* [PATCH] mlx4: Fix chunk sg list overflow in mlx4_alloc_icm() @ 2010-04-30 11:21 sebastien dugue 2010-05-03 6:27 ` Eli Cohen 2010-05-05 17:42 ` Roland Dreier 0 siblings, 2 replies; 5+ messages in thread From: sebastien dugue @ 2010-04-30 11:21 UTC (permalink / raw) To: linux-rdma; +Cc: Roland Dreier If the number of sg entries in the ICM chunk reaches MLX4_ICM_CHUNK_LEN, we must set chunk = NULL __even__ for coherent mappings (as is done for mthca). Otherwise we may overflow the sg list. Signed-off-by: Sebastien Dugue <sebastien.dugue-6ktuUTfB/bM@public.gmane.org> --- drivers/net/mlx4/icm.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) diff --git a/drivers/net/mlx4/icm.c b/drivers/net/mlx4/icm.c index 57288ca..ef62f17 100644 --- a/drivers/net/mlx4/icm.c +++ b/drivers/net/mlx4/icm.c @@ -175,9 +175,10 @@ struct mlx4_icm *mlx4_alloc_icm(struct mlx4_dev *dev, int npages, if (chunk->nsg <= 0) goto fail; + } + if (chunk->npages == MLX4_ICM_CHUNK_LEN) chunk = NULL; - } npages -= 1 << cur_order; } else { -- 1.6.0.4 -- To unsubscribe from this list: send the line "unsubscribe linux-rdma" in the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org More majordomo info at http://vger.kernel.org/majordomo-info.html ^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [PATCH] mlx4: Fix chunk sg list overflow in mlx4_alloc_icm() 2010-04-30 11:21 [PATCH] mlx4: Fix chunk sg list overflow in mlx4_alloc_icm() sebastien dugue @ 2010-05-03 6:27 ` Eli Cohen 2010-05-05 17:42 ` Roland Dreier 1 sibling, 0 replies; 5+ messages in thread From: Eli Cohen @ 2010-05-03 6:27 UTC (permalink / raw) To: sebastien dugue; +Cc: linux-rdma, Roland Dreier Looks like a valid fix to me. On Fri, Apr 30, 2010 at 01:21:31PM +0200, sebastien dugue wrote: > > If the number of sg entries in the ICM chunk reaches MLX4_ICM_CHUNK_LEN, > we must set chunk = NULL __even__ for coherent mappings (as is done for > mthca). Otherwise we may overflow the sg list. > > Signed-off-by: Sebastien Dugue <sebastien.dugue-6ktuUTfB/bM@public.gmane.org> > --- > drivers/net/mlx4/icm.c | 3 ++- > 1 files changed, 2 insertions(+), 1 deletions(-) > > diff --git a/drivers/net/mlx4/icm.c b/drivers/net/mlx4/icm.c > index 57288ca..ef62f17 100644 > --- a/drivers/net/mlx4/icm.c > +++ b/drivers/net/mlx4/icm.c > @@ -175,9 +175,10 @@ struct mlx4_icm *mlx4_alloc_icm(struct mlx4_dev *dev, int npages, > > if (chunk->nsg <= 0) > goto fail; > + } > > + if (chunk->npages == MLX4_ICM_CHUNK_LEN) > chunk = NULL; > - } > > npages -= 1 << cur_order; > } else { > -- > 1.6.0.4 > > -- > To unsubscribe from this list: send the line "unsubscribe linux-rdma" in > the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org > More majordomo info at http://vger.kernel.org/majordomo-info.html -- To unsubscribe from this list: send the line "unsubscribe linux-rdma" in the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org More majordomo info at http://vger.kernel.org/majordomo-info.html ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH] mlx4: Fix chunk sg list overflow in mlx4_alloc_icm() 2010-04-30 11:21 [PATCH] mlx4: Fix chunk sg list overflow in mlx4_alloc_icm() sebastien dugue 2010-05-03 6:27 ` Eli Cohen @ 2010-05-05 17:42 ` Roland Dreier [not found] ` <adatyqmmej0.fsf-BjVyx320WGW9gfZ95n9DRSW4+XlvGpQz@public.gmane.org> 1 sibling, 1 reply; 5+ messages in thread From: Roland Dreier @ 2010-05-05 17:42 UTC (permalink / raw) To: sebastien dugue; +Cc: Eli Cohen, linux-rdma good catch, applied. Did this hit you in practice? I guess it would take a big coherent ICM allocation, were you getting those? Also what do you think of this independent cleanup on top of your patch? It handles the error case for allocation and then avoids having the common case inside a deeper nested block: drivers/net/mlx4/icm.c | 37 +++++++++++++++++++------------------ 1 files changed, 19 insertions(+), 18 deletions(-) diff --git a/drivers/net/mlx4/icm.c b/drivers/net/mlx4/icm.c index ef62f17..b07e4de 100644 --- a/drivers/net/mlx4/icm.c +++ b/drivers/net/mlx4/icm.c @@ -163,29 +163,30 @@ struct mlx4_icm *mlx4_alloc_icm(struct mlx4_dev *dev, int npages, ret = mlx4_alloc_icm_pages(&chunk->mem[chunk->npages], cur_order, gfp_mask); - if (!ret) { - ++chunk->npages; - - if (coherent) - ++chunk->nsg; - else if (chunk->npages == MLX4_ICM_CHUNK_LEN) { - chunk->nsg = pci_map_sg(dev->pdev, chunk->mem, - chunk->npages, - PCI_DMA_BIDIRECTIONAL); - - if (chunk->nsg <= 0) - goto fail; - } + if (ret) { + if (--cur_order < 0) + goto fail; + else + continue; + } - if (chunk->npages == MLX4_ICM_CHUNK_LEN) - chunk = NULL; + ++chunk->npages; - npages -= 1 << cur_order; - } else { - --cur_order; - if (cur_order < 0) + if (coherent) + ++chunk->nsg; + else if (chunk->npages == MLX4_ICM_CHUNK_LEN) { + chunk->nsg = pci_map_sg(dev->pdev, chunk->mem, + chunk->npages, + PCI_DMA_BIDIRECTIONAL); + + if (chunk->nsg <= 0) goto fail; } + + if (chunk->npages == MLX4_ICM_CHUNK_LEN) + chunk = NULL; + + npages -= 1 << cur_order; } if (!coherent && chunk) { -- Roland Dreier <rolandd-FYB4Gu1CFyUAvxtiuMwx3w@public.gmane.org> || For corporate legal information go to: http://www.cisco.com/web/about/doing_business/legal/cri/index.html -- To unsubscribe from this list: send the line "unsubscribe linux-rdma" in the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org More majordomo info at http://vger.kernel.org/majordomo-info.html ^ permalink raw reply related [flat|nested] 5+ messages in thread
[parent not found: <adatyqmmej0.fsf-BjVyx320WGW9gfZ95n9DRSW4+XlvGpQz@public.gmane.org>]
* Re: [PATCH] mlx4: Fix chunk sg list overflow in mlx4_alloc_icm() [not found] ` <adatyqmmej0.fsf-BjVyx320WGW9gfZ95n9DRSW4+XlvGpQz@public.gmane.org> @ 2010-05-06 6:04 ` sebastien dugue 2010-05-06 16:08 ` Roland Dreier 0 siblings, 1 reply; 5+ messages in thread From: sebastien dugue @ 2010-05-06 6:04 UTC (permalink / raw) To: Roland Dreier; +Cc: Eli Cohen, linux-rdma Hi Roland, On Wed, 05 May 2010 10:42:11 -0700 Roland Dreier <rdreier-FYB4Gu1CFyUAvxtiuMwx3w@public.gmane.org> wrote: > good catch, applied. Did this hit you in practice? I guess it would > take a big coherent ICM allocation, were you getting those? Yes, some customer got hit by this, which ended up corrupting memory. > > Also what do you think of this independent cleanup on top of your patch? > It handles the error case for allocation and then avoids having the > common case inside a deeper nested block: No problem, it indeed makes the code more readable. Thanks, Sebastien. > > drivers/net/mlx4/icm.c | 37 +++++++++++++++++++------------------ > 1 files changed, 19 insertions(+), 18 deletions(-) > > diff --git a/drivers/net/mlx4/icm.c b/drivers/net/mlx4/icm.c > index ef62f17..b07e4de 100644 > --- a/drivers/net/mlx4/icm.c > +++ b/drivers/net/mlx4/icm.c > @@ -163,29 +163,30 @@ struct mlx4_icm *mlx4_alloc_icm(struct mlx4_dev *dev, int npages, > ret = mlx4_alloc_icm_pages(&chunk->mem[chunk->npages], > cur_order, gfp_mask); > > - if (!ret) { > - ++chunk->npages; > - > - if (coherent) > - ++chunk->nsg; > - else if (chunk->npages == MLX4_ICM_CHUNK_LEN) { > - chunk->nsg = pci_map_sg(dev->pdev, chunk->mem, > - chunk->npages, > - PCI_DMA_BIDIRECTIONAL); > - > - if (chunk->nsg <= 0) > - goto fail; > - } > + if (ret) { > + if (--cur_order < 0) > + goto fail; > + else > + continue; > + } > > - if (chunk->npages == MLX4_ICM_CHUNK_LEN) > - chunk = NULL; > + ++chunk->npages; > > - npages -= 1 << cur_order; > - } else { > - --cur_order; > - if (cur_order < 0) > + if (coherent) > + ++chunk->nsg; > + else if (chunk->npages == MLX4_ICM_CHUNK_LEN) { > + chunk->nsg = pci_map_sg(dev->pdev, chunk->mem, > + chunk->npages, > + PCI_DMA_BIDIRECTIONAL); > + > + if (chunk->nsg <= 0) > goto fail; > } > + > + if (chunk->npages == MLX4_ICM_CHUNK_LEN) > + chunk = NULL; > + > + npages -= 1 << cur_order; > } > > if (!coherent && chunk) { > -- To unsubscribe from this list: send the line "unsubscribe linux-rdma" in the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org More majordomo info at http://vger.kernel.org/majordomo-info.html ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH] mlx4: Fix chunk sg list overflow in mlx4_alloc_icm() 2010-05-06 6:04 ` sebastien dugue @ 2010-05-06 16:08 ` Roland Dreier 0 siblings, 0 replies; 5+ messages in thread From: Roland Dreier @ 2010-05-06 16:08 UTC (permalink / raw) To: sebastien dugue; +Cc: Eli Cohen, linux-rdma > Yes, some customer got hit by this, which ended up corrupting memory. I'll tag it for stable kernels too then. Thanks. -- Roland Dreier <rolandd-FYB4Gu1CFyUAvxtiuMwx3w@public.gmane.org> || For corporate legal information go to: http://www.cisco.com/web/about/doing_business/legal/cri/index.html -- To unsubscribe from this list: send the line "unsubscribe linux-rdma" in the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org More majordomo info at http://vger.kernel.org/majordomo-info.html ^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2010-05-06 16:08 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2010-04-30 11:21 [PATCH] mlx4: Fix chunk sg list overflow in mlx4_alloc_icm() sebastien dugue
2010-05-03 6:27 ` Eli Cohen
2010-05-05 17:42 ` Roland Dreier
[not found] ` <adatyqmmej0.fsf-BjVyx320WGW9gfZ95n9DRSW4+XlvGpQz@public.gmane.org>
2010-05-06 6:04 ` sebastien dugue
2010-05-06 16:08 ` Roland Dreier
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox