ClabureDB: Classified Bug-Reports Database

Project: Linux Kernel

Showing error 1827

User:	Jiri Slaby
Error type:	Invalid Pointer Dereference
Error type description:	A pointer which is invalid is being dereferenced
File location:	drivers/net/mlx4/cmd.c
Line in file:	295
Project:	Linux Kernel
Project version:	2.6.28
Tools:	Smatch (1.59)
Entered:	2013-09-11 08:47:26 UTC
Source:

  1/*
  2 * Copyright (c) 2004, 2005 Topspin Communications.  All rights reserved.
  3 * Copyright (c) 2005, 2006, 2007, 2008 Mellanox Technologies. All rights reserved.
  4 * Copyright (c) 2005, 2006, 2007 Cisco Systems, Inc.  All rights reserved.
  5 *
  6 * This software is available to you under a choice of one of two
  7 * licenses.  You may choose to be licensed under the terms of the GNU
  8 * General Public License (GPL) Version 2, available from the file
  9 * COPYING in the main directory of this source tree, or the
 10 * OpenIB.org BSD license below:
 11 *
 12 *     Redistribution and use in source and binary forms, with or
 13 *     without modification, are permitted provided that the following
 14 *     conditions are met:
 15 *
 16 *      - Redistributions of source code must retain the above
 17 *        copyright notice, this list of conditions and the following
 18 *        disclaimer.
 19 *
 20 *      - Redistributions in binary form must reproduce the above
 21 *        copyright notice, this list of conditions and the following
 22 *        disclaimer in the documentation and/or other materials
 23 *        provided with the distribution.
 24 *
 25 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
 26 * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
 27 * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
 28 * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
 29 * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
 30 * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
 31 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 32 * SOFTWARE.
 33 */
 34
 35#include <linux/sched.h>
 36#include <linux/pci.h>
 37#include <linux/errno.h>
 38
 39#include <linux/mlx4/cmd.h>
 40
 41#include <asm/io.h>
 42
 43#include "mlx4.h"
 44
 45#define CMD_POLL_TOKEN 0xffff
 46
 47enum {
 48        /* command completed successfully: */
 49        CMD_STAT_OK                = 0x00,
 50        /* Internal error (such as a bus error) occurred while processing command: */
 51        CMD_STAT_INTERNAL_ERR        = 0x01,
 52        /* Operation/command not supported or opcode modifier not supported: */
 53        CMD_STAT_BAD_OP                = 0x02,
 54        /* Parameter not supported or parameter out of range: */
 55        CMD_STAT_BAD_PARAM        = 0x03,
 56        /* System not enabled or bad system state: */
 57        CMD_STAT_BAD_SYS_STATE        = 0x04,
 58        /* Attempt to access reserved or unallocaterd resource: */
 59        CMD_STAT_BAD_RESOURCE        = 0x05,
 60        /* Requested resource is currently executing a command, or is otherwise busy: */
 61        CMD_STAT_RESOURCE_BUSY        = 0x06,
 62        /* Required capability exceeds device limits: */
 63        CMD_STAT_EXCEED_LIM        = 0x08,
 64        /* Resource is not in the appropriate state or ownership: */
 65        CMD_STAT_BAD_RES_STATE        = 0x09,
 66        /* Index out of range: */
 67        CMD_STAT_BAD_INDEX        = 0x0a,
 68        /* FW image corrupted: */
 69        CMD_STAT_BAD_NVMEM        = 0x0b,
 70        /* Error in ICM mapping (e.g. not enough auxiliary ICM pages to execute command): */
 71        CMD_STAT_ICM_ERROR        = 0x0c,
 72        /* Attempt to modify a QP/EE which is not in the presumed state: */
 73        CMD_STAT_BAD_QP_STATE   = 0x10,
 74        /* Bad segment parameters (Address/Size): */
 75        CMD_STAT_BAD_SEG_PARAM        = 0x20,
 76        /* Memory Region has Memory Windows bound to: */
 77        CMD_STAT_REG_BOUND        = 0x21,
 78        /* HCA local attached memory not present: */
 79        CMD_STAT_LAM_NOT_PRE        = 0x22,
 80        /* Bad management packet (silently discarded): */
 81        CMD_STAT_BAD_PKT        = 0x30,
 82        /* More outstanding CQEs in CQ than new CQ size: */
 83        CMD_STAT_BAD_SIZE        = 0x40
 84};
 85
 86enum {
 87        HCR_IN_PARAM_OFFSET        = 0x00,
 88        HCR_IN_MODIFIER_OFFSET        = 0x08,
 89        HCR_OUT_PARAM_OFFSET        = 0x0c,
 90        HCR_TOKEN_OFFSET        = 0x14,
 91        HCR_STATUS_OFFSET        = 0x18,
 92
 93        HCR_OPMOD_SHIFT                = 12,
 94        HCR_T_BIT                = 21,
 95        HCR_E_BIT                = 22,
 96        HCR_GO_BIT                = 23
 97};
 98
 99enum {
100        GO_BIT_TIMEOUT_MSECS        = 10000
101};
102
103struct mlx4_cmd_context {
104        struct completion        done;
105        int                        result;
106        int                        next;
107        u64                        out_param;
108        u16                        token;
109};
110
111static int mlx4_status_to_errno(u8 status)
112{
113        static const int trans_table[] = {
114                [CMD_STAT_INTERNAL_ERR]          = -EIO,
115                [CMD_STAT_BAD_OP]          = -EPERM,
116                [CMD_STAT_BAD_PARAM]          = -EINVAL,
117                [CMD_STAT_BAD_SYS_STATE]  = -ENXIO,
118                [CMD_STAT_BAD_RESOURCE]          = -EBADF,
119                [CMD_STAT_RESOURCE_BUSY]  = -EBUSY,
120                [CMD_STAT_EXCEED_LIM]          = -ENOMEM,
121                [CMD_STAT_BAD_RES_STATE]  = -EBADF,
122                [CMD_STAT_BAD_INDEX]          = -EBADF,
123                [CMD_STAT_BAD_NVMEM]          = -EFAULT,
124                [CMD_STAT_ICM_ERROR]          = -ENFILE,
125                [CMD_STAT_BAD_QP_STATE]   = -EINVAL,
126                [CMD_STAT_BAD_SEG_PARAM]  = -EFAULT,
127                [CMD_STAT_REG_BOUND]          = -EBUSY,
128                [CMD_STAT_LAM_NOT_PRE]          = -EAGAIN,
129                [CMD_STAT_BAD_PKT]          = -EINVAL,
130                [CMD_STAT_BAD_SIZE]          = -ENOMEM,
131        };
132
133        if (status >= ARRAY_SIZE(trans_table) ||
134            (status != CMD_STAT_OK && trans_table[status] == 0))
135                return -EIO;
136
137        return trans_table[status];
138}
139
140static int cmd_pending(struct mlx4_dev *dev)
141{
142        u32 status = readl(mlx4_priv(dev)->cmd.hcr + HCR_STATUS_OFFSET);
143
144        return (status & swab32(1 << HCR_GO_BIT)) ||
145                (mlx4_priv(dev)->cmd.toggle ==
146                 !!(status & swab32(1 << HCR_T_BIT)));
147}
148
149static int mlx4_cmd_post(struct mlx4_dev *dev, u64 in_param, u64 out_param,
150                         u32 in_modifier, u8 op_modifier, u16 op, u16 token,
151                         int event)
152{
153        struct mlx4_cmd *cmd = &mlx4_priv(dev)->cmd;
154        u32 __iomem *hcr = cmd->hcr;
155        int ret = -EAGAIN;
156        unsigned long end;
157
158        mutex_lock(&cmd->hcr_mutex);
159
160        end = jiffies;
161        if (event)
162                end += msecs_to_jiffies(GO_BIT_TIMEOUT_MSECS);
163
164        while (cmd_pending(dev)) {
165                if (time_after_eq(jiffies, end))
166                        goto out;
167                cond_resched();
168        }
169
170        /*
171         * We use writel (instead of something like memcpy_toio)
172         * because writes of less than 32 bits to the HCR don't work
173         * (and some architectures such as ia64 implement memcpy_toio
174         * in terms of writeb).
175         */
176        __raw_writel((__force u32) cpu_to_be32(in_param >> 32),                  hcr + 0);
177        __raw_writel((__force u32) cpu_to_be32(in_param & 0xfffffffful),  hcr + 1);
178        __raw_writel((__force u32) cpu_to_be32(in_modifier),                  hcr + 2);
179        __raw_writel((__force u32) cpu_to_be32(out_param >> 32),          hcr + 3);
180        __raw_writel((__force u32) cpu_to_be32(out_param & 0xfffffffful), hcr + 4);
181        __raw_writel((__force u32) cpu_to_be32(token << 16),                  hcr + 5);
182
183        /* __raw_writel may not order writes. */
184        wmb();
185
186        __raw_writel((__force u32) cpu_to_be32((1 << HCR_GO_BIT)                |
187                                               (cmd->toggle << HCR_T_BIT)        |
188                                               (event ? (1 << HCR_E_BIT) : 0)        |
189                                               (op_modifier << HCR_OPMOD_SHIFT) |
190                                               op),                          hcr + 6);
191
192        /*
193         * Make sure that our HCR writes don't get mixed in with
194         * writes from another CPU starting a FW command.
195         */
196        mmiowb();
197
198        cmd->toggle = cmd->toggle ^ 1;
199
200        ret = 0;
201
202out:
203        mutex_unlock(&cmd->hcr_mutex);
204        return ret;
205}
206
207static int mlx4_cmd_poll(struct mlx4_dev *dev, u64 in_param, u64 *out_param,
208                         int out_is_imm, u32 in_modifier, u8 op_modifier,
209                         u16 op, unsigned long timeout)
210{
211        struct mlx4_priv *priv = mlx4_priv(dev);
212        void __iomem *hcr = priv->cmd.hcr;
213        int err = 0;
214        unsigned long end;
215
216        down(&priv->cmd.poll_sem);
217
218        err = mlx4_cmd_post(dev, in_param, out_param ? *out_param : 0,
219                            in_modifier, op_modifier, op, CMD_POLL_TOKEN, 0);
220        if (err)
221                goto out;
222
223        end = msecs_to_jiffies(timeout) + jiffies;
224        while (cmd_pending(dev) && time_before(jiffies, end))
225                cond_resched();
226
227        if (cmd_pending(dev)) {
228                err = -ETIMEDOUT;
229                goto out;
230        }
231
232        if (out_is_imm)
233                *out_param =
234                        (u64) be32_to_cpu((__force __be32)
235                                          __raw_readl(hcr + HCR_OUT_PARAM_OFFSET)) << 32 |
236                        (u64) be32_to_cpu((__force __be32)
237                                          __raw_readl(hcr + HCR_OUT_PARAM_OFFSET + 4));
238
239        err = mlx4_status_to_errno(be32_to_cpu((__force __be32)
240                                               __raw_readl(hcr + HCR_STATUS_OFFSET)) >> 24);
241
242out:
243        up(&priv->cmd.poll_sem);
244        return err;
245}
246
247void mlx4_cmd_event(struct mlx4_dev *dev, u16 token, u8 status, u64 out_param)
248{
249        struct mlx4_priv *priv = mlx4_priv(dev);
250        struct mlx4_cmd_context *context =
251                &priv->cmd.context[token & priv->cmd.token_mask];
252
253        /* previously timed out command completing at long last */
254        if (token != context->token)
255                return;
256
257        context->result    = mlx4_status_to_errno(status);
258        context->out_param = out_param;
259
260        complete(&context->done);
261}
262
263static int mlx4_cmd_wait(struct mlx4_dev *dev, u64 in_param, u64 *out_param,
264                         int out_is_imm, u32 in_modifier, u8 op_modifier,
265                         u16 op, unsigned long timeout)
266{
267        struct mlx4_cmd *cmd = &mlx4_priv(dev)->cmd;
268        struct mlx4_cmd_context *context;
269        int err = 0;
270
271        down(&cmd->event_sem);
272
273        spin_lock(&cmd->context_lock);
274        BUG_ON(cmd->free_head < 0);
275        context = &cmd->context[cmd->free_head];
276        context->token += cmd->token_mask + 1;
277        cmd->free_head = context->next;
278        spin_unlock(&cmd->context_lock);
279
280        init_completion(&context->done);
281
282        mlx4_cmd_post(dev, in_param, out_param ? *out_param : 0,
283                      in_modifier, op_modifier, op, context->token, 1);
284
285        if (!wait_for_completion_timeout(&context->done, msecs_to_jiffies(timeout))) {
286                err = -EBUSY;
287                goto out;
288        }
289
290        err = context->result;
291        if (err)
292                goto out;
293
294        if (out_is_imm)
295                *out_param = context->out_param;
296
297out:
298        spin_lock(&cmd->context_lock);
299        context->next = cmd->free_head;
300        cmd->free_head = context - cmd->context;
301        spin_unlock(&cmd->context_lock);
302
303        up(&cmd->event_sem);
304        return err;
305}
306
307int __mlx4_cmd(struct mlx4_dev *dev, u64 in_param, u64 *out_param,
308               int out_is_imm, u32 in_modifier, u8 op_modifier,
309               u16 op, unsigned long timeout)
310{
311        if (mlx4_priv(dev)->cmd.use_events)
312                return mlx4_cmd_wait(dev, in_param, out_param, out_is_imm,
313                                     in_modifier, op_modifier, op, timeout);
314        else
315                return mlx4_cmd_poll(dev, in_param, out_param, out_is_imm,
316                                     in_modifier, op_modifier, op, timeout);
317}
318EXPORT_SYMBOL_GPL(__mlx4_cmd);
319
320int mlx4_cmd_init(struct mlx4_dev *dev)
321{
322        struct mlx4_priv *priv = mlx4_priv(dev);
323
324        mutex_init(&priv->cmd.hcr_mutex);
325        sema_init(&priv->cmd.poll_sem, 1);
326        priv->cmd.use_events = 0;
327        priv->cmd.toggle     = 1;
328
329        priv->cmd.hcr = ioremap(pci_resource_start(dev->pdev, 0) + MLX4_HCR_BASE,
330                                MLX4_HCR_SIZE);
331        if (!priv->cmd.hcr) {
332                mlx4_err(dev, "Couldn't map command register.");
333                return -ENOMEM;
334        }
335
336        priv->cmd.pool = pci_pool_create("mlx4_cmd", dev->pdev,
337                                         MLX4_MAILBOX_SIZE,
338                                         MLX4_MAILBOX_SIZE, 0);
339        if (!priv->cmd.pool) {
340                iounmap(priv->cmd.hcr);
341                return -ENOMEM;
342        }
343
344        return 0;
345}
346
347void mlx4_cmd_cleanup(struct mlx4_dev *dev)
348{
349        struct mlx4_priv *priv = mlx4_priv(dev);
350
351        pci_pool_destroy(priv->cmd.pool);
352        iounmap(priv->cmd.hcr);
353}
354
355/*
356 * Switch to using events to issue FW commands (can only be called
357 * after event queue for command events has been initialized).
358 */
359int mlx4_cmd_use_events(struct mlx4_dev *dev)
360{
361        struct mlx4_priv *priv = mlx4_priv(dev);
362        int i;
363
364        priv->cmd.context = kmalloc(priv->cmd.max_cmds *
365                                   sizeof (struct mlx4_cmd_context),
366                                   GFP_KERNEL);
367        if (!priv->cmd.context)
368                return -ENOMEM;
369
370        for (i = 0; i < priv->cmd.max_cmds; ++i) {
371                priv->cmd.context[i].token = i;
372                priv->cmd.context[i].next  = i + 1;
373        }
374
375        priv->cmd.context[priv->cmd.max_cmds - 1].next = -1;
376        priv->cmd.free_head = 0;
377
378        sema_init(&priv->cmd.event_sem, priv->cmd.max_cmds);
379        spin_lock_init(&priv->cmd.context_lock);
380
381        for (priv->cmd.token_mask = 1;
382             priv->cmd.token_mask < priv->cmd.max_cmds;
383             priv->cmd.token_mask <<= 1)
384                ; /* nothing */
385        --priv->cmd.token_mask;
386
387        priv->cmd.use_events = 1;
388
389        down(&priv->cmd.poll_sem);
390
391        return 0;
392}
393
394/*
395 * Switch back to polling (used when shutting down the device)
396 */
397void mlx4_cmd_use_polling(struct mlx4_dev *dev)
398{
399        struct mlx4_priv *priv = mlx4_priv(dev);
400        int i;
401
402        priv->cmd.use_events = 0;
403
404        for (i = 0; i < priv->cmd.max_cmds; ++i)
405                down(&priv->cmd.event_sem);
406
407        kfree(priv->cmd.context);
408
409        up(&priv->cmd.poll_sem);
410}
411
412struct mlx4_cmd_mailbox *mlx4_alloc_cmd_mailbox(struct mlx4_dev *dev)
413{
414        struct mlx4_cmd_mailbox *mailbox;
415
416        mailbox = kmalloc(sizeof *mailbox, GFP_KERNEL);
417        if (!mailbox)
418                return ERR_PTR(-ENOMEM);
419
420        mailbox->buf = pci_pool_alloc(mlx4_priv(dev)->cmd.pool, GFP_KERNEL,
421                                      &mailbox->dma);
422        if (!mailbox->buf) {
423                kfree(mailbox);
424                return ERR_PTR(-ENOMEM);
425        }
426
427        return mailbox;
428}
429EXPORT_SYMBOL_GPL(mlx4_alloc_cmd_mailbox);
430
431void mlx4_free_cmd_mailbox(struct mlx4_dev *dev, struct mlx4_cmd_mailbox *mailbox)
432{
433        if (!mailbox)
434                return;
435
436        pci_pool_free(mlx4_priv(dev)->cmd.pool, mailbox->buf, mailbox->dma);
437        kfree(mailbox);
438}
439EXPORT_SYMBOL_GPL(mlx4_free_cmd_mailbox);