) > - tx->descp[last_desc].qw[1] |= (SDMA_DESC1_HEAD_TO_HOST_FLAG | > - SDMA_DESC1_INT_REQ_FLAG); > + desc->qw[1] |= (SDMA_DESC1_HEAD_TO_HOST_FLAG | > + SDMA_DESC1_INT_REQ_FLAG); Unrelated change which doesn't change anything. > } > > static inline int _sdma_txadd_daddr( > @@ -670,13 +670,10 @@ static inline int _sdma_txadd_daddr( > tx->tlen -= len; > /* special cases for last */ > if (!tx->tlen) { > - if (tx->packet_len & (sizeof(u32) - 1)) { > + if (tx->packet_len & (sizeof(u32) - 1)) > rval = _pad_sdma_tx_descs(dd, tx); > - if (rval) > - return rval; > - } else { > + else > _sdma_close_tx(dd, tx); > - } Same as before, unrelated change. > } > return rval; > } > -- > 2.43.0 >
On 1/31/24 7:50 AM, Leon Romanovsky wrote: > On Fri, Jan 26, 2024 at 04:21:23PM +0100, Daniel Vacek wrote: >> Unfortunately the commit `fd8958efe877` introduced another error >> causing the `descs` array to overflow. This reults in further crashes >> easily reproducible by `sendmsg` system call. >> >> [ 1080.836473] general protection fault, probably for non-canonical address 0x400300015528b00a: 0000 [#1] PREEMPT SMP PTI >> [ 1080.869326] RIP: 0010:hfi1_ipoib_build_ib_tx_headers.constprop.0+0xe1/0x2b0 [hfi1] >> -- >> [ 1080.974535] Call Trace: >> [ 1080.976990] <TASK> >> [ 1081.021929] hfi1_ipoib_send_dma_common+0x7a/0x2e0 [hfi1] >> [ 1081.027364] hfi1_ipoib_send_dma_list+0x62/0x270 [hfi1] >> [ 1081.032633] hfi1_ipoib_send+0x112/0x300 [hfi1] >> [ 1081.042001] ipoib_start_xmit+0x2a9/0x2d0 [ib_ipoib] >> [ 1081.046978] dev_hard_start_xmit+0xc4/0x210 >> -- >> [ 1081.148347] __sys_sendmsg+0x59/0xa0 >> >> crash> ipoib_txreq 0xffff9cfeba229f00 >> struct ipoib_txreq { >> txreq = { >> list = { >> next = 0xffff9cfeba229f00, >> prev = 0xffff9cfeba229f00 >> }, >> descp = 0xffff9cfeba229f40, >> coalesce_buf = 0x0, >> wait = 0xffff9cfea4e69a48, >> complete = 0xffffffffc0fe0760 <hfi1_ipoib_sdma_complete>, >> packet_len = 0x46d, >> tlen = 0x0, >> num_desc = 0x0, >> desc_limit = 0x6, >> next_descq_idx = 0x45c, >> coalesce_idx = 0x0, >> flags = 0x0, >> descs = {{ >> qw = {0x8024000120dffb00, 0x4} # SDMA_DESC0_FIRST_DESC_FLAG (bit 63) >> }, { >> qw = { 0x3800014231b108, 0x4} >> }, { >> qw = { 0x310000e4ee0fcf0, 0x8} >> }, { >> qw = { 0x3000012e9f8000, 0x8} >> }, { >> qw = { 0x59000dfb9d0000, 0x8} >> }, { >> qw = { 0x78000e02e40000, 0x8} >> }} >> }, >> sdma_hdr = 0x400300015528b000, <<< invalid pointer in the tx request structure >> sdma_status = 0x0, SDMA_DESC0_LAST_DESC_FLAG (bit 62) >> complete = 0x0, >> priv = 0x0, >> txq = 0xffff9cfea4e69880, >> skb = 0xffff9d099809f400 >> } >> >> With this patch the crashes are no longer reproducible and the machine is stable. >> >> Note, the header file changes are just an unrelated clean-up while I was looking >> around trying to find the bug. >> >> Fixes: fd8958efe877 ("IB/hfi1: Fix sdma.h tx->num_descs off-by-one errors") >> Cc: stable@vger.kernel.org >> Reported-by: Mats Kronberg <kronberg@nsc.liu.se> >> Tested-by: Mats Kronberg <kronberg@nsc.liu.se> >> Signed-off-by: Daniel Vacek <neelx@redhat.com> >> --- >> drivers/infiniband/hw/hfi1/sdma.c | 2 +- >> drivers/infiniband/hw/hfi1/sdma.h | 17 +++++++---------- >> 2 files changed, 8 insertions(+), 11 deletions(-) >> >> diff --git a/drivers/infiniband/hw/hfi1/sdma.c b/drivers/infiniband/hw/hfi1/sdma.c >> index 6e5ac2023328a..b67d23b1f2862 100644 >> --- a/drivers/infiniband/hw/hfi1/sdma.c >> +++ b/drivers/infiniband/hw/hfi1/sdma.c >> @@ -3158,7 +3158,7 @@ int _pad_sdma_tx_descs(struct hfi1_devdata *dd, struct sdma_txreq *tx) >> { >> int rval = 0; >> >> - if ((unlikely(tx->num_desc + 1 == tx->desc_limit))) { >> + if ((unlikely(tx->num_desc == tx->desc_limit))) { > > Maybe, Dennis? I actually have a patch that does exactly this one line change queued up to send out. The commit message for our fix is: If an SDMA send consists of exactly 6 descriptors and requires dword padding (in the 7th descriptor), the sdma_txreq descriptor array is not properly expanded and the packet will overflow into the container structure. This results in a panic when the send completion runs. The exact panic varies depending on what elements of the container structure get corrupted. The fix is to use the correct expression in _pad_sdma_tx_descs() to test the need to expand the descriptor array. >> rval = _extend_sdma_tx_descs(dd, tx); >> if (rval) { >> __sdma_txclean(dd, tx); >> diff --git a/drivers/infiniband/hw/hfi1/sdma.h b/drivers/infiniband/hw/hfi1/sdma.h >> index d77246b48434f..362815a8da267 100644 >> --- a/drivers/infiniband/hw/hfi1/sdma.h >> +++ b/drivers/infiniband/hw/hfi1/sdma.h >> @@ -639,13 +639,13 @@ static inline void sdma_txclean(struct hfi1_devdata *dd, struct sdma_txreq *tx) >> static inline void _sdma_close_tx(struct hfi1_devdata *dd, >> struct sdma_txreq *tx) >> { >> - u16 last_desc = tx->num_desc - 1; >> + struct sdma_desc *desc = &tx->descp[tx->num_desc - 1]; >> >> - tx->descp[last_desc].qw[0] |= SDMA_DESC0_LAST_DESC_FLAG; >> - tx->descp[last_desc].qw[1] |= dd->default_desc1; >> + desc->qw[0] |= SDMA_DESC0_LAST_DESC_FLAG; >> + desc->qw[1] |= dd->default_desc1; >> if (tx->flags & SDMA_TXREQ_F_URGENT) >> - tx->descp[last_desc].qw[1] |= (SDMA_DESC1_HEAD_TO_HOST_FLAG | >> - SDMA_DESC1_INT_REQ_FLAG); >> + desc->qw[1] |= (SDMA_DESC1_HEAD_TO_HOST_FLAG | >> + SDMA_DESC1_INT_REQ_FLAG); > > Unrelated change which doesn't change anything. Please drop. > >> } >> >> static inline int _sdma_txadd_daddr( >> @@ -670,13 +670,10 @@ static inline int _sdma_txadd_daddr( >> tx->tlen -= len; >> /* special cases for last */ >> if (!tx->tlen) { >> - if (tx->packet_len & (sizeof(u32) - 1)) { >> + if (tx->packet_len & (sizeof(u32) - 1)) >> rval = _pad_sdma_tx_descs(dd, tx); >> - if (rval) >> - return rval; >> - } else { >> + else >> _sdma_close_tx(dd, tx); >> - } > > Same as before, unrelated change. Agree. Please drop.
diff --git a/drivers/infiniband/hw/hfi1/sdma.c b/drivers/infiniband/hw/hfi1/sdma.c index 6e5ac2023328a..b67d23b1f2862 100644 --- a/drivers/infiniband/hw/hfi1/sdma.c +++ b/drivers/infiniband/hw/hfi1/sdma.c @@ -3158,7 +3158,7 @@ int _pad_sdma_tx_descs(struct hfi1_devdata *dd, struct sdma_txreq *tx) { int rval = 0; - if ((unlikely(tx->num_desc + 1 == tx->desc_limit))) { + if ((unlikely(tx->num_desc == tx->desc_limit))) { rval = _extend_sdma_tx_descs(dd, tx); if (rval) { __sdma_txclean(dd, tx); diff --git a/drivers/infiniband/hw/hfi1/sdma.h b/drivers/infiniband/hw/hfi1/sdma.h index d77246b48434f..362815a8da267 100644 --- a/drivers/infiniband/hw/hfi1/sdma.h +++ b/drivers/infiniband/hw/hfi1/sdma.h @@ -639,13 +639,13 @@ static inline void sdma_txclean(struct hfi1_devdata *dd, struct sdma_txreq *tx) static inline void _sdma_close_tx(struct hfi1_devdata *dd, struct sdma_txreq *tx) { - u16 last_desc = tx->num_desc - 1; + struct sdma_desc *desc = &tx->descp[tx->num_desc - 1]; - tx->descp[last_desc].qw[0] |= SDMA_DESC0_LAST_DESC_FLAG; - tx->descp[last_desc].qw[1] |= dd->default_desc1; + desc->qw[0] |= SDMA_DESC0_LAST_DESC_FLAG; + desc->qw[1] |= dd->default_desc1; if (tx->flags & SDMA_TXREQ_F_URGENT) - tx->descp[last_desc].qw[1] |= (SDMA_DESC1_HEAD_TO_HOST_FLAG | - SDMA_DESC1_INT_REQ_FLAG); + desc->qw[1] |= (SDMA_DESC1_HEAD_TO_HOST_FLAG | + SDMA_DESC1_INT_REQ_FLAG); } static inline int _sdma_txadd_daddr( @@ -670,13 +670,10 @@ static inline int _sdma_txadd_daddr( tx->tlen -= len; /* special cases for last */ if (!tx->tlen) { - if (tx->packet_len & (sizeof(u32) - 1)) { + if (tx->packet_len & (sizeof(u32) - 1)) rval = _pad_sdma_tx_descs(dd, tx); - if (rval) - return rval; - } else { + else _sdma_close_tx(dd, tx); - } } return rval; }
Unfortunately the commit `fd8958efe877` introduced another error causing the `descs` array to overflow. This reults in further crashes easily reproducible by `sendmsg` system call. [ 1080.836473] general protection fault, probably for non-canonical address 0x400300015528b00a: 0000 [#1] PREEMPT SMP PTI [ 1080.869326] RIP: 0010:hfi1_ipoib_build_ib_tx_headers.constprop.0+0xe1/0x2b0 [hfi1] -- [ 1080.974535] Call Trace: [ 1080.976990] <TASK> [ 1081.021929] hfi1_ipoib_send_dma_common+0x7a/0x2e0 [hfi1] [ 1081.027364] hfi1_ipoib_send_dma_list+0x62/0x270 [hfi1] [ 1081.032633] hfi1_ipoib_send+0x112/0x300 [hfi1] [ 1081.042001] ipoib_start_xmit+0x2a9/0x2d0 [ib_ipoib] [ 1081.046978] dev_hard_start_xmit+0xc4/0x210 -- [ 1081.148347] __sys_sendmsg+0x59/0xa0 crash> ipoib_txreq 0xffff9cfeba229f00 struct ipoib_txreq { txreq = { list = { next = 0xffff9cfeba229f00, prev = 0xffff9cfeba229f00 }, descp = 0xffff9cfeba229f40, coalesce_buf = 0x0, wait = 0xffff9cfea4e69a48, complete = 0xffffffffc0fe0760 <hfi1_ipoib_sdma_complete>, packet_len = 0x46d, tlen = 0x0, num_desc = 0x0, desc_limit = 0x6, next_descq_idx = 0x45c, coalesce_idx = 0x0, flags = 0x0, descs = {{ qw = {0x8024000120dffb00, 0x4} # SDMA_DESC0_FIRST_DESC_FLAG (bit 63) }, { qw = { 0x3800014231b108, 0x4} }, { qw = { 0x310000e4ee0fcf0, 0x8} }, { qw = { 0x3000012e9f8000, 0x8} }, { qw = { 0x59000dfb9d0000, 0x8} }, { qw = { 0x78000e02e40000, 0x8} }} }, sdma_hdr = 0x400300015528b000, <<< invalid pointer in the tx request structure sdma_status = 0x0, SDMA_DESC0_LAST_DESC_FLAG (bit 62) complete = 0x0, priv = 0x0, txq = 0xffff9cfea4e69880, skb = 0xffff9d099809f400 } With this patch the crashes are no longer reproducible and the machine is stable. Note, the header file changes are just an unrelated clean-up while I was looking around trying to find the bug. Fixes: fd8958efe877 ("IB/hfi1: Fix sdma.h tx->num_descs off-by-one errors") Cc: stable@vger.kernel.org Reported-by: Mats Kronberg <kronberg@nsc.liu.se> Tested-by: Mats Kronberg <kronberg@nsc.liu.se> Signed-off-by: Daniel Vacek <neelx@redhat.com> --- drivers/infiniband/hw/hfi1/sdma.c | 2 +- drivers/infiniband/hw/hfi1/sdma.h | 17 +++++++---------- 2 files changed, 8 insertions(+), 11 deletions(-)