From: Andre Przywara <andre.przywara@arm.com>
To: "David S . Miller" <davem@davemloft.net>,
Radhey Shyam Pandey <radhey.shyam.pandey@xilinx.com>
Cc: Michal Simek <michal.simek@xilinx.com>,
Robert Hancock <hancock@sedsystems.ca>,
netdev@vger.kernel.org, linux-arm-kernel@lists.infradead.org,
linux-kernel@vger.kernel.org
Subject: [PATCH 03/14] net: axienet: Fix DMA descriptor cleanup path
Date: Fri, 10 Jan 2020 11:54:04 +0000 [thread overview]
Message-ID: <20200110115415.75683-4-andre.przywara@arm.com> (raw)
In-Reply-To: <20200110115415.75683-1-andre.przywara@arm.com>
When axienet_dma_bd_init() bails out during the initialisation process,
it might do so with parts of the structure already allocated and
initialised, while other parts have not been touched yet. Before
returning in this case, we call axienet_dma_bd_release(), which does not
take care of this corner case.
This is most obvious by the first loop happily dereferencing
lp->rx_bd_v, which we actually check to be non NULL *afterwards*.
Make sure we only unmap or free already allocated structures, by:
- directly returning with -ENOMEM if nothing has been allocated at all
- checking for lp->rx_bd_v to be non-NULL *before* using it
- only unmapping allocated DMA RX regions
This avoids NULL pointer dereferences when initialisation fails.
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
---
.../net/ethernet/xilinx/xilinx_axienet_main.c | 43 ++++++++++++-------
1 file changed, 28 insertions(+), 15 deletions(-)
diff --git a/drivers/net/ethernet/xilinx/xilinx_axienet_main.c b/drivers/net/ethernet/xilinx/xilinx_axienet_main.c
index 97482cf093ce..7e90044cf2d9 100644
--- a/drivers/net/ethernet/xilinx/xilinx_axienet_main.c
+++ b/drivers/net/ethernet/xilinx/xilinx_axienet_main.c
@@ -160,24 +160,37 @@ static void axienet_dma_bd_release(struct net_device *ndev)
int i;
struct axienet_local *lp = netdev_priv(ndev);
+ /* If we end up here, tx_bd_v must have been DMA allocated. */
+ dma_free_coherent(ndev->dev.parent,
+ sizeof(*lp->tx_bd_v) * lp->tx_bd_num,
+ lp->tx_bd_v,
+ lp->tx_bd_p);
+
+ if (!lp->rx_bd_v)
+ return;
+
for (i = 0; i < lp->rx_bd_num; i++) {
- dma_unmap_single(ndev->dev.parent, lp->rx_bd_v[i].phys,
- lp->max_frm_size, DMA_FROM_DEVICE);
+ /* A NULL skb means this descriptor has not been initialised
+ * at all.
+ */
+ if (!lp->rx_bd_v[i].skb)
+ break;
+
dev_kfree_skb(lp->rx_bd_v[i].skb);
- }
- if (lp->rx_bd_v) {
- dma_free_coherent(ndev->dev.parent,
- sizeof(*lp->rx_bd_v) * lp->rx_bd_num,
- lp->rx_bd_v,
- lp->rx_bd_p);
- }
- if (lp->tx_bd_v) {
- dma_free_coherent(ndev->dev.parent,
- sizeof(*lp->tx_bd_v) * lp->tx_bd_num,
- lp->tx_bd_v,
- lp->tx_bd_p);
+ /* For each descriptor, we programmed cntrl with the (non-zero)
+ * descriptor size, after it had been successfully allocated.
+ * So a non-zero value in there means we need to unmap it.
+ */
+ if (lp->rx_bd_v[i].cntrl)
+ dma_unmap_single(ndev->dev.parent, lp->rx_bd_v[i].phys,
+ lp->max_frm_size, DMA_FROM_DEVICE);
}
+
+ dma_free_coherent(ndev->dev.parent,
+ sizeof(*lp->rx_bd_v) * lp->rx_bd_num,
+ lp->rx_bd_v,
+ lp->rx_bd_p);
}
/**
@@ -207,7 +220,7 @@ static int axienet_dma_bd_init(struct net_device *ndev)
sizeof(*lp->tx_bd_v) * lp->tx_bd_num,
&lp->tx_bd_p, GFP_KERNEL);
if (!lp->tx_bd_v)
- goto out;
+ return -ENOMEM;
lp->rx_bd_v = dma_alloc_coherent(ndev->dev.parent,
sizeof(*lp->rx_bd_v) * lp->rx_bd_num,
--
2.17.1
WARNING: multiple messages have this Message-ID (diff)
From: Andre Przywara <andre.przywara@arm.com>
To: "David S . Miller" <davem@davemloft.net>,
Radhey Shyam Pandey <radhey.shyam.pandey@xilinx.com>
Cc: Robert Hancock <hancock@sedsystems.ca>,
netdev@vger.kernel.org, Michal Simek <michal.simek@xilinx.com>,
linux-arm-kernel@lists.infradead.org,
linux-kernel@vger.kernel.org
Subject: [PATCH 03/14] net: axienet: Fix DMA descriptor cleanup path
Date: Fri, 10 Jan 2020 11:54:04 +0000 [thread overview]
Message-ID: <20200110115415.75683-4-andre.przywara@arm.com> (raw)
In-Reply-To: <20200110115415.75683-1-andre.przywara@arm.com>
When axienet_dma_bd_init() bails out during the initialisation process,
it might do so with parts of the structure already allocated and
initialised, while other parts have not been touched yet. Before
returning in this case, we call axienet_dma_bd_release(), which does not
take care of this corner case.
This is most obvious by the first loop happily dereferencing
lp->rx_bd_v, which we actually check to be non NULL *afterwards*.
Make sure we only unmap or free already allocated structures, by:
- directly returning with -ENOMEM if nothing has been allocated at all
- checking for lp->rx_bd_v to be non-NULL *before* using it
- only unmapping allocated DMA RX regions
This avoids NULL pointer dereferences when initialisation fails.
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
---
.../net/ethernet/xilinx/xilinx_axienet_main.c | 43 ++++++++++++-------
1 file changed, 28 insertions(+), 15 deletions(-)
diff --git a/drivers/net/ethernet/xilinx/xilinx_axienet_main.c b/drivers/net/ethernet/xilinx/xilinx_axienet_main.c
index 97482cf093ce..7e90044cf2d9 100644
--- a/drivers/net/ethernet/xilinx/xilinx_axienet_main.c
+++ b/drivers/net/ethernet/xilinx/xilinx_axienet_main.c
@@ -160,24 +160,37 @@ static void axienet_dma_bd_release(struct net_device *ndev)
int i;
struct axienet_local *lp = netdev_priv(ndev);
+ /* If we end up here, tx_bd_v must have been DMA allocated. */
+ dma_free_coherent(ndev->dev.parent,
+ sizeof(*lp->tx_bd_v) * lp->tx_bd_num,
+ lp->tx_bd_v,
+ lp->tx_bd_p);
+
+ if (!lp->rx_bd_v)
+ return;
+
for (i = 0; i < lp->rx_bd_num; i++) {
- dma_unmap_single(ndev->dev.parent, lp->rx_bd_v[i].phys,
- lp->max_frm_size, DMA_FROM_DEVICE);
+ /* A NULL skb means this descriptor has not been initialised
+ * at all.
+ */
+ if (!lp->rx_bd_v[i].skb)
+ break;
+
dev_kfree_skb(lp->rx_bd_v[i].skb);
- }
- if (lp->rx_bd_v) {
- dma_free_coherent(ndev->dev.parent,
- sizeof(*lp->rx_bd_v) * lp->rx_bd_num,
- lp->rx_bd_v,
- lp->rx_bd_p);
- }
- if (lp->tx_bd_v) {
- dma_free_coherent(ndev->dev.parent,
- sizeof(*lp->tx_bd_v) * lp->tx_bd_num,
- lp->tx_bd_v,
- lp->tx_bd_p);
+ /* For each descriptor, we programmed cntrl with the (non-zero)
+ * descriptor size, after it had been successfully allocated.
+ * So a non-zero value in there means we need to unmap it.
+ */
+ if (lp->rx_bd_v[i].cntrl)
+ dma_unmap_single(ndev->dev.parent, lp->rx_bd_v[i].phys,
+ lp->max_frm_size, DMA_FROM_DEVICE);
}
+
+ dma_free_coherent(ndev->dev.parent,
+ sizeof(*lp->rx_bd_v) * lp->rx_bd_num,
+ lp->rx_bd_v,
+ lp->rx_bd_p);
}
/**
@@ -207,7 +220,7 @@ static int axienet_dma_bd_init(struct net_device *ndev)
sizeof(*lp->tx_bd_v) * lp->tx_bd_num,
&lp->tx_bd_p, GFP_KERNEL);
if (!lp->tx_bd_v)
- goto out;
+ return -ENOMEM;
lp->rx_bd_v = dma_alloc_coherent(ndev->dev.parent,
sizeof(*lp->rx_bd_v) * lp->rx_bd_num,
--
2.17.1
_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
next prev parent reply other threads:[~2020-01-10 11:54 UTC|newest]
Thread overview: 130+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-01-10 11:54 [PATCH 00/14] net: axienet: Error handling, SGMII and 64-bit DMA fixes Andre Przywara
2020-01-10 11:54 ` Andre Przywara
2020-01-10 11:54 ` [PATCH 01/14] net: xilinx: temac: Relax Kconfig dependencies Andre Przywara
2020-01-10 11:54 ` Andre Przywara
2020-01-10 14:19 ` Radhey Shyam Pandey
2020-01-10 14:19 ` Radhey Shyam Pandey
2020-01-10 11:54 ` [PATCH 02/14] net: axienet: Propagate failure of DMA descriptor setup Andre Przywara
2020-01-10 11:54 ` Andre Przywara
2020-01-10 14:54 ` Radhey Shyam Pandey
2020-01-10 14:54 ` Radhey Shyam Pandey
2020-01-10 17:53 ` Radhey Shyam Pandey
2020-01-10 17:53 ` Radhey Shyam Pandey
2020-01-10 11:54 ` Andre Przywara [this message]
2020-01-10 11:54 ` [PATCH 03/14] net: axienet: Fix DMA descriptor cleanup path Andre Przywara
2020-01-10 15:14 ` Radhey Shyam Pandey
2020-01-10 15:14 ` Radhey Shyam Pandey
2020-01-10 15:43 ` Andre Przywara
2020-01-10 15:43 ` Andre Przywara
2020-01-10 17:05 ` Radhey Shyam Pandey
2020-01-10 17:05 ` Radhey Shyam Pandey
2020-01-16 18:03 ` Andre Przywara
2020-01-16 18:03 ` Andre Przywara
2020-01-20 18:32 ` Radhey Shyam Pandey
2020-01-20 18:32 ` Radhey Shyam Pandey
2020-01-10 11:54 ` [PATCH 04/14] net: axienet: Improve DMA error handling Andre Przywara
2020-01-10 11:54 ` Andre Przywara
2020-01-10 15:26 ` Radhey Shyam Pandey
2020-01-10 15:26 ` Radhey Shyam Pandey
2020-01-10 11:54 ` [PATCH 05/14] net: axienet: Factor out TX descriptor chain cleanup Andre Przywara
2020-01-10 11:54 ` Andre Przywara
2020-01-10 18:04 ` Radhey Shyam Pandey
2020-01-10 18:04 ` Radhey Shyam Pandey
2020-01-10 11:54 ` [PATCH 06/14] net: axienet: Check for DMA mapping errors Andre Przywara
2020-01-10 11:54 ` Andre Przywara
2020-01-13 5:54 ` Radhey Shyam Pandey
2020-01-13 5:54 ` Radhey Shyam Pandey
2020-01-10 11:54 ` [PATCH 07/14] net: axienet: Fix SGMII support Andre Przywara
2020-01-10 11:54 ` Andre Przywara
2020-01-10 14:04 ` Andrew Lunn
2020-01-10 14:04 ` Andrew Lunn
2020-01-10 14:20 ` Andre Przywara
2020-01-10 14:20 ` Andre Przywara
2020-01-10 14:26 ` Andrew Lunn
2020-01-10 14:26 ` Andrew Lunn
2020-01-10 15:04 ` Russell King - ARM Linux admin
2020-01-10 15:04 ` Russell King - ARM Linux admin
2020-01-10 15:22 ` Russell King - ARM Linux admin
2020-01-10 15:22 ` Russell King - ARM Linux admin
2020-01-10 17:04 ` Russell King - ARM Linux admin
2020-01-10 17:04 ` Russell King - ARM Linux admin
2020-01-18 11:22 ` Russell King - ARM Linux admin
2020-01-18 11:22 ` Russell King - ARM Linux admin
2020-01-20 14:50 ` Andre Przywara
2020-01-20 14:50 ` Andre Przywara
2020-01-20 15:45 ` Russell King - ARM Linux admin
2020-01-20 15:45 ` Russell King - ARM Linux admin
2020-01-27 17:04 ` Andre Przywara
2020-01-27 17:04 ` Andre Przywara
2020-01-27 17:20 ` Radhey Shyam Pandey
2020-01-27 17:20 ` Radhey Shyam Pandey
2020-01-27 18:53 ` Russell King - ARM Linux admin
2020-01-27 18:53 ` Russell King - ARM Linux admin
2020-04-22 1:45 ` Xilinx axienet 1000BaseX support (was: Re: [PATCH 07/14] net: axienet: Fix SGMII support) Robert Hancock
2020-04-22 1:45 ` Robert Hancock
2020-04-22 7:51 ` Russell King - ARM Linux admin
2020-04-22 7:51 ` Russell King - ARM Linux admin
2020-04-22 16:31 ` Xilinx axienet 1000BaseX support Robert Hancock
2020-04-22 16:31 ` Robert Hancock
2020-04-28 21:59 ` Robert Hancock
2020-04-28 21:59 ` Robert Hancock
2020-04-28 23:01 ` Russell King - ARM Linux admin
2020-04-28 23:01 ` Russell King - ARM Linux admin
2020-04-28 23:51 ` Robert Hancock
2020-04-28 23:51 ` Robert Hancock
2020-04-29 8:21 ` Russell King - ARM Linux admin
2020-04-29 8:21 ` Russell King - ARM Linux admin
2020-01-10 14:58 ` [PATCH 07/14] net: axienet: Fix SGMII support Russell King - ARM Linux admin
2020-01-10 14:58 ` Russell King - ARM Linux admin
2020-01-10 17:32 ` Andre Przywara
2020-01-10 17:32 ` Andre Przywara
2020-01-10 18:05 ` Russell King - ARM Linux admin
2020-01-10 18:05 ` Russell King - ARM Linux admin
2020-01-10 19:33 ` Andrew Lunn
2020-01-10 19:33 ` Andrew Lunn
2020-01-10 11:54 ` [PATCH 08/14] net: axienet: Drop MDIO interrupt registers from ethtools dump Andre Przywara
2020-01-10 11:54 ` Andre Przywara
2020-01-13 6:02 ` Radhey Shyam Pandey
2020-01-13 6:02 ` Radhey Shyam Pandey
2020-01-10 11:54 ` [PATCH 09/14] net: axienet: Add mii-tool support Andre Przywara
2020-01-10 11:54 ` Andre Przywara
2020-01-13 6:12 ` Radhey Shyam Pandey
2020-01-13 6:12 ` Radhey Shyam Pandey
2020-03-12 11:41 ` Andre Przywara
2020-03-12 11:41 ` Andre Przywara
2020-01-10 11:54 ` [PATCH 10/14] net: axienet: Wrap DMA pointer writes to prepare for 64 bit Andre Przywara
2020-01-10 11:54 ` Andre Przywara
2020-01-10 11:54 ` [PATCH 11/14] net: axienet: Upgrade descriptors to hold 64-bit addresses Andre Przywara
2020-01-10 11:54 ` Andre Przywara
2020-01-14 16:35 ` Radhey Shyam Pandey
2020-01-14 16:35 ` Radhey Shyam Pandey
2020-01-14 17:29 ` Andre Przywara
2020-01-14 17:29 ` Andre Przywara
2020-01-10 11:54 ` [PATCH 12/14] net: axienet: Autodetect 64-bit DMA capability Andre Przywara
2020-01-10 11:54 ` Andre Przywara
2020-01-10 14:08 ` Andrew Lunn
2020-01-10 14:08 ` Andrew Lunn
2020-01-10 14:13 ` Andre Przywara
2020-01-10 14:13 ` Andre Przywara
2020-01-10 14:22 ` Andrew Lunn
2020-01-10 14:22 ` Andrew Lunn
2020-01-10 15:08 ` Andre Przywara
2020-01-10 15:08 ` Andre Przywara
2020-01-10 15:22 ` Andrew Lunn
2020-01-10 15:22 ` Andrew Lunn
2020-01-14 17:03 ` Radhey Shyam Pandey
2020-01-14 17:03 ` Radhey Shyam Pandey
2020-01-14 17:41 ` Andre Przywara
2020-01-14 17:41 ` Andre Przywara
2020-01-15 6:02 ` Radhey Shyam Pandey
2020-01-15 6:02 ` Radhey Shyam Pandey
2020-01-10 11:54 ` [PATCH 13/14] net: axienet: Allow DMA to beyond 4GB Andre Przywara
2020-01-10 11:54 ` Andre Przywara
2020-01-10 11:54 ` [PATCH 14/14] net: axienet: Update devicetree binding documentation Andre Przywara
2020-01-10 11:54 ` Andre Przywara
2020-01-21 21:51 ` Rob Herring
2020-01-21 21:51 ` Rob Herring
2020-01-24 16:29 ` Andre Przywara
2020-01-24 16:29 ` Andre Przywara
2020-01-27 9:28 ` Radhey Shyam Pandey
2020-01-27 9:28 ` Radhey Shyam Pandey
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200110115415.75683-4-andre.przywara@arm.com \
--to=andre.przywara@arm.com \
--cc=davem@davemloft.net \
--cc=hancock@sedsystems.ca \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=michal.simek@xilinx.com \
--cc=netdev@vger.kernel.org \
--cc=radhey.shyam.pandey@xilinx.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.