a3285aa4ee
Fix races in in destroying various objects. If a destroy routine waits for an object to become free by doing wait_event(&obj->wait, !atomic_read(&obj->refcount)); /* now clean up and destroy the object */ and another place drops a reference to the object by doing if (atomic_dec_and_test(&obj->refcount)) wake_up(&obj->wait); then this is susceptible to a race where the wait_event() and final freeing of the object occur between the atomic_dec_and_test() and the wake_up(). And this is a use-after-free, since wake_up() will be called on part of the already-freed object. Fix this in mthca by replacing the atomic_t refcounts with plain old integers protected by a spinlock. This makes it possible to do the decrement of the reference count and the wake_up() so that it appears as a single atomic operation to the code waiting on the wait queue. While touching this code, also simplify mthca_cq_clean(): the CQ being cleaned cannot go away, because it still has a QP attached to it. So there's no reason to be paranoid and look up the CQ by number; it's perfectly safe to use the pointer that the callers already have. Signed-off-by: Roland Dreier <rolandd@cisco.com>
340 lines
8.8 KiB
C
340 lines
8.8 KiB
C
/*
|
|
* Copyright (c) 2004 Topspin Communications. All rights reserved.
|
|
* Copyright (c) 2005, 2006 Cisco Systems. All rights reserved.
|
|
* Copyright (c) 2005 Mellanox Technologies. All rights reserved.
|
|
*
|
|
* This software is available to you under a choice of one of two
|
|
* licenses. You may choose to be licensed under the terms of the GNU
|
|
* General Public License (GPL) Version 2, available from the file
|
|
* COPYING in the main directory of this source tree, or the
|
|
* OpenIB.org BSD license below:
|
|
*
|
|
* Redistribution and use in source and binary forms, with or
|
|
* without modification, are permitted provided that the following
|
|
* conditions are met:
|
|
*
|
|
* - Redistributions of source code must retain the above
|
|
* copyright notice, this list of conditions and the following
|
|
* disclaimer.
|
|
*
|
|
* - Redistributions in binary form must reproduce the above
|
|
* copyright notice, this list of conditions and the following
|
|
* disclaimer in the documentation and/or other materials
|
|
* provided with the distribution.
|
|
*
|
|
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
|
|
* EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
|
|
* MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
|
|
* NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
|
|
* BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
|
|
* ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
|
|
* CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
|
|
* SOFTWARE.
|
|
*
|
|
* $Id: mthca_provider.h 1349 2004-12-16 21:09:43Z roland $
|
|
*/
|
|
|
|
#ifndef MTHCA_PROVIDER_H
|
|
#define MTHCA_PROVIDER_H
|
|
|
|
#include <rdma/ib_verbs.h>
|
|
#include <rdma/ib_pack.h>
|
|
|
|
#define MTHCA_MPT_FLAG_ATOMIC (1 << 14)
|
|
#define MTHCA_MPT_FLAG_REMOTE_WRITE (1 << 13)
|
|
#define MTHCA_MPT_FLAG_REMOTE_READ (1 << 12)
|
|
#define MTHCA_MPT_FLAG_LOCAL_WRITE (1 << 11)
|
|
#define MTHCA_MPT_FLAG_LOCAL_READ (1 << 10)
|
|
|
|
struct mthca_buf_list {
|
|
void *buf;
|
|
DECLARE_PCI_UNMAP_ADDR(mapping)
|
|
};
|
|
|
|
union mthca_buf {
|
|
struct mthca_buf_list direct;
|
|
struct mthca_buf_list *page_list;
|
|
};
|
|
|
|
struct mthca_uar {
|
|
unsigned long pfn;
|
|
int index;
|
|
};
|
|
|
|
struct mthca_user_db_table;
|
|
|
|
struct mthca_ucontext {
|
|
struct ib_ucontext ibucontext;
|
|
struct mthca_uar uar;
|
|
struct mthca_user_db_table *db_tab;
|
|
};
|
|
|
|
struct mthca_mtt;
|
|
|
|
struct mthca_mr {
|
|
struct ib_mr ibmr;
|
|
struct mthca_mtt *mtt;
|
|
};
|
|
|
|
struct mthca_fmr {
|
|
struct ib_fmr ibmr;
|
|
struct ib_fmr_attr attr;
|
|
struct mthca_mtt *mtt;
|
|
int maps;
|
|
union {
|
|
struct {
|
|
struct mthca_mpt_entry __iomem *mpt;
|
|
u64 __iomem *mtts;
|
|
} tavor;
|
|
struct {
|
|
struct mthca_mpt_entry *mpt;
|
|
__be64 *mtts;
|
|
} arbel;
|
|
} mem;
|
|
};
|
|
|
|
struct mthca_pd {
|
|
struct ib_pd ibpd;
|
|
u32 pd_num;
|
|
atomic_t sqp_count;
|
|
struct mthca_mr ntmr;
|
|
int privileged;
|
|
};
|
|
|
|
struct mthca_eq {
|
|
struct mthca_dev *dev;
|
|
int eqn;
|
|
u32 eqn_mask;
|
|
u32 cons_index;
|
|
u16 msi_x_vector;
|
|
u16 msi_x_entry;
|
|
int have_irq;
|
|
int nent;
|
|
struct mthca_buf_list *page_list;
|
|
struct mthca_mr mr;
|
|
};
|
|
|
|
struct mthca_av;
|
|
|
|
enum mthca_ah_type {
|
|
MTHCA_AH_ON_HCA,
|
|
MTHCA_AH_PCI_POOL,
|
|
MTHCA_AH_KMALLOC
|
|
};
|
|
|
|
struct mthca_ah {
|
|
struct ib_ah ibah;
|
|
enum mthca_ah_type type;
|
|
u32 key;
|
|
struct mthca_av *av;
|
|
dma_addr_t avdma;
|
|
};
|
|
|
|
/*
|
|
* Quick description of our CQ/QP locking scheme:
|
|
*
|
|
* We have one global lock that protects dev->cq/qp_table. Each
|
|
* struct mthca_cq/qp also has its own lock. An individual qp lock
|
|
* may be taken inside of an individual cq lock. Both cqs attached to
|
|
* a qp may be locked, with the send cq locked first. No other
|
|
* nesting should be done.
|
|
*
|
|
* Each struct mthca_cq/qp also has an ref count, protected by the
|
|
* corresponding table lock. The pointer from the cq/qp_table to the
|
|
* struct counts as one reference. This reference also is good for
|
|
* access through the consumer API, so modifying the CQ/QP etc doesn't
|
|
* need to take another reference. Access to a QP because of a
|
|
* completion being polled does not need a reference either.
|
|
*
|
|
* Finally, each struct mthca_cq/qp has a wait_queue_head_t for the
|
|
* destroy function to sleep on.
|
|
*
|
|
* This means that access from the consumer API requires nothing but
|
|
* taking the struct's lock.
|
|
*
|
|
* Access because of a completion event should go as follows:
|
|
* - lock cq/qp_table and look up struct
|
|
* - increment ref count in struct
|
|
* - drop cq/qp_table lock
|
|
* - lock struct, do your thing, and unlock struct
|
|
* - decrement ref count; if zero, wake up waiters
|
|
*
|
|
* To destroy a CQ/QP, we can do the following:
|
|
* - lock cq/qp_table
|
|
* - remove pointer and decrement ref count
|
|
* - unlock cq/qp_table lock
|
|
* - wait_event until ref count is zero
|
|
*
|
|
* It is the consumer's responsibilty to make sure that no QP
|
|
* operations (WQE posting or state modification) are pending when a
|
|
* QP is destroyed. Also, the consumer must make sure that calls to
|
|
* qp_modify are serialized. Similarly, the consumer is responsible
|
|
* for ensuring that no CQ resize operations are pending when a CQ
|
|
* is destroyed.
|
|
*
|
|
* Possible optimizations (wait for profile data to see if/where we
|
|
* have locks bouncing between CPUs):
|
|
* - split cq/qp table lock into n separate (cache-aligned) locks,
|
|
* indexed (say) by the page in the table
|
|
* - split QP struct lock into three (one for common info, one for the
|
|
* send queue and one for the receive queue)
|
|
*/
|
|
|
|
struct mthca_cq_buf {
|
|
union mthca_buf queue;
|
|
struct mthca_mr mr;
|
|
int is_direct;
|
|
};
|
|
|
|
struct mthca_cq_resize {
|
|
struct mthca_cq_buf buf;
|
|
int cqe;
|
|
enum {
|
|
CQ_RESIZE_ALLOC,
|
|
CQ_RESIZE_READY,
|
|
CQ_RESIZE_SWAPPED
|
|
} state;
|
|
};
|
|
|
|
struct mthca_cq {
|
|
struct ib_cq ibcq;
|
|
spinlock_t lock;
|
|
int refcount;
|
|
int cqn;
|
|
u32 cons_index;
|
|
struct mthca_cq_buf buf;
|
|
struct mthca_cq_resize *resize_buf;
|
|
int is_kernel;
|
|
|
|
/* Next fields are Arbel only */
|
|
int set_ci_db_index;
|
|
__be32 *set_ci_db;
|
|
int arm_db_index;
|
|
__be32 *arm_db;
|
|
int arm_sn;
|
|
|
|
wait_queue_head_t wait;
|
|
};
|
|
|
|
struct mthca_srq {
|
|
struct ib_srq ibsrq;
|
|
spinlock_t lock;
|
|
int refcount;
|
|
int srqn;
|
|
int max;
|
|
int max_gs;
|
|
int wqe_shift;
|
|
int first_free;
|
|
int last_free;
|
|
u16 counter; /* Arbel only */
|
|
int db_index; /* Arbel only */
|
|
__be32 *db; /* Arbel only */
|
|
void *last;
|
|
|
|
int is_direct;
|
|
u64 *wrid;
|
|
union mthca_buf queue;
|
|
struct mthca_mr mr;
|
|
|
|
wait_queue_head_t wait;
|
|
};
|
|
|
|
struct mthca_wq {
|
|
spinlock_t lock;
|
|
int max;
|
|
unsigned next_ind;
|
|
unsigned last_comp;
|
|
unsigned head;
|
|
unsigned tail;
|
|
void *last;
|
|
int max_gs;
|
|
int wqe_shift;
|
|
|
|
int db_index; /* Arbel only */
|
|
__be32 *db;
|
|
};
|
|
|
|
struct mthca_qp {
|
|
struct ib_qp ibqp;
|
|
int refcount;
|
|
u32 qpn;
|
|
int is_direct;
|
|
u8 port; /* for SQP and memfree use only */
|
|
u8 alt_port; /* for memfree use only */
|
|
u8 transport;
|
|
u8 state;
|
|
u8 atomic_rd_en;
|
|
u8 resp_depth;
|
|
|
|
struct mthca_mr mr;
|
|
|
|
struct mthca_wq rq;
|
|
struct mthca_wq sq;
|
|
enum ib_sig_type sq_policy;
|
|
int send_wqe_offset;
|
|
int max_inline_data;
|
|
|
|
u64 *wrid;
|
|
union mthca_buf queue;
|
|
|
|
wait_queue_head_t wait;
|
|
};
|
|
|
|
struct mthca_sqp {
|
|
struct mthca_qp qp;
|
|
int pkey_index;
|
|
u32 qkey;
|
|
u32 send_psn;
|
|
struct ib_ud_header ud_header;
|
|
int header_buf_size;
|
|
void *header_buf;
|
|
dma_addr_t header_dma;
|
|
};
|
|
|
|
static inline struct mthca_ucontext *to_mucontext(struct ib_ucontext *ibucontext)
|
|
{
|
|
return container_of(ibucontext, struct mthca_ucontext, ibucontext);
|
|
}
|
|
|
|
static inline struct mthca_fmr *to_mfmr(struct ib_fmr *ibmr)
|
|
{
|
|
return container_of(ibmr, struct mthca_fmr, ibmr);
|
|
}
|
|
|
|
static inline struct mthca_mr *to_mmr(struct ib_mr *ibmr)
|
|
{
|
|
return container_of(ibmr, struct mthca_mr, ibmr);
|
|
}
|
|
|
|
static inline struct mthca_pd *to_mpd(struct ib_pd *ibpd)
|
|
{
|
|
return container_of(ibpd, struct mthca_pd, ibpd);
|
|
}
|
|
|
|
static inline struct mthca_ah *to_mah(struct ib_ah *ibah)
|
|
{
|
|
return container_of(ibah, struct mthca_ah, ibah);
|
|
}
|
|
|
|
static inline struct mthca_cq *to_mcq(struct ib_cq *ibcq)
|
|
{
|
|
return container_of(ibcq, struct mthca_cq, ibcq);
|
|
}
|
|
|
|
static inline struct mthca_srq *to_msrq(struct ib_srq *ibsrq)
|
|
{
|
|
return container_of(ibsrq, struct mthca_srq, ibsrq);
|
|
}
|
|
|
|
static inline struct mthca_qp *to_mqp(struct ib_qp *ibqp)
|
|
{
|
|
return container_of(ibqp, struct mthca_qp, ibqp);
|
|
}
|
|
|
|
static inline struct mthca_sqp *to_msqp(struct mthca_qp *qp)
|
|
{
|
|
return container_of(qp, struct mthca_sqp, qp);
|
|
}
|
|
|
|
#endif /* MTHCA_PROVIDER_H */
|