net/mlx5: Add a timeout to acquire the command queue semaphore

PlaidCat · PlaidCat · commit ffede8d2065b · 2024-10-22T16:12:17.000-04:00
jira LE-1907 cve CVE-2024-38556 Rebuild_History Non-Buildable kernel-5.14.0-427.40.1.el9_4 commit-author Akiva Goldberger <agoldberger@nvidia.com> commit 485d65e Empty-Commit: Cherry-Pick Conflicts during history rebuild. Will be included in final tarball splat. Ref for failed cherry-pick at: ciq/ciq_backports/kernel-5.14.0-427.40.1.el9_4/485d65e1.failed Prevent forced completion handling on an entry that has not yet been assigned an index, causing an out of bounds access on idx = -22. Instead of waiting indefinitely for the sem, blocking flow now waits for index to be allocated or a sem acquisition timeout before beginning the timer for FW completion. Kernel log example: mlx5_core 0000:06:00.0: wait_func_handle_exec_timeout:1128:(pid 185911): cmd[-22]: CREATE_UCTX(0xa04) No done completion Fixes: 8e715cd ("net/mlx5: Set command entry semaphore up once got index free") Signed-off-by: Akiva Goldberger <agoldberger@nvidia.com> Reviewed-by: Moshe Shemesh <moshe@nvidia.com> Signed-off-by: Tariq Toukan <tariqt@nvidia.com> Link: https://lore.kernel.org/r/20240509112951.590184-5-tariqt@nvidia.com Signed-off-by: Jakub Kicinski <kuba@kernel.org> (cherry picked from commit 485d65e) Signed-off-by: Jonathan Maple <jmaple@ciq.com> # Conflicts: # drivers/net/ethernet/mellanox/mlx5/core/cmd.c
diff --git a/ciq/ciq_backports/kernel-5.14.0-427.40.1.el9_4/485d65e1.failed b/ciq/ciq_backports/kernel-5.14.0-427.40.1.el9_4/485d65e1.failed
@@ -0,0 +1,119 @@
+net/mlx5: Add a timeout to acquire the command queue semaphore
+
+jira LE-1907
+cve CVE-2024-38556
+Rebuild_History Non-Buildable kernel-5.14.0-427.40.1.el9_4
+commit-author Akiva Goldberger <agoldberger@nvidia.com>
+commit 485d65e1357123a697c591a5aeb773994b247ad7
+Empty-Commit: Cherry-Pick Conflicts during history rebuild.
+Will be included in final tarball splat. Ref for failed cherry-pick at:
+ciq/ciq_backports/kernel-5.14.0-427.40.1.el9_4/485d65e1.failed
+
+Prevent forced completion handling on an entry that has not yet been
+assigned an index, causing an out of bounds access on idx = -22.
+Instead of waiting indefinitely for the sem, blocking flow now waits for
+index to be allocated or a sem acquisition timeout before beginning the
+timer for FW completion.
+
+Kernel log example:
+mlx5_core 0000:06:00.0: wait_func_handle_exec_timeout:1128:(pid 185911): cmd[-22]: CREATE_UCTX(0xa04) No done completion
+
+Fixes: 8e715cd613a1 ("net/mlx5: Set command entry semaphore up once got index free")
+	Signed-off-by: Akiva Goldberger <agoldberger@nvidia.com>
+	Reviewed-by: Moshe Shemesh <moshe@nvidia.com>
+	Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
+Link: https://lore.kernel.org/r/20240509112951.590184-5-tariqt@nvidia.com
+	Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+(cherry picked from commit 485d65e1357123a697c591a5aeb773994b247ad7)
+	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
+
+# Conflicts:
+#	drivers/net/ethernet/mellanox/mlx5/core/cmd.c
+diff --cc drivers/net/ethernet/mellanox/mlx5/core/cmd.c
+index d532883b42d7,511e7fee39ac..000000000000
+--- a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c
+@@@ -970,14 -974,28 +969,35 @@@ static void cmd_work_handler(struct wor
+  	int alloc_ret;
+  	int cmd_mode;
+  
+- 	dev = container_of(cmd, struct mlx5_core_dev, cmd);
+- 	cb_timeout = msecs_to_jiffies(mlx5_tout_ms(dev, CMD));
+- 
+  	complete(&ent->handling);
+++<<<<<<< HEAD
+ +	sem = ent->page_queue ? &cmd->pages_sem : &cmd->sem;
+ +	down(sem);
+ +	if (!ent->page_queue) {
+ +		alloc_ret = cmd_alloc_index(cmd);
+++=======
++ 
++ 	dev = container_of(cmd, struct mlx5_core_dev, cmd);
++ 	timeout = msecs_to_jiffies(mlx5_tout_ms(dev, CMD));
++ 
++ 	if (!ent->page_queue) {
++ 		if (down_timeout(&cmd->vars.sem, timeout)) {
++ 			mlx5_core_warn(dev, "%s(0x%x) timed out while waiting for a slot.\n",
++ 				       mlx5_command_str(ent->op), ent->op);
++ 			if (ent->callback) {
++ 				ent->callback(-EBUSY, ent->context);
++ 				mlx5_free_cmd_msg(dev, ent->out);
++ 				free_msg(dev, ent->in);
++ 				cmd_ent_put(ent);
++ 			} else {
++ 				ent->ret = -EBUSY;
++ 				complete(&ent->done);
++ 			}
++ 			complete(&ent->slotted);
++ 			return;
++ 		}
++ 		alloc_ret = cmd_alloc_index(cmd, ent);
+++>>>>>>> 485d65e13571 (net/mlx5: Add a timeout to acquire the command queue semaphore)
+  		if (alloc_ret < 0) {
+  			mlx5_core_err_rl(dev, "failed to allocate command entry\n");
+  			if (ent->callback) {
+@@@ -989,18 -1007,20 +1009,28 @@@
+  				ent->ret = -EAGAIN;
+  				complete(&ent->done);
+  			}
+- 			up(sem);
++ 			up(&cmd->vars.sem);
+  			return;
+  		}
+ +		ent->idx = alloc_ret;
+  	} else {
+++<<<<<<< HEAD
+ +		ent->idx = cmd->max_reg_cmds;
+++=======
++ 		down(&cmd->vars.pages_sem);
++ 		ent->idx = cmd->vars.max_reg_cmds;
+++>>>>>>> 485d65e13571 (net/mlx5: Add a timeout to acquire the command queue semaphore)
+  		spin_lock_irqsave(&cmd->alloc_lock, flags);
+ -		clear_bit(ent->idx, &cmd->vars.bitmask);
+ -		cmd->ent_arr[ent->idx] = ent;
+ +		clear_bit(ent->idx, &cmd->bitmask);
+  		spin_unlock_irqrestore(&cmd->alloc_lock, flags);
+  	}
+  
+++<<<<<<< HEAD
+ +	cmd->ent_arr[ent->idx] = ent;
+++=======
++ 	complete(&ent->slotted);
++ 
+++>>>>>>> 485d65e13571 (net/mlx5: Add a timeout to acquire the command queue semaphore)
+  	lay = get_inst(cmd, ent->idx);
+  	ent->lay = lay;
+  	memset(lay, 0, sizeof(*lay));
+* Unmerged path drivers/net/ethernet/mellanox/mlx5/core/cmd.c
+diff --git a/include/linux/mlx5/driver.h b/include/linux/mlx5/driver.h
+index 4b9626cd83e4..22fc69e3c0bc 100644
+--- a/include/linux/mlx5/driver.h
++++ b/include/linux/mlx5/driver.h
+@@ -851,6 +851,7 @@ struct mlx5_cmd_work_ent {
+ 	void		       *context;
+ 	int			idx;
+ 	struct completion	handling;
++	struct completion	slotted;
+ 	struct completion	done;
+ 	struct mlx5_cmd        *cmd;
+ 	struct work_struct	work;
