[BUG] bnx2x: bnx2x_set_pbd_csum() random accesses

[BUG] bnx2x: bnx2x_set_pbd_csum() random accesses

[Eric Dumazet]

Hi guys

bnx2x_set_pbd_csum() / bnx2x_set_pbd_csum_e2() seem to read
tcp_hdrlen(skb) even for non TCP frames ?

Also, (skb_network_header(skb) - skb->data) is signed, so 
	(skb_network_header(skb) - skb->data) / 2 is a bit expensive...

Thanks

[PATCH] bnx2x: dont dereference tcp header on non tcp frames

[Eric Dumazet]

Le mardi 19 avril 2011 à 18:11 +0200, Eric Dumazet a écrit :
> Hi guys
> 
> bnx2x_set_pbd_csum() / bnx2x_set_pbd_csum_e2() seem to read
> tcp_hdrlen(skb) even for non TCP frames ?
> 
> Also, (skb_network_header(skb) - skb->data) is signed, so 
> 	(skb_network_header(skb) - skb->data) / 2 is a bit expensive...
> 

I managed to trigger a kmemcheck fault using netperf -t UDP_RR

02:00.1 Ethernet controller: Broadcom Corporation NetXtreme II BCM57711E 10Gigabit PCIe

[  341.246514] WARNING: kmemcheck: Caught 8-bit read from uninitialized memory (ffff88011800ec30)
[  341.247155] c0a8146ea907c4550009aa456ed2000008000400040000001400030000000000
[  341.249789]  i i i i i i i i i i i i i u u u u u u u u u u u u u u u u u u u
[  341.252425]                                  ^
[  341.252773] 
[  341.252937] Pid: 4122, comm: netperf Not tainted 2.6.39-rc4-00237-ge3de956-dirty #549 HP ProLiant BL460c G6
[  341.253768] RIP: 0010:[<ffffffff812f5224>]  [<ffffffff812f5224>] bnx2x_start_xmit+0xce4/0x13f0
[  341.254476] RSP: 0018:ffff8801158b38b8  EFLAGS: 00010286
[  341.254879] RAX: ffff88011800ec24 RBX: ffff880118e44820 RCX: 0000000000000007
[  341.255400] RDX: 000000000000000a RSI: ffff880118e44820 RDI: ffff88011800ec40
[  341.255918] RBP: ffff8801158b39b8 R08: ffff88011800ec40 R09: ffff88011800ec00
[  341.256439] R10: 0000000000000000 R11: 000000006e14a8c0 R12: ffff880118f4db00
[  341.256958] R13: 0000000000000481 R14: 0000000000000040 R15: ffff880118ff18e0
[  341.257479] FS:  0000000000000000(0000) GS:ffff88011fc00000(0063) knlGS:00000000f77e16c0
[  341.258081] CS:  0010 DS: 002b ES: 002b CR0: 000000008005003b
[  341.258511] CR2: ffff880119856058 CR3: 0000000115879000 CR4: 00000000000006f0
[  341.259033] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[  341.259551] DR3: 0000000000000000 DR6: 00000000ffff4ff0 DR7: 0000000000000400
[  341.260072]  [<ffffffff8137fac5>] dev_hard_start_xmit+0x365/0x690
[  341.260593]  [<ffffffff81398bf7>] sch_direct_xmit+0xb7/0x1c0
[  341.261091]  [<ffffffff81383da8>] dev_queue_xmit+0x1a8/0x5d0
[  341.261583]  [<ffffffff813c2842>] ip_finish_output+0x122/0x2f0
[  341.262122]  [<ffffffff813c163e>] ip_output+0x7e/0xc0
[  341.262609]  [<ffffffff813c1194>] ip_local_out+0x24/0x30
[  341.263114]  [<ffffffff813c11b6>] ip_send_skb+0x16/0x70
[  341.263611]  [<ffffffff813e1326>] udp_send_skb+0x126/0x380
[  341.264129]  [<ffffffff813e300c>] udp_sendmsg+0x2cc/0x790
[  341.264637]  [<ffffffff813eaf44>] inet_sendmsg+0x84/0xc0
[  341.265143]  [<ffffffff8136d98b>] sock_sendmsg+0xbb/0xf0
[  341.265646]  [<ffffffff8136e1e5>] sys_sendto+0x105/0x140
[  341.266151]  [<ffffffff8136e22f>] sys_send+0xf/0x20
[  341.266625]  [<ffffffff813969fd>] compat_sys_socketcall+0xfd/0x1f0
[  341.267186]  [<ffffffff8146b8e9>] sysenter_dispatch+0x7/0x27

[PATCH] bnx2x: dont dereference tcp header on non tcp frames

bnx2x_set_pbd_csum() & bnx2x_set_pbd_csum_e2() use 
tcp_hdrlen(skb) even for non TCP frames

Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Cc: Dmitry Kravkov <dmitry@broadcom.com>
Cc: Eilon Greenstein <eilong@broadcom.com>
---
 drivers/net/bnx2x/bnx2x_cmn.c |    9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/drivers/net/bnx2x/bnx2x_cmn.c b/drivers/net/bnx2x/bnx2x_cmn.c
index e83ac6d..a16a638 100644
--- a/drivers/net/bnx2x/bnx2x_cmn.c
+++ b/drivers/net/bnx2x/bnx2x_cmn.c
@@ -2019,7 +2019,9 @@ static inline void bnx2x_set_pbd_gso(struct sk_buff *skb,
 static inline  u8 bnx2x_set_pbd_csum_e2(struct bnx2x *bp, struct sk_buff *skb,
 	u32 *parsing_data, u32 xmit_type)
 {
-	*parsing_data |= ((tcp_hdrlen(skb)/4) <<
+	u8 tcphlen = (xmit_type & XMIT_CSUM_TCP) ? tcp_hdrlen(skb) : 0;
+
+	*parsing_data |= ((tcphlen/4) <<
 		ETH_TX_PARSE_BD_E2_TCP_HDR_LENGTH_DW_SHIFT) &
 		ETH_TX_PARSE_BD_E2_TCP_HDR_LENGTH_DW;
 
@@ -2027,7 +2029,7 @@ static inline  u8 bnx2x_set_pbd_csum_e2(struct bnx2x *bp, struct sk_buff *skb,
 		ETH_TX_PARSE_BD_E2_TCP_HDR_START_OFFSET_W_SHIFT) &
 		ETH_TX_PARSE_BD_E2_TCP_HDR_START_OFFSET_W;
 
-	return skb_transport_header(skb) + tcp_hdrlen(skb) - skb->data;
+	return skb_transport_header(skb) + tcphlen - skb->data;
 }
 
 /**
@@ -2044,6 +2046,7 @@ static inline u8 bnx2x_set_pbd_csum(struct bnx2x *bp, struct sk_buff *skb,
 	u32 xmit_type)
 {
 	u8 hlen = (skb_network_header(skb) - skb->data) / 2;
+	u8 tcphlen = (xmit_type & XMIT_CSUM_TCP) ? tcp_hdrlen(skb) : 0;
 
 	/* for now NS flag is not used in Linux */
 	pbd->global_data =
@@ -2053,7 +2056,7 @@ static inline u8 bnx2x_set_pbd_csum(struct bnx2x *bp, struct sk_buff *skb,
 	pbd->ip_hlen_w = (skb_transport_header(skb) -
 			skb_network_header(skb)) / 2;
 
-	hlen += pbd->ip_hlen_w + tcp_hdrlen(skb) / 2;
+	hlen += pbd->ip_hlen_w + tcphlen / 2;
 
 	pbd->total_hlen_w = cpu_to_le16(hlen);
 	hlen = hlen*2;

Re: [PATCH] bnx2x: dont dereference tcp header on non tcp frames

[David Miller]

From: Eric Dumazet <eric.dumazet@gmail.com>
Date: Wed, 20 Apr 2011 09:31:53 +0200

> [PATCH] bnx2x: dont dereference tcp header on non tcp frames
> 
> bnx2x_set_pbd_csum() & bnx2x_set_pbd_csum_e2() use 
> tcp_hdrlen(skb) even for non TCP frames
> 
> Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>

Broadcom folks please review.

Re: [PATCH] bnx2x: dont dereference tcp header on non tcp frames

[Dmitry Kravkov]

On Wed, 2011-04-20 at 01:46 -0700, David Miller wrote:
> From: Eric Dumazet <eric.dumazet@gmail.com>
> Date: Wed, 20 Apr 2011 09:31:53 +0200
> 
> > [PATCH] bnx2x: dont dereference tcp header on non tcp frames
> > 
> > bnx2x_set_pbd_csum() & bnx2x_set_pbd_csum_e2() use 
> > tcp_hdrlen(skb) even for non TCP frames
> > 
> > Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
> 
> Broadcom folks please review.
> 

Following patch fixes udp checksum offload flow and also addresses
issues raised by Eric. We are testing it now.

From: Vladislav Zolotarov <vladz@broadcom.com>

Signed-off-by: Dmitry Kravkov <dmitry@broadcom.com>
Signed-off-by: Eilon Greenstein <eilong@broadcom.com>
---
 drivers/net/bnx2x/bnx2x_cmn.c |   34 ++++++++++++++++++++++++----------
 1 files changed, 24 insertions(+), 10 deletions(-)

diff --git a/drivers/net/bnx2x/bnx2x_cmn.c b/drivers/net/bnx2x/bnx2x_cmn.c
index e83ac6d..16581df 100644
--- a/drivers/net/bnx2x/bnx2x_cmn.c
+++ b/drivers/net/bnx2x/bnx2x_cmn.c
@@ -2019,15 +2019,23 @@ static inline void bnx2x_set_pbd_gso(struct sk_buff *skb,
 static inline  u8 bnx2x_set_pbd_csum_e2(struct bnx2x *bp, struct sk_buff *skb,
 	u32 *parsing_data, u32 xmit_type)
 {
-	*parsing_data |= ((tcp_hdrlen(skb)/4) <<
-		ETH_TX_PARSE_BD_E2_TCP_HDR_LENGTH_DW_SHIFT) &
-		ETH_TX_PARSE_BD_E2_TCP_HDR_LENGTH_DW;
+	*parsing_data |=
+			((((u8 *)skb_transport_header(skb) - skb->data) >> 1) <<
+			ETH_TX_PARSE_BD_E2_TCP_HDR_START_OFFSET_W_SHIFT) &
+			ETH_TX_PARSE_BD_E2_TCP_HDR_START_OFFSET_W;
 
-	*parsing_data |= ((((u8 *)tcp_hdr(skb) - skb->data) / 2) <<
-		ETH_TX_PARSE_BD_E2_TCP_HDR_START_OFFSET_W_SHIFT) &
-		ETH_TX_PARSE_BD_E2_TCP_HDR_START_OFFSET_W;
+	if (xmit_type & XMIT_CSUM_TCP) {
+		*parsing_data |= ((tcp_hdrlen(skb) / 4) <<
+			ETH_TX_PARSE_BD_E2_TCP_HDR_LENGTH_DW_SHIFT) &
+			ETH_TX_PARSE_BD_E2_TCP_HDR_LENGTH_DW;
 
-	return skb_transport_header(skb) + tcp_hdrlen(skb) - skb->data;
+		return skb_transport_header(skb) + tcp_hdrlen(skb) - skb->data;
+	} else
+		/* We support checksum offload for TCP and UDP only.
+		 * No need to pass the UDP header length - it's a constant.
+		 */
+		return skb_transport_header(skb) +
+				sizeof(struct udphdr) - skb->data;
 }
 
 /**
@@ -2043,7 +2051,7 @@ static inline u8 bnx2x_set_pbd_csum(struct bnx2x *bp, struct sk_buff *skb,
 	struct eth_tx_parse_bd_e1x *pbd,
 	u32 xmit_type)
 {
-	u8 hlen = (skb_network_header(skb) - skb->data) / 2;
+	u8 hlen = (skb_network_header(skb) - skb->data) >> 1;
 
 	/* for now NS flag is not used in Linux */
 	pbd->global_data =
@@ -2051,9 +2059,15 @@ static inline u8 bnx2x_set_pbd_csum(struct bnx2x *bp, struct sk_buff *skb,
 			 ETH_TX_PARSE_BD_E1X_LLC_SNAP_EN_SHIFT));
 
 	pbd->ip_hlen_w = (skb_transport_header(skb) -
-			skb_network_header(skb)) / 2;
+			skb_network_header(skb)) >> 1;
 
-	hlen += pbd->ip_hlen_w + tcp_hdrlen(skb) / 2;
+	hlen += pbd->ip_hlen_w;
+
+	/* We support checksum offload for TCP and UDP only */
+	if (xmit_type & XMIT_CSUM_TCP)
+		hlen += tcp_hdrlen(skb) / 2;
+	else
+		hlen += sizeof(struct udphdr) / 2;
 
 	pbd->total_hlen_w = cpu_to_le16(hlen);
 	hlen = hlen*2;
-- 
1.7.2.2

Re: [PATCH] bnx2x: dont dereference tcp header on non tcp frames

[Dmitry Kravkov]

On Wed, 2011-04-20 at 02:40 -0700, Dmitry Kravkov wrote:

> Following patch fixes udp checksum offload flow and also addresses
> issues raised by Eric. We are testing it now.

It passed local regression, i was also unable to reproduce kmemcheck
warning.

I hit this one (on net-2.6 from today) not sure if it's related:


INFO: rcu_sched_state detected stall on CPU 0 (t=60000 jiffies)
sending NMI to all CPUs:
NMI backtrace for cpu 0
CPU 0 
Modules linked in: bnx2x nfs fscache nfsd nfs_acl auth_rpcgss autofs4
bluetooth rfkill lockd sunrpc ipv6 loop dm_mirror dm_multipath scsi_dh
video sbs sbshc power_meter battery acpi_memhotplug ac parport_pc lp
parport ide_cd_mod cdrom serio_raw option usb_wwan usbserial button b
nx2 tpm_tis tpm tpm_bios ipmi_si ipmi_msghandler hpilo mdio rtc_cmos
pcspkr rtc_core i5k_amb hwmon i5000_edac edac_core rtc_lib
dm_region_hash dm_log dm_mod ata_piix libata shpchp cciss sd_mod
scsi_mod ext3 jbd uhci_hcd ohci_hcd ehci_hcd [last unloaded: bnx2x]

Pid: 3441, comm: kworker/0:3 Not tainted 2.6.39-rc2test+ #2 HP ProLiant
DL380 G5
RIP: 0010:[<ffffffff811cbf65>]  [<ffffffff811cbf65>] delay_tsc+0x15/0x60
RSP: 0018:ffff88023fc03e78  EFLAGS: 00000803
RAX: 00000000ddf79987 RBX: 0000000000000001 RCX: ffffffff817894e0
RDX: 00000000000001aa RSI: 00000000000000ff RDI: 00000000002dc788
RBP: ffff88023fc03e78 R08: 0000000000000003 R09: 0000000000000000
R10: 0000000000000000 R11: 000000000000000a R12: ffff88023fc0e5e0
R13: ffff88023497cf60 R14: ffffffff81729900 R15: ffffffff81729a00
FS:  0000000000000000(0000) GS:ffff88023fc00000(0000)
knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
CR2: 00007f24456760a0 CR3: 0000000001713000 CR4: 00000000000006f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff4ff0 DR7: 0000000000000400
Process kworker/0:3 (pid: 3441, threadinfo ffff88021fe74000, task
ffff88023497cf60)
Stack:
 ffff88023fc03e88 ffffffff811cbf1a ffff88023fc03e98 ffffffff811cbf47
 ffff88023fc03eb8 ffffffff8101d155 0000000000000000 ffffffff81729900
 ffff88023fc03ef8 ffffffff81092b9c 000000004daf0bb9 0000000000000000
Call Trace:
 <IRQ> 
 [<ffffffff811cbf1a>] __delay+0xa/0x10
 [<ffffffff811cbf47>] __const_udelay+0x27/0x30
 [<ffffffff8101d155>] arch_trigger_all_cpu_backtrace+0x75/0xb0
 [<ffffffff81092b9c>] __rcu_pending+0x9c/0x370
 [<ffffffff81092efd>] rcu_check_callbacks+0x8d/0xd0
 [<ffffffff810530c1>] update_process_times+0x41/0x80
 [<ffffffff81070c07>] tick_periodic+0x27/0x70
 [<ffffffff81070c71>] tick_handle_periodic+0x21/0x80
 [<ffffffff8101cbd6>] smp_apic_timer_interrupt+0x66/0xa0
 [<ffffffff813c1993>] apic_timer_interrupt+0x13/0x20
 <EOI> 
 [<ffffffff811b1964>] ? blk_delay_work+0x34/0x40
 [<ffffffff8105d449>] process_one_work+0xf9/0x390
 [<ffffffff811b1930>] ? submit_bio+0xd0/0xd0
 [<ffffffff8105fa45>] worker_thread+0xe5/0x270
 [<ffffffff8105f960>] ? gcwq_mayday_timeout+0x80/0x80
 [<ffffffff810638e6>] kthread+0x96/0xa0
 [<ffffffff813c20d4>] kernel_thread_helper+0x4/0x10
 [<ffffffff81063850>] ? kthread_stop+0xd0/0xd0
 [<ffffffff813c20d0>] ? gs_change+0xb/0xb
Code: 89 e5 f7 e2 48 8d 7a 01 e8 c9 ff ff ff c9 c3 0f 1f 80 00 00 00 00
55 65 44 8b 0c 25 68 c5 00 00 48 89 e5 66 66 90 0f ae e8 0f 31 
 89 c0 44 89 ce eb 11 0f 1f 00 f3 90 65 8b 0c 25 68 c5 00 00 
Call Trace:
 <IRQ>  [<ffffffff811cbf1a>] __delay+0xa/0x10
 [<ffffffff811cbf47>] __const_udelay+0x27/0x30
 [<ffffffff8101d155>] arch_trigger_all_cpu_backtrace+0x75/0xb0
 [<ffffffff81092b9c>] __rcu_pending+0x9c/0x370
 [<ffffffff81092efd>] rcu_check_callbacks+0x8d/0xd0
 [<ffffffff810530c1>] update_process_times+0x41/0x80
 [<ffffffff81070c07>] tick_periodic+0x27/0x70
 [<ffffffff81070c71>] tick_handle_periodic+0x21/0x80
 [<ffffffff8101cbd6>] smp_apic_timer_interrupt+0x66/0xa0
 [<ffffffff813c1993>] apic_timer_interrupt+0x13/0x20
 <EOI>  [<ffffffff811b1964>] ? blk_delay_work+0x34/0x40
 [<ffffffff8105d449>] process_one_work+0xf9/0x390
 [<ffffffff811b1930>] ? submit_bio+0xd0/0xd0
 [<ffffffff8105fa45>] worker_thread+0xe5/0x270
 [<ffffffff8105f960>] ? gcwq_mayday_timeout+0x80/0x80
 [<ffffffff810638e6>] kthread+0x96/0xa0
 [<ffffffff813c20d4>] kernel_thread_helper+0x4/0x10
 [<ffffffff81063850>] ? kthread_stop+0xd0/0xd0
 [<ffffffff813c20d0>] ? gs_change+0xb/0xb

Re: [PATCH] bnx2x: dont dereference tcp header on non tcp frames

[David Miller]

From: "Dmitry Kravkov" <dmitry@broadcom.com>
Date: Wed, 20 Apr 2011 12:40:10 +0300

> On Wed, 2011-04-20 at 01:46 -0700, David Miller wrote:
>> From: Eric Dumazet <eric.dumazet@gmail.com>
>> Date: Wed, 20 Apr 2011 09:31:53 +0200
>> 
>> > [PATCH] bnx2x: dont dereference tcp header on non tcp frames
>> > 
>> > bnx2x_set_pbd_csum() & bnx2x_set_pbd_csum_e2() use 
>> > tcp_hdrlen(skb) even for non TCP frames
>> > 
>> > Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
>> 
>> Broadcom folks please review.
>> 
> 
> Following patch fixes udp checksum offload flow and also addresses
> issues raised by Eric. We are testing it now.
> 
> From: Vladislav Zolotarov <vladz@broadcom.com>
> 
> Signed-off-by: Dmitry Kravkov <dmitry@broadcom.com>
> Signed-off-by: Eilon Greenstein <eilong@broadcom.com>

Can you guys please wrap this up and formally submit this patch?

Please remember to add appropriate tags for Eric, probably both
"Reported-by: " and "Tested-by: ".

Thank you!