* [Intel-wired-lan] [bug report] ixgbe: add XDP support for pass and drop actions
@ 2017-05-02 19:29 Dan Carpenter
2017-05-02 20:38 ` Duyck, Alexander H
0 siblings, 1 reply; 5+ messages in thread
From: Dan Carpenter @ 2017-05-02 19:29 UTC (permalink / raw)
To: intel-wired-lan
Hello John Fastabend,
The patch 924708081629: "ixgbe: add XDP support for pass and drop
actions" from Apr 24, 2017, leads to the following static checker
warning:
drivers/net/ethernet/intel/ixgbe/ixgbe_main.c:2365 ixgbe_clean_rx_irq()
error: 'skb' dereferencing possible ERR_PTR()
drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
2326
2327 if (IS_ERR(skb)) {
^^^^^^^^^^
Assume that this is true.
2328 if (PTR_ERR(skb) == -IXGBE_XDP_TX) {
2329 xdp_xmit = true;
2330 ixgbe_rx_buffer_flip(rx_ring, rx_buffer, size);
2331 } else {
2332 rx_buffer->pagecnt_bias++;
2333 }
2334 total_rx_packets++;
2335 total_rx_bytes += size;
2336 } else if (skb) {
2337 ixgbe_add_rx_frag(rx_ring, rx_buffer, skb, size);
2338 } else if (ring_uses_build_skb(rx_ring)) {
2339 skb = ixgbe_build_skb(rx_ring, rx_buffer,
2340 &xdp, rx_desc);
2341 } else {
2342 skb = ixgbe_construct_skb(rx_ring, rx_buffer,
2343 &xdp, rx_desc);
2344 }
2345
2346 /* exit if we failed to retrieve a buffer */
2347 if (!skb) {
2348 rx_ring->rx_stats.alloc_rx_buff_failed++;
2349 rx_buffer->pagecnt_bias++;
2350 break;
2351 }
2352
2353 ixgbe_put_rx_buffer(rx_ring, rx_buffer, skb);
2354 cleaned_count++;
2355
2356 /* place incomplete frames back on ring for completion */
2357 if (ixgbe_is_non_eop(rx_ring, rx_desc, skb))
2358 continue;
2359
2360 /* verify the packet layout is correct */
2361 if (ixgbe_cleanup_headers(rx_ring, rx_desc, skb))
2362 continue;
2363
2364 /* probably a little skewed due to removing CRC */
2365 total_rx_bytes += skb->len;
^^^^^^^^
Then this is a potential Oops. Possibly some of the earlier uses are
wrong. Or possibly we always hit a continue? It's either buggy or
there should probably be a comment explaining what's going on...
2366
2367 /* populate checksum, timestamp, VLAN, and protocol */
2368 ixgbe_process_skb_fields(rx_ring, rx_desc, skb);
regards,
dan carpenter
^ permalink raw reply [flat|nested] 5+ messages in thread
* [Intel-wired-lan] [bug report] ixgbe: add XDP support for pass and drop actions
2017-05-02 19:29 [Intel-wired-lan] [bug report] ixgbe: add XDP support for pass and drop actions Dan Carpenter
@ 2017-05-02 20:38 ` Duyck, Alexander H
2017-05-02 22:39 ` Dan Carpenter
0 siblings, 1 reply; 5+ messages in thread
From: Duyck, Alexander H @ 2017-05-02 20:38 UTC (permalink / raw)
To: intel-wired-lan
On Tue, 2017-05-02 at 22:29 +0300, Dan Carpenter wrote:
> Hello John Fastabend,
>
> The patch 924708081629: "ixgbe: add XDP support for pass and drop
> actions" from Apr 24, 2017, leads to the following static checker
> warning:
>
> drivers/net/ethernet/intel/ixgbe/ixgbe_main.c:2365 ixgbe_clean_rx_irq()
> error: 'skb' dereferencing possible ERR_PTR()
>
> drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
> 2326
> 2327 if (IS_ERR(skb)) {
> ^^^^^^^^^^
> Assume that this is true.
If this is true then ixgbe_cleanup_headers will also be true since
there is nothing that alters skb after the else statements in the check
below.
>
> 2328 if (PTR_ERR(skb) == -IXGBE_XDP_TX) {
> 2329 xdp_xmit = true;
> 2330 ixgbe_rx_buffer_flip(rx_ring, rx_buffer, size);
> 2331 } else {
> 2332 rx_buffer->pagecnt_bias++;
> 2333 }
> 2334 total_rx_packets++;
> 2335 total_rx_bytes += size;
> 2336 } else if (skb) {
> 2337 ixgbe_add_rx_frag(rx_ring, rx_buffer, skb, size);
> 2338 } else if (ring_uses_build_skb(rx_ring)) {
> 2339 skb = ixgbe_build_skb(rx_ring, rx_buffer,
> 2340 &xdp, rx_desc);
> 2341 } else {
> 2342 skb = ixgbe_construct_skb(rx_ring, rx_buffer,
> 2343 &xdp, rx_desc);
> 2344 }
> 2345
> 2346 /* exit if we failed to retrieve a buffer */
> 2347 if (!skb) {
> 2348 rx_ring->rx_stats.alloc_rx_buff_failed++;
> 2349 rx_buffer->pagecnt_bias++;
> 2350 break;
> 2351 }
> 2352
> 2353 ixgbe_put_rx_buffer(rx_ring, rx_buffer, skb);
> 2354 cleaned_count++;
> 2355
> 2356 /* place incomplete frames back on ring for completion */
> 2357 if (ixgbe_is_non_eop(rx_ring, rx_desc, skb))
> 2358 continue;
> 2359
> 2360 /* verify the packet layout is correct */
> 2361 if (ixgbe_cleanup_headers(rx_ring, rx_desc, skb))
> 2362 continue;
> 2363
> 2364 /* probably a little skewed due to removing CRC */
> 2365 total_rx_bytes += skb->len;
> ^^^^^^^^
> Then this is a potential Oops. Possibly some of the earlier uses are
> wrong. Or possibly we always hit a continue? It's either buggy or
> there should probably be a comment explaining what's going on...
This is after ixgbe_cleanup_headers. Take a look in the code there. If
the value IS_ERR(skb) evaluates to true then the function returns true
so you won't execute the code.
>
> 2366
> 2367 /* populate checksum, timestamp, VLAN, and protocol */
> 2368 ixgbe_process_skb_fields(rx_ring, rx_desc, skb);
>
> regards,
> dan carpenter
> _______________________________________________
> Intel-wired-lan mailing list
> Intel-wired-lan at lists.osuosl.org
> http://lists.osuosl.org/mailman/listinfo/intel-wired-lan
^ permalink raw reply [flat|nested] 5+ messages in thread
* [Intel-wired-lan] [bug report] ixgbe: add XDP support for pass and drop actions
2017-05-02 20:38 ` Duyck, Alexander H
@ 2017-05-02 22:39 ` Dan Carpenter
2017-05-02 22:44 ` Alexander Duyck
0 siblings, 1 reply; 5+ messages in thread
From: Dan Carpenter @ 2017-05-02 22:39 UTC (permalink / raw)
To: intel-wired-lan
On Tue, May 02, 2017 at 08:38:19PM +0000, Duyck, Alexander H wrote:
> On Tue, 2017-05-02 at 22:29 +0300, Dan Carpenter wrote:
> > Hello John Fastabend,
> >
> > The patch 924708081629: "ixgbe: add XDP support for pass and drop
> > actions" from Apr 24, 2017, leads to the following static checker
> > warning:
> >
> > drivers/net/ethernet/intel/ixgbe/ixgbe_main.c:2365 ixgbe_clean_rx_irq()
> > error: 'skb' dereferencing possible ERR_PTR()
> >
> > drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
> > 2326
> > 2327 if (IS_ERR(skb)) {
> > ^^^^^^^^^^
> > Assume that this is true.
>
> If this is true then ixgbe_cleanup_headers will also be true since
> there is nothing that alters skb after the else statements in the check
> below.
>
> >
> > 2328 if (PTR_ERR(skb) == -IXGBE_XDP_TX) {
> > 2329 xdp_xmit = true;
> > 2330 ixgbe_rx_buffer_flip(rx_ring, rx_buffer, size);
> > 2331 } else {
> > 2332 rx_buffer->pagecnt_bias++;
> > 2333 }
> > 2334 total_rx_packets++;
> > 2335 total_rx_bytes += size;
> > 2336 } else if (skb) {
> > 2337 ixgbe_add_rx_frag(rx_ring, rx_buffer, skb, size);
> > 2338 } else if (ring_uses_build_skb(rx_ring)) {
> > 2339 skb = ixgbe_build_skb(rx_ring, rx_buffer,
> > 2340 &xdp, rx_desc);
> > 2341 } else {
> > 2342 skb = ixgbe_construct_skb(rx_ring, rx_buffer,
> > 2343 &xdp, rx_desc);
> > 2344 }
> > 2345
> > 2346 /* exit if we failed to retrieve a buffer */
> > 2347 if (!skb) {
> > 2348 rx_ring->rx_stats.alloc_rx_buff_failed++;
> > 2349 rx_buffer->pagecnt_bias++;
> > 2350 break;
> > 2351 }
> > 2352
> > 2353 ixgbe_put_rx_buffer(rx_ring, rx_buffer, skb);
> > 2354 cleaned_count++;
> > 2355
> > 2356 /* place incomplete frames back on ring for completion */
> > 2357 if (ixgbe_is_non_eop(rx_ring, rx_desc, skb))
> > 2358 continue;
> > 2359
> > 2360 /* verify the packet layout is correct */
> > 2361 if (ixgbe_cleanup_headers(rx_ring, rx_desc, skb))
> > 2362 continue;
> > 2363
> > 2364 /* probably a little skewed due to removing CRC */
> > 2365 total_rx_bytes += skb->len;
> > ^^^^^^^^
> > Then this is a potential Oops. Possibly some of the earlier uses are
> > wrong. Or possibly we always hit a continue? It's either buggy or
> > there should probably be a comment explaining what's going on...
>
> This is after ixgbe_cleanup_headers. Take a look in the code there. If
> the value IS_ERR(skb) evaluates to true then the function returns true
> so you won't execute the code.
>
Ah. Right. I see that now. The problem is that my cross function
database wasn't totally in sync yet so it marked that first return as
impossible because we didn't use to pass error pointers there. (Or
because it got confused somewhere possibly).
There is still a dereference inside ixgbe_is_non_eop() so maybe we
should check for ixgbe_cleanup_headers() before checking
ixgbe_is_non_eop()? That code wasn't immediately obvious to me.
regards,
dan carpenter
^ permalink raw reply [flat|nested] 5+ messages in thread
* [Intel-wired-lan] [bug report] ixgbe: add XDP support for pass and drop actions
2017-05-02 22:39 ` Dan Carpenter
@ 2017-05-02 22:44 ` Alexander Duyck
2017-05-02 22:50 ` Dan Carpenter
0 siblings, 1 reply; 5+ messages in thread
From: Alexander Duyck @ 2017-05-02 22:44 UTC (permalink / raw)
To: intel-wired-lan
On Tue, May 2, 2017 at 3:39 PM, Dan Carpenter <dan.carpenter@oracle.com> wrote:
> On Tue, May 02, 2017 at 08:38:19PM +0000, Duyck, Alexander H wrote:
>> On Tue, 2017-05-02 at 22:29 +0300, Dan Carpenter wrote:
>> > Hello John Fastabend,
>> >
>> > The patch 924708081629: "ixgbe: add XDP support for pass and drop
>> > actions" from Apr 24, 2017, leads to the following static checker
>> > warning:
>> >
>> > drivers/net/ethernet/intel/ixgbe/ixgbe_main.c:2365 ixgbe_clean_rx_irq()
>> > error: 'skb' dereferencing possible ERR_PTR()
>> >
>> > drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
>> > 2326
>> > 2327 if (IS_ERR(skb)) {
>> > ^^^^^^^^^^
>> > Assume that this is true.
>>
>> If this is true then ixgbe_cleanup_headers will also be true since
>> there is nothing that alters skb after the else statements in the check
>> below.
>>
>> >
>> > 2328 if (PTR_ERR(skb) == -IXGBE_XDP_TX) {
>> > 2329 xdp_xmit = true;
>> > 2330 ixgbe_rx_buffer_flip(rx_ring, rx_buffer, size);
>> > 2331 } else {
>> > 2332 rx_buffer->pagecnt_bias++;
>> > 2333 }
>> > 2334 total_rx_packets++;
>> > 2335 total_rx_bytes += size;
>> > 2336 } else if (skb) {
>> > 2337 ixgbe_add_rx_frag(rx_ring, rx_buffer, skb, size);
>> > 2338 } else if (ring_uses_build_skb(rx_ring)) {
>> > 2339 skb = ixgbe_build_skb(rx_ring, rx_buffer,
>> > 2340 &xdp, rx_desc);
>> > 2341 } else {
>> > 2342 skb = ixgbe_construct_skb(rx_ring, rx_buffer,
>> > 2343 &xdp, rx_desc);
>> > 2344 }
>> > 2345
>> > 2346 /* exit if we failed to retrieve a buffer */
>> > 2347 if (!skb) {
>> > 2348 rx_ring->rx_stats.alloc_rx_buff_failed++;
>> > 2349 rx_buffer->pagecnt_bias++;
>> > 2350 break;
>> > 2351 }
>> > 2352
>> > 2353 ixgbe_put_rx_buffer(rx_ring, rx_buffer, skb);
>> > 2354 cleaned_count++;
>> > 2355
>> > 2356 /* place incomplete frames back on ring for completion */
>> > 2357 if (ixgbe_is_non_eop(rx_ring, rx_desc, skb))
>> > 2358 continue;
>> > 2359
>> > 2360 /* verify the packet layout is correct */
>> > 2361 if (ixgbe_cleanup_headers(rx_ring, rx_desc, skb))
>> > 2362 continue;
>> > 2363
>> > 2364 /* probably a little skewed due to removing CRC */
>> > 2365 total_rx_bytes += skb->len;
>> > ^^^^^^^^
>> > Then this is a potential Oops. Possibly some of the earlier uses are
>> > wrong. Or possibly we always hit a continue? It's either buggy or
>> > there should probably be a comment explaining what's going on...
>>
>> This is after ixgbe_cleanup_headers. Take a look in the code there. If
>> the value IS_ERR(skb) evaluates to true then the function returns true
>> so you won't execute the code.
>>
>
> Ah. Right. I see that now. The problem is that my cross function
> database wasn't totally in sync yet so it marked that first return as
> impossible because we didn't use to pass error pointers there. (Or
> because it got confused somewhere possibly).
>
> There is still a dereference inside ixgbe_is_non_eop() so maybe we
> should check for ixgbe_cleanup_headers() before checking
> ixgbe_is_non_eop()? That code wasn't immediately obvious to me.
The IS_ERR value should only be used if XDP is enabled, which requires
that LRO/RSC be disabled. As such we should not be able to get into
the dereference path with the IS_ERR result.
- Alex
^ permalink raw reply [flat|nested] 5+ messages in thread
* [Intel-wired-lan] [bug report] ixgbe: add XDP support for pass and drop actions
2017-05-02 22:44 ` Alexander Duyck
@ 2017-05-02 22:50 ` Dan Carpenter
0 siblings, 0 replies; 5+ messages in thread
From: Dan Carpenter @ 2017-05-02 22:50 UTC (permalink / raw)
To: intel-wired-lan
Ok. Thanks. That is hella subtle, though... Anyway, my DB will be
synced when I re-run Smatch so I'll never see the warning message again.
regards,
dan carpenter
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2017-05-02 22:50 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2017-05-02 19:29 [Intel-wired-lan] [bug report] ixgbe: add XDP support for pass and drop actions Dan Carpenter
2017-05-02 20:38 ` Duyck, Alexander H
2017-05-02 22:39 ` Dan Carpenter
2017-05-02 22:44 ` Alexander Duyck
2017-05-02 22:50 ` Dan Carpenter
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.