[PATCH net 0/2] net: ipa: fix page free in two spots

[PATCH net 0/2] net: ipa: fix page free in two spots

[Alex Elder]

When a receive buffer is not wrapped in an SKB and passed to the
network stack, the (compound) page gets freed within the IPA driver.
This is currently quite rare.

The pages are freed using __free_pages(), but they should instead be
freed using page_put().  This series fixes this, in two spots.

These patches work for Linux v5.18-rc7 and v5.17.y, but won't apply
cleanly to earlier stable branches.  (Nevertheless, the fix is
trivial.)

					-Alex

Alex Elder (2):
  net: ipa: fix page free in ipa_endpoint_trans_release()
  net: ipa: fix page free in ipa_endpoint_replenish_one()

 drivers/net/ipa/ipa_endpoint.c | 9 +++------
 1 file changed, 3 insertions(+), 6 deletions(-)

-- 
2.32.0

[PATCH net 1/2] net: ipa: fix page free in ipa_endpoint_trans_release()

[Alex Elder]

Currently the (possibly compound) page used for receive buffers are
freed using __free_pages().  But according to this comment above the
definition of that function, that's wrong:
    If you want to use the page's reference count to decide when
    to free the allocation, you should allocate a compound page,
    and use put_page() instead of __free_pages().

Convert the call to __free_pages() in ipa_endpoint_trans_release()
to use put_page() instead.

Fixes: ed23f02680caa ("net: ipa: define per-endpoint receive buffer size")
Signed-off-by: Alex Elder <elder@linaro.org>
---
 drivers/net/ipa/ipa_endpoint.c | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

diff --git a/drivers/net/ipa/ipa_endpoint.c b/drivers/net/ipa/ipa_endpoint.c
index 0f489723689c5..675b7135644b8 100644
--- a/drivers/net/ipa/ipa_endpoint.c
+++ b/drivers/net/ipa/ipa_endpoint.c
@@ -1385,11 +1385,8 @@ void ipa_endpoint_trans_release(struct ipa_endpoint *endpoint,
 	} else {
 		struct page *page = trans->data;
 
-		if (page) {
-			u32 buffer_size = endpoint->config.rx.buffer_size;
-
-			__free_pages(page, get_order(buffer_size));
-		}
+		if (page)
+			put_page(page);
 	}
 }
 
-- 
2.32.0

[PATCH net 2/2] net: ipa: fix page free in ipa_endpoint_replenish_one()

[Alex Elder]

Currently the (possibly compound) pages used for receive buffers are
freed using __free_pages().  But according to this comment above the
definition of that function, that's wrong:
    If you want to use the page's reference count to decide
    when to free the allocation, you should allocate a compound
    page, and use put_page() instead of __free_pages().

Convert the call to __free_pages() in ipa_endpoint_replenish_one()
to use put_page() instead.

Fixes: 6a606b90153b8 ("net: ipa: allocate transaction in replenish loop")
Signed-off-by: Alex Elder <elder@linaro.org>
---
 drivers/net/ipa/ipa_endpoint.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/ipa/ipa_endpoint.c b/drivers/net/ipa/ipa_endpoint.c
index 675b7135644b8..dac4845cf596c 100644
--- a/drivers/net/ipa/ipa_endpoint.c
+++ b/drivers/net/ipa/ipa_endpoint.c
@@ -1062,7 +1062,7 @@ static int ipa_endpoint_replenish_one(struct ipa_endpoint *endpoint,
 
 	ret = gsi_trans_page_add(trans, page, len, offset);
 	if (ret)
-		__free_pages(page, get_order(buffer_size));
+		put_page(page);
 	else
 		trans->data = page;	/* transaction owns page now */
 
-- 
2.32.0

Re: [PATCH net 0/2] net: ipa: fix page free in two spots

[Alex Elder]

On 5/21/22 7:59 PM, Alex Elder wrote:
> When a receive buffer is not wrapped in an SKB and passed to the
> network stack, the (compound) page gets freed within the IPA driver.
> This is currently quite rare.
> 
> The pages are freed using __free_pages(), but they should instead be
> freed using page_put().  This series fixes this, in two spots.
> 
> These patches work for Linux v5.18-rc7 and v5.17.y, but won't apply
> cleanly to earlier stable branches.  (Nevertheless, the fix is
> trivial.)
> 
> 					-Alex

I accidentally based this on net-next/master rather than net/master.
Sorry about that.  I'll send version 2 in a few days.

					-Alex

> Alex Elder (2):
>    net: ipa: fix page free in ipa_endpoint_trans_release()
>    net: ipa: fix page free in ipa_endpoint_replenish_one()
> 
>   drivers/net/ipa/ipa_endpoint.c | 9 +++------
>   1 file changed, 3 insertions(+), 6 deletions(-)
> 

Re: [PATCH net 0/2] net: ipa: fix page free in two spots

[David Miller]

From: Alex Elder <elder@linaro.org>
Date: Sat, 21 May 2022 19:59:57 -0500

> When a receive buffer is not wrapped in an SKB and passed to the
> network stack, the (compound) page gets freed within the IPA driver.
> This is currently quite rare.
> 
> The pages are freed using __free_pages(), but they should instead be
> freed using page_put().  This series fixes this, in two spots.
> 
> These patches work for Linux v5.18-rc7 and v5.17.y, but won't apply
> cleanly to earlier stable branches.  (Nevertheless, the fix is
> trivial.)

This does not apply to the current net tree, please respin.

Thank you.