ClabureDB: Classified Bug-Reports Database

Project: Linux Kernel

Showing error 562

User:	Jiri Slaby
Error type:	Double Free
Error type description:	Freeing function is called twice on the same address
File location:	drivers/infiniband/core/uverbs_main.c
Line in file:	794
Project:	Linux Kernel
Project version:	2.6.28
Tools:	Stanse (1.2)
Entered:	2011-11-07 22:19:31 UTC
Source:

  1/*
  2 * Copyright (c) 2005 Topspin Communications.  All rights reserved.
  3 * Copyright (c) 2005, 2006 Cisco Systems.  All rights reserved.
  4 * Copyright (c) 2005 Mellanox Technologies. All rights reserved.
  5 * Copyright (c) 2005 Voltaire, Inc. All rights reserved.
  6 * Copyright (c) 2005 PathScale, Inc. All rights reserved.
  7 *
  8 * This software is available to you under a choice of one of two
  9 * licenses.  You may choose to be licensed under the terms of the GNU
 10 * General Public License (GPL) Version 2, available from the file
 11 * COPYING in the main directory of this source tree, or the
 12 * OpenIB.org BSD license below:
 13 *
 14 *     Redistribution and use in source and binary forms, with or
 15 *     without modification, are permitted provided that the following
 16 *     conditions are met:
 17 *
 18 *      - Redistributions of source code must retain the above
 19 *        copyright notice, this list of conditions and the following
 20 *        disclaimer.
 21 *
 22 *      - Redistributions in binary form must reproduce the above
 23 *        copyright notice, this list of conditions and the following
 24 *        disclaimer in the documentation and/or other materials
 25 *        provided with the distribution.
 26 *
 27 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
 28 * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
 29 * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
 30 * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
 31 * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
 32 * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
 33 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 34 * SOFTWARE.
 35 */
 36
 37#include <linux/module.h>
 38#include <linux/init.h>
 39#include <linux/device.h>
 40#include <linux/err.h>
 41#include <linux/fs.h>
 42#include <linux/poll.h>
 43#include <linux/file.h>
 44#include <linux/mount.h>
 45#include <linux/cdev.h>
 46
 47#include <asm/uaccess.h>
 48
 49#include "uverbs.h"
 50
 51MODULE_AUTHOR("Roland Dreier");
 52MODULE_DESCRIPTION("InfiniBand userspace verbs access");
 53MODULE_LICENSE("Dual BSD/GPL");
 54
 55#define INFINIBANDEVENTFS_MAGIC        0x49426576        /* "IBev" */
 56
 57enum {
 58        IB_UVERBS_MAJOR       = 231,
 59        IB_UVERBS_BASE_MINOR  = 192,
 60        IB_UVERBS_MAX_DEVICES = 32
 61};
 62
 63#define IB_UVERBS_BASE_DEV        MKDEV(IB_UVERBS_MAJOR, IB_UVERBS_BASE_MINOR)
 64
 65static struct class *uverbs_class;
 66
 67DEFINE_SPINLOCK(ib_uverbs_idr_lock);
 68DEFINE_IDR(ib_uverbs_pd_idr);
 69DEFINE_IDR(ib_uverbs_mr_idr);
 70DEFINE_IDR(ib_uverbs_mw_idr);
 71DEFINE_IDR(ib_uverbs_ah_idr);
 72DEFINE_IDR(ib_uverbs_cq_idr);
 73DEFINE_IDR(ib_uverbs_qp_idr);
 74DEFINE_IDR(ib_uverbs_srq_idr);
 75
 76static spinlock_t map_lock;
 77static struct ib_uverbs_device *dev_table[IB_UVERBS_MAX_DEVICES];
 78static DECLARE_BITMAP(dev_map, IB_UVERBS_MAX_DEVICES);
 79
 80static ssize_t (*uverbs_cmd_table[])(struct ib_uverbs_file *file,
 81                                     const char __user *buf, int in_len,
 82                                     int out_len) = {
 83        [IB_USER_VERBS_CMD_GET_CONTEXT]           = ib_uverbs_get_context,
 84        [IB_USER_VERBS_CMD_QUERY_DEVICE]          = ib_uverbs_query_device,
 85        [IB_USER_VERBS_CMD_QUERY_PORT]            = ib_uverbs_query_port,
 86        [IB_USER_VERBS_CMD_ALLOC_PD]              = ib_uverbs_alloc_pd,
 87        [IB_USER_VERBS_CMD_DEALLOC_PD]            = ib_uverbs_dealloc_pd,
 88        [IB_USER_VERBS_CMD_REG_MR]                = ib_uverbs_reg_mr,
 89        [IB_USER_VERBS_CMD_DEREG_MR]              = ib_uverbs_dereg_mr,
 90        [IB_USER_VERBS_CMD_CREATE_COMP_CHANNEL] = ib_uverbs_create_comp_channel,
 91        [IB_USER_VERBS_CMD_CREATE_CQ]             = ib_uverbs_create_cq,
 92        [IB_USER_VERBS_CMD_RESIZE_CQ]             = ib_uverbs_resize_cq,
 93        [IB_USER_VERBS_CMD_POLL_CQ]             = ib_uverbs_poll_cq,
 94        [IB_USER_VERBS_CMD_REQ_NOTIFY_CQ]             = ib_uverbs_req_notify_cq,
 95        [IB_USER_VERBS_CMD_DESTROY_CQ]            = ib_uverbs_destroy_cq,
 96        [IB_USER_VERBS_CMD_CREATE_QP]             = ib_uverbs_create_qp,
 97        [IB_USER_VERBS_CMD_QUERY_QP]             = ib_uverbs_query_qp,
 98        [IB_USER_VERBS_CMD_MODIFY_QP]             = ib_uverbs_modify_qp,
 99        [IB_USER_VERBS_CMD_DESTROY_QP]            = ib_uverbs_destroy_qp,
100        [IB_USER_VERBS_CMD_POST_SEND]            = ib_uverbs_post_send,
101        [IB_USER_VERBS_CMD_POST_RECV]            = ib_uverbs_post_recv,
102        [IB_USER_VERBS_CMD_POST_SRQ_RECV]            = ib_uverbs_post_srq_recv,
103        [IB_USER_VERBS_CMD_CREATE_AH]            = ib_uverbs_create_ah,
104        [IB_USER_VERBS_CMD_DESTROY_AH]            = ib_uverbs_destroy_ah,
105        [IB_USER_VERBS_CMD_ATTACH_MCAST]          = ib_uverbs_attach_mcast,
106        [IB_USER_VERBS_CMD_DETACH_MCAST]          = ib_uverbs_detach_mcast,
107        [IB_USER_VERBS_CMD_CREATE_SRQ]            = ib_uverbs_create_srq,
108        [IB_USER_VERBS_CMD_MODIFY_SRQ]            = ib_uverbs_modify_srq,
109        [IB_USER_VERBS_CMD_QUERY_SRQ]             = ib_uverbs_query_srq,
110        [IB_USER_VERBS_CMD_DESTROY_SRQ]           = ib_uverbs_destroy_srq,
111};
112
113static struct vfsmount *uverbs_event_mnt;
114
115static void ib_uverbs_add_one(struct ib_device *device);
116static void ib_uverbs_remove_one(struct ib_device *device);
117
118static void ib_uverbs_release_dev(struct kref *ref)
119{
120        struct ib_uverbs_device *dev =
121                container_of(ref, struct ib_uverbs_device, ref);
122
123        complete(&dev->comp);
124}
125
126static void ib_uverbs_release_event_file(struct kref *ref)
127{
128        struct ib_uverbs_event_file *file =
129                container_of(ref, struct ib_uverbs_event_file, ref);
130
131        kfree(file);
132}
133
134void ib_uverbs_release_ucq(struct ib_uverbs_file *file,
135                          struct ib_uverbs_event_file *ev_file,
136                          struct ib_ucq_object *uobj)
137{
138        struct ib_uverbs_event *evt, *tmp;
139
140        if (ev_file) {
141                spin_lock_irq(&ev_file->lock);
142                list_for_each_entry_safe(evt, tmp, &uobj->comp_list, obj_list) {
143                        list_del(&evt->list);
144                        kfree(evt);
145                }
146                spin_unlock_irq(&ev_file->lock);
147
148                kref_put(&ev_file->ref, ib_uverbs_release_event_file);
149        }
150
151        spin_lock_irq(&file->async_file->lock);
152        list_for_each_entry_safe(evt, tmp, &uobj->async_list, obj_list) {
153                list_del(&evt->list);
154                kfree(evt);
155        }
156        spin_unlock_irq(&file->async_file->lock);
157}
158
159void ib_uverbs_release_uevent(struct ib_uverbs_file *file,
160                              struct ib_uevent_object *uobj)
161{
162        struct ib_uverbs_event *evt, *tmp;
163
164        spin_lock_irq(&file->async_file->lock);
165        list_for_each_entry_safe(evt, tmp, &uobj->event_list, obj_list) {
166                list_del(&evt->list);
167                kfree(evt);
168        }
169        spin_unlock_irq(&file->async_file->lock);
170}
171
172static void ib_uverbs_detach_umcast(struct ib_qp *qp,
173                                    struct ib_uqp_object *uobj)
174{
175        struct ib_uverbs_mcast_entry *mcast, *tmp;
176
177        list_for_each_entry_safe(mcast, tmp, &uobj->mcast_list, list) {
178                ib_detach_mcast(qp, &mcast->gid, mcast->lid);
179                list_del(&mcast->list);
180                kfree(mcast);
181        }
182}
183
184static int ib_uverbs_cleanup_ucontext(struct ib_uverbs_file *file,
185                                      struct ib_ucontext *context)
186{
187        struct ib_uobject *uobj, *tmp;
188
189        if (!context)
190                return 0;
191
192        context->closing = 1;
193
194        list_for_each_entry_safe(uobj, tmp, &context->ah_list, list) {
195                struct ib_ah *ah = uobj->object;
196
197                idr_remove_uobj(&ib_uverbs_ah_idr, uobj);
198                ib_destroy_ah(ah);
199                kfree(uobj);
200        }
201
202        list_for_each_entry_safe(uobj, tmp, &context->qp_list, list) {
203                struct ib_qp *qp = uobj->object;
204                struct ib_uqp_object *uqp =
205                        container_of(uobj, struct ib_uqp_object, uevent.uobject);
206
207                idr_remove_uobj(&ib_uverbs_qp_idr, uobj);
208                ib_uverbs_detach_umcast(qp, uqp);
209                ib_destroy_qp(qp);
210                ib_uverbs_release_uevent(file, &uqp->uevent);
211                kfree(uqp);
212        }
213
214        list_for_each_entry_safe(uobj, tmp, &context->cq_list, list) {
215                struct ib_cq *cq = uobj->object;
216                struct ib_uverbs_event_file *ev_file = cq->cq_context;
217                struct ib_ucq_object *ucq =
218                        container_of(uobj, struct ib_ucq_object, uobject);
219
220                idr_remove_uobj(&ib_uverbs_cq_idr, uobj);
221                ib_destroy_cq(cq);
222                ib_uverbs_release_ucq(file, ev_file, ucq);
223                kfree(ucq);
224        }
225
226        list_for_each_entry_safe(uobj, tmp, &context->srq_list, list) {
227                struct ib_srq *srq = uobj->object;
228                struct ib_uevent_object *uevent =
229                        container_of(uobj, struct ib_uevent_object, uobject);
230
231                idr_remove_uobj(&ib_uverbs_srq_idr, uobj);
232                ib_destroy_srq(srq);
233                ib_uverbs_release_uevent(file, uevent);
234                kfree(uevent);
235        }
236
237        /* XXX Free MWs */
238
239        list_for_each_entry_safe(uobj, tmp, &context->mr_list, list) {
240                struct ib_mr *mr = uobj->object;
241
242                idr_remove_uobj(&ib_uverbs_mr_idr, uobj);
243                ib_dereg_mr(mr);
244                kfree(uobj);
245        }
246
247        list_for_each_entry_safe(uobj, tmp, &context->pd_list, list) {
248                struct ib_pd *pd = uobj->object;
249
250                idr_remove_uobj(&ib_uverbs_pd_idr, uobj);
251                ib_dealloc_pd(pd);
252                kfree(uobj);
253        }
254
255        return context->device->dealloc_ucontext(context);
256}
257
258static void ib_uverbs_release_file(struct kref *ref)
259{
260        struct ib_uverbs_file *file =
261                container_of(ref, struct ib_uverbs_file, ref);
262
263        module_put(file->device->ib_dev->owner);
264        kref_put(&file->device->ref, ib_uverbs_release_dev);
265
266        kfree(file);
267}
268
269static ssize_t ib_uverbs_event_read(struct file *filp, char __user *buf,
270                                    size_t count, loff_t *pos)
271{
272        struct ib_uverbs_event_file *file = filp->private_data;
273        struct ib_uverbs_event *event;
274        int eventsz;
275        int ret = 0;
276
277        spin_lock_irq(&file->lock);
278
279        while (list_empty(&file->event_list)) {
280                spin_unlock_irq(&file->lock);
281
282                if (filp->f_flags & O_NONBLOCK)
283                        return -EAGAIN;
284
285                if (wait_event_interruptible(file->poll_wait,
286                                             !list_empty(&file->event_list)))
287                        return -ERESTARTSYS;
288
289                spin_lock_irq(&file->lock);
290        }
291
292        event = list_entry(file->event_list.next, struct ib_uverbs_event, list);
293
294        if (file->is_async)
295                eventsz = sizeof (struct ib_uverbs_async_event_desc);
296        else
297                eventsz = sizeof (struct ib_uverbs_comp_event_desc);
298
299        if (eventsz > count) {
300                ret   = -EINVAL;
301                event = NULL;
302        } else {
303                list_del(file->event_list.next);
304                if (event->counter) {
305                        ++(*event->counter);
306                        list_del(&event->obj_list);
307                }
308        }
309
310        spin_unlock_irq(&file->lock);
311
312        if (event) {
313                if (copy_to_user(buf, event, eventsz))
314                        ret = -EFAULT;
315                else
316                        ret = eventsz;
317        }
318
319        kfree(event);
320
321        return ret;
322}
323
324static unsigned int ib_uverbs_event_poll(struct file *filp,
325                                         struct poll_table_struct *wait)
326{
327        unsigned int pollflags = 0;
328        struct ib_uverbs_event_file *file = filp->private_data;
329
330        poll_wait(filp, &file->poll_wait, wait);
331
332        spin_lock_irq(&file->lock);
333        if (!list_empty(&file->event_list))
334                pollflags = POLLIN | POLLRDNORM;
335        spin_unlock_irq(&file->lock);
336
337        return pollflags;
338}
339
340static int ib_uverbs_event_fasync(int fd, struct file *filp, int on)
341{
342        struct ib_uverbs_event_file *file = filp->private_data;
343
344        return fasync_helper(fd, filp, on, &file->async_queue);
345}
346
347static int ib_uverbs_event_close(struct inode *inode, struct file *filp)
348{
349        struct ib_uverbs_event_file *file = filp->private_data;
350        struct ib_uverbs_event *entry, *tmp;
351
352        spin_lock_irq(&file->lock);
353        file->is_closed = 1;
354        list_for_each_entry_safe(entry, tmp, &file->event_list, list) {
355                if (entry->counter)
356                        list_del(&entry->obj_list);
357                kfree(entry);
358        }
359        spin_unlock_irq(&file->lock);
360
361        if (file->is_async) {
362                ib_unregister_event_handler(&file->uverbs_file->event_handler);
363                kref_put(&file->uverbs_file->ref, ib_uverbs_release_file);
364        }
365        kref_put(&file->ref, ib_uverbs_release_event_file);
366
367        return 0;
368}
369
370static const struct file_operations uverbs_event_fops = {
371        .owner         = THIS_MODULE,
372        .read          = ib_uverbs_event_read,
373        .poll    = ib_uverbs_event_poll,
374        .release = ib_uverbs_event_close,
375        .fasync  = ib_uverbs_event_fasync
376};
377
378void ib_uverbs_comp_handler(struct ib_cq *cq, void *cq_context)
379{
380        struct ib_uverbs_event_file    *file = cq_context;
381        struct ib_ucq_object               *uobj;
382        struct ib_uverbs_event               *entry;
383        unsigned long                        flags;
384
385        if (!file)
386                return;
387
388        spin_lock_irqsave(&file->lock, flags);
389        if (file->is_closed) {
390                spin_unlock_irqrestore(&file->lock, flags);
391                return;
392        }
393
394        entry = kmalloc(sizeof *entry, GFP_ATOMIC);
395        if (!entry) {
396                spin_unlock_irqrestore(&file->lock, flags);
397                return;
398        }
399
400        uobj = container_of(cq->uobject, struct ib_ucq_object, uobject);
401
402        entry->desc.comp.cq_handle = cq->uobject->user_handle;
403        entry->counter                   = &uobj->comp_events_reported;
404
405        list_add_tail(&entry->list, &file->event_list);
406        list_add_tail(&entry->obj_list, &uobj->comp_list);
407        spin_unlock_irqrestore(&file->lock, flags);
408
409        wake_up_interruptible(&file->poll_wait);
410        kill_fasync(&file->async_queue, SIGIO, POLL_IN);
411}
412
413static void ib_uverbs_async_handler(struct ib_uverbs_file *file,
414                                    __u64 element, __u64 event,
415                                    struct list_head *obj_list,
416                                    u32 *counter)
417{
418        struct ib_uverbs_event *entry;
419        unsigned long flags;
420
421        spin_lock_irqsave(&file->async_file->lock, flags);
422        if (file->async_file->is_closed) {
423                spin_unlock_irqrestore(&file->async_file->lock, flags);
424                return;
425        }
426
427        entry = kmalloc(sizeof *entry, GFP_ATOMIC);
428        if (!entry) {
429                spin_unlock_irqrestore(&file->async_file->lock, flags);
430                return;
431        }
432
433        entry->desc.async.element    = element;
434        entry->desc.async.event_type = event;
435        entry->counter               = counter;
436
437        list_add_tail(&entry->list, &file->async_file->event_list);
438        if (obj_list)
439                list_add_tail(&entry->obj_list, obj_list);
440        spin_unlock_irqrestore(&file->async_file->lock, flags);
441
442        wake_up_interruptible(&file->async_file->poll_wait);
443        kill_fasync(&file->async_file->async_queue, SIGIO, POLL_IN);
444}
445
446void ib_uverbs_cq_event_handler(struct ib_event *event, void *context_ptr)
447{
448        struct ib_ucq_object *uobj = container_of(event->element.cq->uobject,
449                                                  struct ib_ucq_object, uobject);
450
451        ib_uverbs_async_handler(uobj->uverbs_file, uobj->uobject.user_handle,
452                                event->event, &uobj->async_list,
453                                &uobj->async_events_reported);
454}
455
456void ib_uverbs_qp_event_handler(struct ib_event *event, void *context_ptr)
457{
458        struct ib_uevent_object *uobj;
459
460        uobj = container_of(event->element.qp->uobject,
461                            struct ib_uevent_object, uobject);
462
463        ib_uverbs_async_handler(context_ptr, uobj->uobject.user_handle,
464                                event->event, &uobj->event_list,
465                                &uobj->events_reported);
466}
467
468void ib_uverbs_srq_event_handler(struct ib_event *event, void *context_ptr)
469{
470        struct ib_uevent_object *uobj;
471
472        uobj = container_of(event->element.srq->uobject,
473                            struct ib_uevent_object, uobject);
474
475        ib_uverbs_async_handler(context_ptr, uobj->uobject.user_handle,
476                                event->event, &uobj->event_list,
477                                &uobj->events_reported);
478}
479
480void ib_uverbs_event_handler(struct ib_event_handler *handler,
481                             struct ib_event *event)
482{
483        struct ib_uverbs_file *file =
484                container_of(handler, struct ib_uverbs_file, event_handler);
485
486        ib_uverbs_async_handler(file, event->element.port_num, event->event,
487                                NULL, NULL);
488}
489
490struct file *ib_uverbs_alloc_event_file(struct ib_uverbs_file *uverbs_file,
491                                        int is_async, int *fd)
492{
493        struct ib_uverbs_event_file *ev_file;
494        struct file *filp;
495        int ret;
496
497        ev_file = kmalloc(sizeof *ev_file, GFP_KERNEL);
498        if (!ev_file)
499                return ERR_PTR(-ENOMEM);
500
501        kref_init(&ev_file->ref);
502        spin_lock_init(&ev_file->lock);
503        INIT_LIST_HEAD(&ev_file->event_list);
504        init_waitqueue_head(&ev_file->poll_wait);
505        ev_file->uverbs_file = uverbs_file;
506        ev_file->async_queue = NULL;
507        ev_file->is_async    = is_async;
508        ev_file->is_closed   = 0;
509
510        *fd = get_unused_fd();
511        if (*fd < 0) {
512                ret = *fd;
513                goto err;
514        }
515
516        /*
517         * fops_get() can't fail here, because we're coming from a
518         * system call on a uverbs file, which will already have a
519         * module reference.
520         */
521        filp = alloc_file(uverbs_event_mnt, dget(uverbs_event_mnt->mnt_root),
522                          FMODE_READ, fops_get(&uverbs_event_fops));
523        if (!filp) {
524                ret = -ENFILE;
525                goto err_fd;
526        }
527
528        filp->private_data = ev_file;
529
530        return filp;
531
532err_fd:
533        put_unused_fd(*fd);
534
535err:
536        kfree(ev_file);
537        return ERR_PTR(ret);
538}
539
540/*
541 * Look up a completion event file by FD.  If lookup is successful,
542 * takes a ref to the event file struct that it returns; if
543 * unsuccessful, returns NULL.
544 */
545struct ib_uverbs_event_file *ib_uverbs_lookup_comp_file(int fd)
546{
547        struct ib_uverbs_event_file *ev_file = NULL;
548        struct file *filp;
549
550        filp = fget(fd);
551        if (!filp)
552                return NULL;
553
554        if (filp->f_op != &uverbs_event_fops)
555                goto out;
556
557        ev_file = filp->private_data;
558        if (ev_file->is_async) {
559                ev_file = NULL;
560                goto out;
561        }
562
563        kref_get(&ev_file->ref);
564
565out:
566        fput(filp);
567        return ev_file;
568}
569
570static ssize_t ib_uverbs_write(struct file *filp, const char __user *buf,
571                             size_t count, loff_t *pos)
572{
573        struct ib_uverbs_file *file = filp->private_data;
574        struct ib_uverbs_cmd_hdr hdr;
575
576        if (count < sizeof hdr)
577                return -EINVAL;
578
579        if (copy_from_user(&hdr, buf, sizeof hdr))
580                return -EFAULT;
581
582        if (hdr.in_words * 4 != count)
583                return -EINVAL;
584
585        if (hdr.command < 0                                ||
586            hdr.command >= ARRAY_SIZE(uverbs_cmd_table) ||
587            !uverbs_cmd_table[hdr.command]                ||
588            !(file->device->ib_dev->uverbs_cmd_mask & (1ull << hdr.command)))
589                return -EINVAL;
590
591        if (!file->ucontext &&
592            hdr.command != IB_USER_VERBS_CMD_GET_CONTEXT)
593                return -EINVAL;
594
595        return uverbs_cmd_table[hdr.command](file, buf + sizeof hdr,
596                                             hdr.in_words * 4, hdr.out_words * 4);
597}
598
599static int ib_uverbs_mmap(struct file *filp, struct vm_area_struct *vma)
600{
601        struct ib_uverbs_file *file = filp->private_data;
602
603        if (!file->ucontext)
604                return -ENODEV;
605        else
606                return file->device->ib_dev->mmap(file->ucontext, vma);
607}
608
609/*
610 * ib_uverbs_open() does not need the BKL:
611 *
612 *  - dev_table[] accesses are protected by map_lock, the
613 *    ib_uverbs_device structures are properly reference counted, and
614 *    everything else is purely local to the file being created, so
615 *    races against other open calls are not a problem;
616 *  - there is no ioctl method to race against;
617 *  - the device is added to dev_table[] as the last part of module
618 *    initialization, the open method will either immediately run
619 *    -ENXIO, or all required initialization will be done.
620 */
621static int ib_uverbs_open(struct inode *inode, struct file *filp)
622{
623        struct ib_uverbs_device *dev;
624        struct ib_uverbs_file *file;
625        int ret;
626
627        spin_lock(&map_lock);
628        dev = dev_table[iminor(inode) - IB_UVERBS_BASE_MINOR];
629        if (dev)
630                kref_get(&dev->ref);
631        spin_unlock(&map_lock);
632
633        if (!dev)
634                return -ENXIO;
635
636        if (!try_module_get(dev->ib_dev->owner)) {
637                ret = -ENODEV;
638                goto err;
639        }
640
641        file = kmalloc(sizeof *file, GFP_KERNEL);
642        if (!file) {
643                ret = -ENOMEM;
644                goto err_module;
645        }
646
647        file->device         = dev;
648        file->ucontext         = NULL;
649        file->async_file = NULL;
650        kref_init(&file->ref);
651        mutex_init(&file->mutex);
652
653        filp->private_data = file;
654
655        return 0;
656
657err_module:
658        module_put(dev->ib_dev->owner);
659
660err:
661        kref_put(&dev->ref, ib_uverbs_release_dev);
662        return ret;
663}
664
665static int ib_uverbs_close(struct inode *inode, struct file *filp)
666{
667        struct ib_uverbs_file *file = filp->private_data;
668
669        ib_uverbs_cleanup_ucontext(file, file->ucontext);
670
671        if (file->async_file)
672                kref_put(&file->async_file->ref, ib_uverbs_release_event_file);
673
674        kref_put(&file->ref, ib_uverbs_release_file);
675
676        return 0;
677}
678
679static const struct file_operations uverbs_fops = {
680        .owner          = THIS_MODULE,
681        .write          = ib_uverbs_write,
682        .open          = ib_uverbs_open,
683        .release = ib_uverbs_close
684};
685
686static const struct file_operations uverbs_mmap_fops = {
687        .owner          = THIS_MODULE,
688        .write          = ib_uverbs_write,
689        .mmap    = ib_uverbs_mmap,
690        .open          = ib_uverbs_open,
691        .release = ib_uverbs_close
692};
693
694static struct ib_client uverbs_client = {
695        .name   = "uverbs",
696        .add    = ib_uverbs_add_one,
697        .remove = ib_uverbs_remove_one
698};
699
700static ssize_t show_ibdev(struct device *device, struct device_attribute *attr,
701                          char *buf)
702{
703        struct ib_uverbs_device *dev = dev_get_drvdata(device);
704
705        if (!dev)
706                return -ENODEV;
707
708        return sprintf(buf, "%s\n", dev->ib_dev->name);
709}
710static DEVICE_ATTR(ibdev, S_IRUGO, show_ibdev, NULL);
711
712static ssize_t show_dev_abi_version(struct device *device,
713                                    struct device_attribute *attr, char *buf)
714{
715        struct ib_uverbs_device *dev = dev_get_drvdata(device);
716
717        if (!dev)
718                return -ENODEV;
719
720        return sprintf(buf, "%d\n", dev->ib_dev->uverbs_abi_ver);
721}
722static DEVICE_ATTR(abi_version, S_IRUGO, show_dev_abi_version, NULL);
723
724static ssize_t show_abi_version(struct class *class, char *buf)
725{
726        return sprintf(buf, "%d\n", IB_USER_VERBS_ABI_VERSION);
727}
728static CLASS_ATTR(abi_version, S_IRUGO, show_abi_version, NULL);
729
730static void ib_uverbs_add_one(struct ib_device *device)
731{
732        struct ib_uverbs_device *uverbs_dev;
733
734        if (!device->alloc_ucontext)
735                return;
736
737        uverbs_dev = kzalloc(sizeof *uverbs_dev, GFP_KERNEL);
738        if (!uverbs_dev)
739                return;
740
741        kref_init(&uverbs_dev->ref);
742        init_completion(&uverbs_dev->comp);
743
744        spin_lock(&map_lock);
745        uverbs_dev->devnum = find_first_zero_bit(dev_map, IB_UVERBS_MAX_DEVICES);
746        if (uverbs_dev->devnum >= IB_UVERBS_MAX_DEVICES) {
747                spin_unlock(&map_lock);
748                goto err;
749        }
750        set_bit(uverbs_dev->devnum, dev_map);
751        spin_unlock(&map_lock);
752
753        uverbs_dev->ib_dev           = device;
754        uverbs_dev->num_comp_vectors = device->num_comp_vectors;
755
756        uverbs_dev->cdev = cdev_alloc();
757        if (!uverbs_dev->cdev)
758                goto err;
759        uverbs_dev->cdev->owner = THIS_MODULE;
760        uverbs_dev->cdev->ops = device->mmap ? &uverbs_mmap_fops : &uverbs_fops;
761        kobject_set_name(&uverbs_dev->cdev->kobj, "uverbs%d", uverbs_dev->devnum);
762        if (cdev_add(uverbs_dev->cdev, IB_UVERBS_BASE_DEV + uverbs_dev->devnum, 1))
763                goto err_cdev;
764
765        uverbs_dev->dev = device_create(uverbs_class, device->dma_device,
766                                        uverbs_dev->cdev->dev, uverbs_dev,
767                                        "uverbs%d", uverbs_dev->devnum);
768        if (IS_ERR(uverbs_dev->dev))
769                goto err_cdev;
770
771        if (device_create_file(uverbs_dev->dev, &dev_attr_ibdev))
772                goto err_class;
773        if (device_create_file(uverbs_dev->dev, &dev_attr_abi_version))
774                goto err_class;
775
776        spin_lock(&map_lock);
777        dev_table[uverbs_dev->devnum] = uverbs_dev;
778        spin_unlock(&map_lock);
779
780        ib_set_client_data(device, &uverbs_client, uverbs_dev);
781
782        return;
783
784err_class:
785        device_destroy(uverbs_class, uverbs_dev->cdev->dev);
786
787err_cdev:
788        cdev_del(uverbs_dev->cdev);
789        clear_bit(uverbs_dev->devnum, dev_map);
790
791err:
792        kref_put(&uverbs_dev->ref, ib_uverbs_release_dev);
793        wait_for_completion(&uverbs_dev->comp);
794        kfree(uverbs_dev);
795        return;
796}
797
798static void ib_uverbs_remove_one(struct ib_device *device)
799{
800        struct ib_uverbs_device *uverbs_dev = ib_get_client_data(device, &uverbs_client);
801
802        if (!uverbs_dev)
803                return;
804
805        dev_set_drvdata(uverbs_dev->dev, NULL);
806        device_destroy(uverbs_class, uverbs_dev->cdev->dev);
807        cdev_del(uverbs_dev->cdev);
808
809        spin_lock(&map_lock);
810        dev_table[uverbs_dev->devnum] = NULL;
811        spin_unlock(&map_lock);
812
813        clear_bit(uverbs_dev->devnum, dev_map);
814
815        kref_put(&uverbs_dev->ref, ib_uverbs_release_dev);
816        wait_for_completion(&uverbs_dev->comp);
817        kfree(uverbs_dev);
818}
819
820static int uverbs_event_get_sb(struct file_system_type *fs_type, int flags,
821                               const char *dev_name, void *data,
822                               struct vfsmount *mnt)
823{
824        return get_sb_pseudo(fs_type, "infinibandevent:", NULL,
825                             INFINIBANDEVENTFS_MAGIC, mnt);
826}
827
828static struct file_system_type uverbs_event_fs = {
829        /* No owner field so module can be unloaded */
830        .name    = "infinibandeventfs",
831        .get_sb  = uverbs_event_get_sb,
832        .kill_sb = kill_litter_super
833};
834
835static int __init ib_uverbs_init(void)
836{
837        int ret;
838
839        spin_lock_init(&map_lock);
840
841        ret = register_chrdev_region(IB_UVERBS_BASE_DEV, IB_UVERBS_MAX_DEVICES,
842                                     "infiniband_verbs");
843        if (ret) {
844                printk(KERN_ERR "user_verbs: couldn't register device number\n");
845                goto out;
846        }
847
848        uverbs_class = class_create(THIS_MODULE, "infiniband_verbs");
849        if (IS_ERR(uverbs_class)) {
850                ret = PTR_ERR(uverbs_class);
851                printk(KERN_ERR "user_verbs: couldn't create class infiniband_verbs\n");
852                goto out_chrdev;
853        }
854
855        ret = class_create_file(uverbs_class, &class_attr_abi_version);
856        if (ret) {
857                printk(KERN_ERR "user_verbs: couldn't create abi_version attribute\n");
858                goto out_class;
859        }
860
861        ret = register_filesystem(&uverbs_event_fs);
862        if (ret) {
863                printk(KERN_ERR "user_verbs: couldn't register infinibandeventfs\n");
864                goto out_class;
865        }
866
867        uverbs_event_mnt = kern_mount(&uverbs_event_fs);
868        if (IS_ERR(uverbs_event_mnt)) {
869                ret = PTR_ERR(uverbs_event_mnt);
870                printk(KERN_ERR "user_verbs: couldn't mount infinibandeventfs\n");
871                goto out_fs;
872        }
873
874        ret = ib_register_client(&uverbs_client);
875        if (ret) {
876                printk(KERN_ERR "user_verbs: couldn't register client\n");
877                goto out_mnt;
878        }
879
880        return 0;
881
882out_mnt:
883        mntput(uverbs_event_mnt);
884
885out_fs:
886        unregister_filesystem(&uverbs_event_fs);
887
888out_class:
889        class_destroy(uverbs_class);
890
891out_chrdev:
892        unregister_chrdev_region(IB_UVERBS_BASE_DEV, IB_UVERBS_MAX_DEVICES);
893
894out:
895        return ret;
896}
897
898static void __exit ib_uverbs_cleanup(void)
899{
900        ib_unregister_client(&uverbs_client);
901        mntput(uverbs_event_mnt);
902        unregister_filesystem(&uverbs_event_fs);
903        class_destroy(uverbs_class);
904        unregister_chrdev_region(IB_UVERBS_BASE_DEV, IB_UVERBS_MAX_DEVICES);
905        idr_destroy(&ib_uverbs_pd_idr);
906        idr_destroy(&ib_uverbs_mr_idr);
907        idr_destroy(&ib_uverbs_mw_idr);
908        idr_destroy(&ib_uverbs_ah_idr);
909        idr_destroy(&ib_uverbs_cq_idr);
910        idr_destroy(&ib_uverbs_qp_idr);
911        idr_destroy(&ib_uverbs_srq_idr);
912}
913
914module_init(ib_uverbs_init);
915module_exit(ib_uverbs_cleanup);