Showing error 1734

User: Jiri Slaby
Error type: Invalid Pointer Dereference
Error type description: A pointer which is invalid is being dereferenced
File location: drivers/infiniband/hw/mthca/mthca_mad.c
Line in file: 176
Project: Linux Kernel
Project version: 2.6.28
Tools: Smatch (1.59)
Entered: 2013-09-10 20:24:52 UTC


Source:

  1/*
  2 * Copyright (c) 2004 Topspin Communications.  All rights reserved.
  3 * Copyright (c) 2005 Mellanox Technologies. All rights reserved.
  4 * Copyright (c) 2004 Voltaire, Inc. All rights reserved.
  5 *
  6 * This software is available to you under a choice of one of two
  7 * licenses.  You may choose to be licensed under the terms of the GNU
  8 * General Public License (GPL) Version 2, available from the file
  9 * COPYING in the main directory of this source tree, or the
 10 * OpenIB.org BSD license below:
 11 *
 12 *     Redistribution and use in source and binary forms, with or
 13 *     without modification, are permitted provided that the following
 14 *     conditions are met:
 15 *
 16 *      - Redistributions of source code must retain the above
 17 *        copyright notice, this list of conditions and the following
 18 *        disclaimer.
 19 *
 20 *      - Redistributions in binary form must reproduce the above
 21 *        copyright notice, this list of conditions and the following
 22 *        disclaimer in the documentation and/or other materials
 23 *        provided with the distribution.
 24 *
 25 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
 26 * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
 27 * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
 28 * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
 29 * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
 30 * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
 31 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 32 * SOFTWARE.
 33 */
 34
 35#include <linux/string.h>
 36#include <linux/slab.h>
 37
 38#include <rdma/ib_verbs.h>
 39#include <rdma/ib_mad.h>
 40#include <rdma/ib_smi.h>
 41
 42#include "mthca_dev.h"
 43#include "mthca_cmd.h"
 44
 /*
  * Management class codes that mthca_process_mad() treats as Mellanox
  * vendor-specific classes (accepted next to IB_MGMT_CLASS_PERF_MGMT).
  */
 enum {
         MTHCA_VENDOR_CLASS1 = 0x09,
         MTHCA_VENDOR_CLASS2 = 0x0a,
 };
 49
 /*
  * Refresh the cached rate of one port.
  *
  * Queries the port attributes and stores active_speed multiplied by the
  * integer link width in dev->rate[port_num - 1] (port_num is 1-based).
  *
  * Returns 0 on success, -ENOMEM if the temporary attribute buffer cannot
  * be allocated, or the error code reported by ib_query_port().
  *
  * NOTE(review): port_num is not range-checked here before it indexes
  * dev->rate; presumably callers only pass valid port numbers -- confirm.
  */
 static int mthca_update_rate(struct mthca_dev *dev, u8 port_num)
 {
         struct ib_port_attr *attr;
         int err;

         /* heap-allocated rather than placed on the stack */
         attr = kmalloc(sizeof *attr, GFP_KERNEL);
         if (!attr)
                 return -ENOMEM;

         err = ib_query_port(&dev->ib_dev, port_num, attr);
         if (!err)
                 dev->rate[port_num - 1] = attr->active_speed *
                         ib_width_enum_to_int(attr->active_width);
         else
                 printk(KERN_WARNING "ib_query_port failed (%d) for %s port %d\n",
                        err, dev->ib_dev.name, port_num);

         kfree(attr);
         return err;
 }
 73
 /*
  * Replace the cached address handle used to reach the subnet manager.
  *
  * Builds a new AH for (lid, sl) on port_num using the protection domain
  * of the port's first send agent, then swaps it into
  * dev->sm_ah[port_num - 1] under dev->sm_lock, destroying the previous
  * handle if there was one.
  *
  * Returns silently, leaving the old handle in place, when the port has
  * no send agent in slot 0 or when ib_create_ah() fails.
  */
 static void update_sm_ah(struct mthca_dev *dev,
                          u8 port_num, u16 lid, u8 sl)
 {
         const int idx = port_num - 1;
         struct ib_ah_attr attr;
         struct ib_ah *ah, *old_ah;
         unsigned long irq_flags;

         if (!dev->send_agent[idx][0])
                 return;

         memset(&attr, 0, sizeof attr);
         attr.port_num = port_num;
         attr.dlid     = lid;
         attr.sl       = sl;

         ah = ib_create_ah(dev->send_agent[idx][0]->qp->pd, &attr);
         if (IS_ERR(ah))
                 return;

         /* sm_lock is also held by forward_trap() while it reads sm_ah */
         spin_lock_irqsave(&dev->sm_lock, irq_flags);
         old_ah = dev->sm_ah[idx];
         if (old_ah)
                 ib_destroy_ah(old_ah);
         dev->sm_ah[idx] = ah;
         spin_unlock_irqrestore(&dev->sm_lock, irq_flags);
 }
100
/*
 * Inspect subnet-management Set MADs so that the matching IB events can
 * be raised locally:
 *
 *  - PortInfo set:    refresh the cached port rate and the SM address
 *                     handle, then dispatch IB_EVENT_CLIENT_REREGISTER
 *                     (when bit 0x80 of clientrereg_resv_subnetto is set)
 *                     or IB_EVENT_LID_CHANGE.
 *  - P_Key table set: dispatch IB_EVENT_PKEY_CHANGE.
 *
 * MADs of any other class, method or attribute are ignored.
 *
 * NOTE(review): the SM LID and SL fed to update_sm_ah() are taken
 * straight from the MAD payload; this function relies on its caller to
 * have accepted the MAD first -- confirm against mthca_process_mad().
 */
static void smp_snoop(struct ib_device *ibdev,
                      u8 port_num,
                      struct ib_mad *mad)
{
        struct ib_event event;

        if (mad->mad_hdr.mgmt_class != IB_MGMT_CLASS_SUBN_LID_ROUTED &&
            mad->mad_hdr.mgmt_class != IB_MGMT_CLASS_SUBN_DIRECTED_ROUTE)
                return;

        if (mad->mad_hdr.method != IB_MGMT_METHOD_SET)
                return;

        if (mad->mad_hdr.attr_id == IB_SMP_ATTR_PORT_INFO) {
                struct mthca_dev *mdev = to_mdev(ibdev);
                struct ib_smp *smp = (struct ib_smp *) mad;
                struct ib_port_info *pinfo = (struct ib_port_info *) smp->data;

                mthca_update_rate(mdev, port_num);
                /* low nibble of neighbormtu_mastersmsl is passed as the SL */
                update_sm_ah(mdev, port_num,
                             be16_to_cpu(pinfo->sm_lid),
                             pinfo->neighbormtu_mastersmsl & 0xf);

                event.device           = ibdev;
                event.element.port_num = port_num;
                event.event = (pinfo->clientrereg_resv_subnetto & 0x80) ?
                        IB_EVENT_CLIENT_REREGISTER : IB_EVENT_LID_CHANGE;

                ib_dispatch_event(&event);
        }

        if (mad->mad_hdr.attr_id == IB_SMP_ATTR_PKEY_TABLE) {
                event.device           = ibdev;
                event.element.port_num = port_num;
                event.event            = IB_EVENT_PKEY_CHANGE;

                ib_dispatch_event(&event);
        }
}
142
/*
 * Overwrite the payload of a NodeDescription GetResp MAD with the node
 * description stored in the ib_device.
 *
 * Only subnet-management class MADs (LID routed or directed route) with
 * method GetResp and attribute NodeDescription are touched; 64 bytes are
 * copied from dev->node_desc while cap_mask_mutex is held.
 */
static void node_desc_override(struct ib_device *dev,
                               struct ib_mad *mad)
{
        struct mthca_dev *mdev;

        if (mad->mad_hdr.mgmt_class != IB_MGMT_CLASS_SUBN_LID_ROUTED &&
            mad->mad_hdr.mgmt_class != IB_MGMT_CLASS_SUBN_DIRECTED_ROUTE)
                return;

        if (mad->mad_hdr.method != IB_MGMT_METHOD_GET_RESP)
                return;

        if (mad->mad_hdr.attr_id != IB_SMP_ATTR_NODE_DESC)
                return;

        mdev = to_mdev(dev);

        mutex_lock(&mdev->cap_mask_mutex);
        memcpy(((struct ib_smp *) mad)->data, dev->node_desc, 64);
        mutex_unlock(&mdev->cap_mask_mutex);
}
155
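/*
 * Forward a trap MAD to the subnet manager.
 *
 * The send agent is chosen by management class: slot 0 for LID-routed
 * subnet management MADs, slot 1 for everything else.  The MAD is copied
 * into a freshly allocated send buffer and posted using the cached SM
 * address handle; if no handle is cached, or posting fails, the buffer is
 * released again.  Nothing is sent when the port has no agent in the
 * selected slot.
 *
 * ib_create_send_mad() reports failure through an ERR_PTR() value, and
 * the allocation here uses GFP_ATOMIC, so the result must be checked
 * before send_buf->mad is written.  Without that check the memcpy()
 * below dereferences an error-encoded pointer, which is the invalid
 * pointer dereference reported for this function.  On failure the trap
 * is dropped, matching the other best-effort exits of this function.
 */
static void forward_trap(struct mthca_dev *dev,
                         u8 port_num,
                         struct ib_mad *mad)
{
        int qpn = mad->mad_hdr.mgmt_class != IB_MGMT_CLASS_SUBN_LID_ROUTED;
        struct ib_mad_send_buf *send_buf;
        struct ib_mad_agent *agent = dev->send_agent[port_num - 1][qpn];
        int ret;
        unsigned long flags;

        if (!agent)
                return;

        send_buf = ib_create_send_mad(agent, qpn, 0, 0, IB_MGMT_MAD_HDR,
                                      IB_MGMT_MAD_DATA, GFP_ATOMIC);
        /* allocation failure comes back as ERR_PTR(), never as a usable buffer */
        if (IS_ERR(send_buf))
                return;

        /*
         * We rely here on the fact that MLX QPs don't use the
         * address handle after the send is posted (this is
         * wrong following the IB spec strictly, but we know
         * it's OK for our devices).
         */
        spin_lock_irqsave(&dev->sm_lock, flags);
        memcpy(send_buf->mad, mad, sizeof *mad);
        if ((send_buf->ah = dev->sm_ah[port_num - 1]))
                ret = ib_post_send_mad(send_buf, NULL);
        else
                ret = -EINVAL;
        spin_unlock_irqrestore(&dev->sm_lock, flags);

        /* on success the buffer is released later by send_handler() */
        if (ret)
                ib_free_send_mad(send_buf);
}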
187
/*
 * Process one incoming MAD for an mthca device.
 *
 * Trap MADs whose source LID is 0 are treated as locally generated and
 * forwarded to the SM.  Otherwise only the following are handed to the
 * MAD_IFC command:
 *   - subnet management class (LID routed / directed route): Get, Set and
 *     TrapRepress, except SMInfo and vendor-specific attributes;
 *   - performance management and the two Mellanox vendor classes: Get and
 *     Set.
 * Everything else returns IB_MAD_RESULT_SUCCESS without invoking MAD_IFC.
 *
 * Returns a combination of IB_MAD_RESULT_* flags: FAILURE when MAD_IFC
 * fails or reports a status other than MTHCA_CMD_STAT_BAD_PKT, SUCCESS |
 * CONSUMED for forwarded traps and TrapRepress, SUCCESS | REPLY when
 * out_mad carries a response.
 *
 * in_mad's header is re-read through a pointer after the MAD_IFC call,
 * exactly as the checks before it, so no header field is cached by value.
 */
int mthca_process_mad(struct ib_device *ibdev,
                      int mad_flags,
                      u8 port_num,
                      struct ib_wc *in_wc,
                      struct ib_grh *in_grh,
                      struct ib_mad *in_mad,
                      struct ib_mad *out_mad)
{
        struct mthca_dev *mdev = to_mdev(ibdev);
        struct ib_mad_hdr *req = &in_mad->mad_hdr;
        u16 slid;
        u8 status;
        int err;

        /* without a work completion the permissive LID stands in as source */
        if (in_wc)
                slid = in_wc->slid;
        else
                slid = be16_to_cpu(IB_LID_PERMISSIVE);

        /* Forward locally generated traps to the SM */
        if (req->method == IB_MGMT_METHOD_TRAP && slid == 0) {
                forward_trap(mdev, port_num, in_mad);
                return IB_MAD_RESULT_SUCCESS | IB_MAD_RESULT_CONSUMED;
        }

        if (req->mgmt_class == IB_MGMT_CLASS_SUBN_LID_ROUTED ||
            req->mgmt_class == IB_MGMT_CLASS_SUBN_DIRECTED_ROUTE) {
                /* SM class: only gets, sets and trap represses */
                if (req->method != IB_MGMT_METHOD_GET &&
                    req->method != IB_MGMT_METHOD_SET &&
                    req->method != IB_MGMT_METHOD_TRAP_REPRESS)
                        return IB_MAD_RESULT_SUCCESS;

                /*
                 * Don't process SMInfo queries or vendor-specific
                 * MADs -- the SMA can't handle them.
                 */
                if (req->attr_id == IB_SMP_ATTR_SM_INFO)
                        return IB_MAD_RESULT_SUCCESS;
                if ((req->attr_id & IB_SMP_ATTR_VENDOR_MASK) ==
                    IB_SMP_ATTR_VENDOR_MASK)
                        return IB_MAD_RESULT_SUCCESS;
        } else if (req->mgmt_class == IB_MGMT_CLASS_PERF_MGMT ||
                   req->mgmt_class == MTHCA_VENDOR_CLASS1     ||
                   req->mgmt_class == MTHCA_VENDOR_CLASS2) {
                /* PMA and Mellanox vendor classes: only gets and sets */
                if (req->method != IB_MGMT_METHOD_GET &&
                    req->method != IB_MGMT_METHOD_SET)
                        return IB_MAD_RESULT_SUCCESS;
        } else {
                return IB_MAD_RESULT_SUCCESS;
        }

        err = mthca_MAD_IFC(mdev,
                            mad_flags & IB_MAD_IGNORE_MKEY,
                            mad_flags & IB_MAD_IGNORE_BKEY,
                            port_num, in_wc, in_grh, in_mad, out_mad,
                            &status);
        if (err) {
                mthca_err(mdev, "MAD_IFC failed\n");
                return IB_MAD_RESULT_FAILURE;
        }

        /* a BAD_PKT status is not reported as a failure */
        if (status == MTHCA_CMD_STAT_BAD_PKT)
                return IB_MAD_RESULT_SUCCESS;

        if (status) {
                mthca_err(mdev, "MAD_IFC returned status %02x\n",
                          status);
                return IB_MAD_RESULT_FAILURE;
        }

        /* snoop and override only when the response status is zero */
        if (!out_mad->mad_hdr.status) {
                smp_snoop(ibdev, port_num, in_mad);
                node_desc_override(ibdev, out_mad);
        }

        /* set return bit in status of directed route responses */
        if (req->mgmt_class == IB_MGMT_CLASS_SUBN_DIRECTED_ROUTE)
                out_mad->mad_hdr.status |= cpu_to_be16(1 << 15);

        /* no response for trap repress */
        if (req->method == IB_MGMT_METHOD_TRAP_REPRESS)
                return IB_MAD_RESULT_SUCCESS | IB_MAD_RESULT_CONSUMED;

        return IB_MAD_RESULT_SUCCESS | IB_MAD_RESULT_REPLY;
}
269
/*
 * Send-completion callback registered for every MAD agent created in
 * mthca_create_agents(): releases the send buffer of the completed send.
 * The agent argument is not used.
 */
static void send_handler(struct ib_mad_agent *agent,
                         struct ib_mad_send_wc *mad_send_wc)
{
        struct ib_mad_send_buf *done = mad_send_wc->send_buf;

        ib_free_send_mad(done);
}
275
/*
 * Register the MAD send agents of every port and prime the port rates.
 *
 * For each port two agents are registered: slot 0 on the SMI QP and
 * slot 1 on the GSI QP, both with send_handler() as send-completion
 * callback.  Afterwards the rate of every port is cached through
 * mthca_update_rate().
 *
 * Returns 0 on success.  On any failure every non-NULL agent slot is
 * unregistered and the error code of the failing step is returned.
 *
 * NOTE(review): the error path does not reset dev->send_agent[][] after
 * unregistering, so the slots keep their old pointer values; it also
 * assumes untouched slots start out NULL -- confirm against the callers.
 */
int mthca_create_agents(struct mthca_dev *dev)
{
        struct ib_mad_agent *agent;
        int port, slot;
        int ret;

        spin_lock_init(&dev->sm_lock);

        for (port = 0; port < dev->limits.num_ports; ++port) {
                for (slot = 0; slot <= 1; ++slot) {
                        /* port numbers handed to the MAD layer are 1-based */
                        agent = ib_register_mad_agent(&dev->ib_dev, port + 1,
                                                      slot ? IB_QPT_GSI : IB_QPT_SMI,
                                                      NULL, 0, send_handler,
                                                      NULL, NULL);
                        if (IS_ERR(agent)) {
                                ret = PTR_ERR(agent);
                                goto err_unregister;
                        }
                        dev->send_agent[port][slot] = agent;
                }
        }

        for (port = 1; port <= dev->limits.num_ports; ++port) {
                ret = mthca_update_rate(dev, port);
                if (ret) {
                        mthca_err(dev, "Failed to obtain port %d rate."
                                  " aborting.\n", port);
                        goto err_unregister;
                }
        }

        return 0;

err_unregister:
        for (port = 0; port < dev->limits.num_ports; ++port) {
                for (slot = 0; slot <= 1; ++slot) {
                        if (dev->send_agent[port][slot])
                                ib_unregister_mad_agent(dev->send_agent[port][slot]);
                }
        }

        return ret;
}
317
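/*
 * Tear down what mthca_create_agents() and update_sm_ah() set up: for
 * every port, clear and unregister both MAD agent slots and destroy the
 * cached SM address handle, if any.
 *
 * Each slot is cleared before its agent is unregistered.  Empty slots are
 * skipped, consistent with update_sm_ah(), forward_trap() and the error
 * path of mthca_create_agents(), which all treat a send_agent entry as
 * possibly NULL.
 */
void mthca_free_agents(struct mthca_dev *dev)
{
        struct ib_mad_agent *agent;
        int p, q;

        for (p = 0; p < dev->limits.num_ports; ++p) {
                for (q = 0; q <= 1; ++q) {
                        agent = dev->send_agent[p][q];
                        dev->send_agent[p][q] = NULL;
                        /* never hand an empty slot to the MAD layer */
                        if (agent)
                                ib_unregister_mad_agent(agent);
                }

                if (dev->sm_ah[p])
                        ib_destroy_ah(dev->sm_ah[p]);
        }
}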
333}