public inbox for linux-rdma@vger.kernel.org
 help / color / mirror / Atom feed
* [PATCH] mlx4: Fix chunk sg list overflow in mlx4_alloc_icm()
@ 2010-04-30 11:21 sebastien dugue
  2010-05-03  6:27 ` Eli Cohen
  2010-05-05 17:42 ` Roland Dreier
  0 siblings, 2 replies; 5+ messages in thread
From: sebastien dugue @ 2010-04-30 11:21 UTC (permalink / raw)
  To: linux-rdma; +Cc: Roland Dreier


  If the number of sg entries in the ICM chunk reaches MLX4_ICM_CHUNK_LEN,
we must set chunk = NULL __even__ for coherent mappings (as is done for
mthca). Otherwise we may overflow the sg list.

Signed-off-by: Sebastien Dugue <sebastien.dugue-6ktuUTfB/bM@public.gmane.org>
---
 drivers/net/mlx4/icm.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

diff --git a/drivers/net/mlx4/icm.c b/drivers/net/mlx4/icm.c
index 57288ca..ef62f17 100644
--- a/drivers/net/mlx4/icm.c
+++ b/drivers/net/mlx4/icm.c
@@ -175,9 +175,10 @@ struct mlx4_icm *mlx4_alloc_icm(struct mlx4_dev *dev, int npages,
 
 				if (chunk->nsg <= 0)
 					goto fail;
+			}
 
+			if (chunk->npages == MLX4_ICM_CHUNK_LEN)
 				chunk = NULL;
-			}
 
 			npages -= 1 << cur_order;
 		} else {
-- 
1.6.0.4

--
To unsubscribe from this list: send the line "unsubscribe linux-rdma" in
the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

^ permalink raw reply related	[flat|nested] 5+ messages in thread
* Re: [PATCH] mlx4: Fix chunk sg list overflow in mlx4_alloc_icm()
  2010-04-30 11:21 [PATCH] mlx4: Fix chunk sg list overflow in mlx4_alloc_icm() sebastien dugue
@ 2010-05-03  6:27 ` Eli Cohen
  2010-05-05 17:42 ` Roland Dreier
  1 sibling, 0 replies; 5+ messages in thread
From: Eli Cohen @ 2010-05-03  6:27 UTC (permalink / raw)
  To: sebastien dugue; +Cc: linux-rdma, Roland Dreier

Looks like a valid fix to me.

On Fri, Apr 30, 2010 at 01:21:31PM +0200, sebastien dugue wrote:
> 
>   If the number of sg entries in the ICM chunk reaches MLX4_ICM_CHUNK_LEN,
> we must set chunk = NULL __even__ for coherent mappings (as is done for
> mthca). Otherwise we may overflow the sg list.
> 
> Signed-off-by: Sebastien Dugue <sebastien.dugue-6ktuUTfB/bM@public.gmane.org>
> ---
>  drivers/net/mlx4/icm.c |    3 ++-
>  1 files changed, 2 insertions(+), 1 deletions(-)
> 
> diff --git a/drivers/net/mlx4/icm.c b/drivers/net/mlx4/icm.c
> index 57288ca..ef62f17 100644
> --- a/drivers/net/mlx4/icm.c
> +++ b/drivers/net/mlx4/icm.c
> @@ -175,9 +175,10 @@ struct mlx4_icm *mlx4_alloc_icm(struct mlx4_dev *dev, int npages,
>  
>  				if (chunk->nsg <= 0)
>  					goto fail;
> +			}
>  
> +			if (chunk->npages == MLX4_ICM_CHUNK_LEN)
>  				chunk = NULL;
> -			}
>  
>  			npages -= 1 << cur_order;
>  		} else {
> -- 
> 1.6.0.4
> 
> --
> To unsubscribe from this list: send the line "unsubscribe linux-rdma" in
> the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
--
To unsubscribe from this list: send the line "unsubscribe linux-rdma" in
the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

^ permalink raw reply	[flat|nested] 5+ messages in thread
* Re: [PATCH] mlx4: Fix chunk sg list overflow in mlx4_alloc_icm()
  2010-04-30 11:21 [PATCH] mlx4: Fix chunk sg list overflow in mlx4_alloc_icm() sebastien dugue
  2010-05-03  6:27 ` Eli Cohen
@ 2010-05-05 17:42 ` Roland Dreier
       [not found]   ` <adatyqmmej0.fsf-BjVyx320WGW9gfZ95n9DRSW4+XlvGpQz@public.gmane.org>
  1 sibling, 1 reply; 5+ messages in thread
From: Roland Dreier @ 2010-05-05 17:42 UTC (permalink / raw)
  To: sebastien dugue; +Cc: Eli Cohen, linux-rdma

good catch, applied.  Did this hit you in practice?  I guess it would
take a big coherent ICM allocation, were you getting those?

Also what do you think of this independent cleanup on top of your patch?
It handles the error case for allocation and then avoids having the
common case inside a deeper nested block:

 drivers/net/mlx4/icm.c |   37 +++++++++++++++++++------------------
 1 files changed, 19 insertions(+), 18 deletions(-)

diff --git a/drivers/net/mlx4/icm.c b/drivers/net/mlx4/icm.c
index ef62f17..b07e4de 100644
--- a/drivers/net/mlx4/icm.c
+++ b/drivers/net/mlx4/icm.c
@@ -163,29 +163,30 @@ struct mlx4_icm *mlx4_alloc_icm(struct mlx4_dev *dev, int npages,
 			ret = mlx4_alloc_icm_pages(&chunk->mem[chunk->npages],
 						   cur_order, gfp_mask);
 
-		if (!ret) {
-			++chunk->npages;
-
-			if (coherent)
-				++chunk->nsg;
-			else if (chunk->npages == MLX4_ICM_CHUNK_LEN) {
-				chunk->nsg = pci_map_sg(dev->pdev, chunk->mem,
-							chunk->npages,
-							PCI_DMA_BIDIRECTIONAL);
-
-				if (chunk->nsg <= 0)
-					goto fail;
-			}
+		if (ret) {
+			if (--cur_order < 0)
+				goto fail;
+			else
+				continue;
+		}
 
-			if (chunk->npages == MLX4_ICM_CHUNK_LEN)
-				chunk = NULL;
+		++chunk->npages;
 
-			npages -= 1 << cur_order;
-		} else {
-			--cur_order;
-			if (cur_order < 0)
+		if (coherent)
+			++chunk->nsg;
+		else if (chunk->npages == MLX4_ICM_CHUNK_LEN) {
+			chunk->nsg = pci_map_sg(dev->pdev, chunk->mem,
+						chunk->npages,
+						PCI_DMA_BIDIRECTIONAL);
+
+			if (chunk->nsg <= 0)
 				goto fail;
 		}
+
+		if (chunk->npages == MLX4_ICM_CHUNK_LEN)
+			chunk = NULL;
+
+		npages -= 1 << cur_order;
 	}
 
 	if (!coherent && chunk) {

-- 
Roland Dreier <rolandd-FYB4Gu1CFyUAvxtiuMwx3w@public.gmane.org> || For corporate legal information go to:
http://www.cisco.com/web/about/doing_business/legal/cri/index.html
--
To unsubscribe from this list: send the line "unsubscribe linux-rdma" in
the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

^ permalink raw reply related	[flat|nested] 5+ messages in thread
* Re: [PATCH] mlx4: Fix chunk sg list overflow in mlx4_alloc_icm()
       [not found]   ` <adatyqmmej0.fsf-BjVyx320WGW9gfZ95n9DRSW4+XlvGpQz@public.gmane.org>
@ 2010-05-06  6:04     ` sebastien dugue
  2010-05-06 16:08       ` Roland Dreier
  0 siblings, 1 reply; 5+ messages in thread
From: sebastien dugue @ 2010-05-06  6:04 UTC (permalink / raw)
  To: Roland Dreier; +Cc: Eli Cohen, linux-rdma


  Hi Roland,

On Wed, 05 May 2010 10:42:11 -0700
Roland Dreier <rdreier-FYB4Gu1CFyUAvxtiuMwx3w@public.gmane.org> wrote:

> good catch, applied.  Did this hit you in practice?  I guess it would
> take a big coherent ICM allocation, were you getting those?

  Yes, some customer got hit by this, which ended up corrupting memory.

> 
> Also what do you think of this independent cleanup on top of your patch?
> It handles the error case for allocation and then avoids having the
> common case inside a deeper nested block:

  No problem, it indeed makes the code more readable.

  Thanks,

  Sebastien.

> 
>  drivers/net/mlx4/icm.c |   37 +++++++++++++++++++------------------
>  1 files changed, 19 insertions(+), 18 deletions(-)
> 
> diff --git a/drivers/net/mlx4/icm.c b/drivers/net/mlx4/icm.c
> index ef62f17..b07e4de 100644
> --- a/drivers/net/mlx4/icm.c
> +++ b/drivers/net/mlx4/icm.c
> @@ -163,29 +163,30 @@ struct mlx4_icm *mlx4_alloc_icm(struct mlx4_dev *dev, int npages,
>  			ret = mlx4_alloc_icm_pages(&chunk->mem[chunk->npages],
>  						   cur_order, gfp_mask);
>  
> -		if (!ret) {
> -			++chunk->npages;
> -
> -			if (coherent)
> -				++chunk->nsg;
> -			else if (chunk->npages == MLX4_ICM_CHUNK_LEN) {
> -				chunk->nsg = pci_map_sg(dev->pdev, chunk->mem,
> -							chunk->npages,
> -							PCI_DMA_BIDIRECTIONAL);
> -
> -				if (chunk->nsg <= 0)
> -					goto fail;
> -			}
> +		if (ret) {
> +			if (--cur_order < 0)
> +				goto fail;
> +			else
> +				continue;
> +		}
>  
> -			if (chunk->npages == MLX4_ICM_CHUNK_LEN)
> -				chunk = NULL;
> +		++chunk->npages;
>  
> -			npages -= 1 << cur_order;
> -		} else {
> -			--cur_order;
> -			if (cur_order < 0)
> +		if (coherent)
> +			++chunk->nsg;
> +		else if (chunk->npages == MLX4_ICM_CHUNK_LEN) {
> +			chunk->nsg = pci_map_sg(dev->pdev, chunk->mem,
> +						chunk->npages,
> +						PCI_DMA_BIDIRECTIONAL);
> +
> +			if (chunk->nsg <= 0)
>  				goto fail;
>  		}
> +
> +		if (chunk->npages == MLX4_ICM_CHUNK_LEN)
> +			chunk = NULL;
> +
> +		npages -= 1 << cur_order;
>  	}
>  
>  	if (!coherent && chunk) {
> 
--
To unsubscribe from this list: send the line "unsubscribe linux-rdma" in
the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

^ permalink raw reply	[flat|nested] 5+ messages in thread
* Re: [PATCH] mlx4: Fix chunk sg list overflow in mlx4_alloc_icm()
  2010-05-06  6:04     ` sebastien dugue
@ 2010-05-06 16:08       ` Roland Dreier
  0 siblings, 0 replies; 5+ messages in thread
From: Roland Dreier @ 2010-05-06 16:08 UTC (permalink / raw)
  To: sebastien dugue; +Cc: Eli Cohen, linux-rdma

 >  Yes, some customer got hit by this, which ended up corrupting memory.

I'll tag it for stable kernels too then.  Thanks.
-- 
Roland Dreier <rolandd-FYB4Gu1CFyUAvxtiuMwx3w@public.gmane.org> || For corporate legal information go to:
http://www.cisco.com/web/about/doing_business/legal/cri/index.html
--
To unsubscribe from this list: send the line "unsubscribe linux-rdma" in
the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

^ permalink raw reply	[flat|nested] 5+ messages in thread
end of thread, other threads:[~2010-05-06 16:08 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2010-04-30 11:21 [PATCH] mlx4: Fix chunk sg list overflow in mlx4_alloc_icm() sebastien dugue
2010-05-03  6:27 ` Eli Cohen
2010-05-05 17:42 ` Roland Dreier
     [not found]   ` <adatyqmmej0.fsf-BjVyx320WGW9gfZ95n9DRSW4+XlvGpQz@public.gmane.org>
2010-05-06  6:04     ` sebastien dugue
2010-05-06 16:08       ` Roland Dreier

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox