Netdev Archive on lore.kernel.org
 help / color / Atom feed
* [PATCH net 0/3] net: hns3: fixes for -net
@ 2019-12-03  3:08 Huazhong Tan
  2019-12-03  3:08 ` [PATCH net 1/3] net: hns3: fix for TX queue not restarted problem Huazhong Tan
                   ` (2 more replies)
  0 siblings, 3 replies; 12+ messages in thread
From: Huazhong Tan @ 2019-12-03  3:08 UTC (permalink / raw)
  To: davem
  Cc: netdev, linux-kernel, salil.mehta, yisen.zhuang, linuxarm,
	jakub.kicinski, Huazhong Tan

This series includes misc fixes for the HNS3 ethernet driver.

[patch 1/3] fixes a TX queue not restarted problem.

[patch 2/3] fixes a use-after-free issue.

[patch 3/3] fixes a VF ID issue for setting VF VLAN.


Jian Shen (1):
  net: hns3: fix VF ID issue for setting VF VLAN

Yunsheng Lin (2):
  net: hns3: fix for TX queue not restarted problem
  net: hns3: fix a use after free problem in hns3_nic_maybe_stop_tx()

 drivers/net/ethernet/hisilicon/hns3/hns3_enet.c    | 53 ++++++++++++----------
 .../ethernet/hisilicon/hns3/hns3pf/hclge_main.c    | 18 +++-----
 2 files changed, 34 insertions(+), 37 deletions(-)

-- 
2.7.4


^ permalink raw reply	[flat|nested] 12+ messages in thread

* [PATCH net 1/3] net: hns3: fix for TX queue not restarted problem
  2019-12-03  3:08 [PATCH net 0/3] net: hns3: fixes for -net Huazhong Tan
@ 2019-12-03  3:08 ` Huazhong Tan
  2019-12-03  3:25   ` David Miller
  2019-12-03  3:08 ` [PATCH net 2/3] net: hns3: fix a use after free problem in hns3_nic_maybe_stop_tx() Huazhong Tan
  2019-12-03  3:08 ` [PATCH net 3/3] net: hns3: fix VF ID issue for setting VF VLAN Huazhong Tan
  2 siblings, 1 reply; 12+ messages in thread
From: Huazhong Tan @ 2019-12-03  3:08 UTC (permalink / raw)
  To: davem
  Cc: netdev, linux-kernel, salil.mehta, yisen.zhuang, linuxarm,
	jakub.kicinski, Yunsheng Lin, Huazhong Tan

From: Yunsheng Lin <linyunsheng@huawei.com>

There is timing window between ring_space checking and
netif_stop_subqueue when transmiting a SKB, and the TX BD
cleaning may be executed during the time window, which may
caused TX queue not restarted problem.

This patch fixes it by rechecking the ring_space after
netif_stop_subqueue to make sure TX queue is restarted.

Also, the ring->next_to_clean is updated even when pkts is
zero, because all the TX BD cleaned may be non-SKB, so it
needs to check if TX queue need to be restarted.

Fixes: 76ad4f0ee747 ("net: hns3: Add support of HNS3 Ethernet Driver for hip08 SoC")
Signed-off-by: Yunsheng Lin <linyunsheng@huawei.com>
Signed-off-by: Huazhong Tan <tanhuazhong@huawei.com>
---
 drivers/net/ethernet/hisilicon/hns3/hns3_enet.c | 36 ++++++++++++++++---------
 1 file changed, 23 insertions(+), 13 deletions(-)

diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
index ba05368..b2bb8e2 100644
--- a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
+++ b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
@@ -1286,13 +1286,16 @@ static bool hns3_skb_need_linearized(struct sk_buff *skb, unsigned int *bd_size,
 	return false;
 }
 
-static int hns3_nic_maybe_stop_tx(struct hns3_enet_ring *ring,
+static int hns3_nic_maybe_stop_tx(struct net_device *netdev,
 				  struct sk_buff **out_skb)
 {
+	struct hns3_nic_priv *priv = netdev_priv(netdev);
 	unsigned int bd_size[HNS3_MAX_TSO_BD_NUM + 1U];
 	struct sk_buff *skb = *out_skb;
+	struct hns3_enet_ring *ring;
 	unsigned int bd_num;
 
+	ring = &priv->ring[skb->queue_mapping];
 	bd_num = hns3_tx_bd_num(skb, bd_size);
 	if (unlikely(bd_num > HNS3_MAX_NON_TSO_BD_NUM)) {
 		struct sk_buff *new_skb;
@@ -1320,10 +1323,23 @@ static int hns3_nic_maybe_stop_tx(struct hns3_enet_ring *ring,
 	}
 
 out:
-	if (unlikely(ring_space(ring) < bd_num))
-		return -EBUSY;
+	if (likely(ring_space(ring) >= bd_num))
+		return bd_num;
 
-	return bd_num;
+	netif_stop_subqueue(netdev, ring->queue_index);
+	smp_mb(); /* Memory barrier before checking ring_space */
+
+	/* Start queue in case hns3_clean_tx_ring has just made room
+	 * available and has not seen the queue stopped state performed
+	 * by netif_stop_subqueue above.
+	 */
+	if (ring_space(ring) >= bd_num && netif_carrier_ok(netdev) &&
+	    !test_bit(HNS3_NIC_STATE_DOWN, &priv->state)) {
+		netif_start_subqueue(netdev, ring->queue_index);
+		return bd_num;
+	}
+
+	return -EBUSY;
 }
 
 static void hns3_clear_desc(struct hns3_enet_ring *ring, int next_to_use_orig)
@@ -1400,13 +1416,13 @@ netdev_tx_t hns3_nic_net_xmit(struct sk_buff *skb, struct net_device *netdev)
 	/* Prefetch the data used later */
 	prefetch(skb->data);
 
-	ret = hns3_nic_maybe_stop_tx(ring, &skb);
+	ret = hns3_nic_maybe_stop_tx(netdev, &skb);
 	if (unlikely(ret <= 0)) {
 		if (ret == -EBUSY) {
 			u64_stats_update_begin(&ring->syncp);
 			ring->stats.tx_busy++;
 			u64_stats_update_end(&ring->syncp);
-			goto out_net_tx_busy;
+			return NETDEV_TX_BUSY;
 		} else if (ret == -ENOMEM) {
 			u64_stats_update_begin(&ring->syncp);
 			ring->stats.sw_err_cnt++;
@@ -1457,12 +1473,6 @@ netdev_tx_t hns3_nic_net_xmit(struct sk_buff *skb, struct net_device *netdev)
 out_err_tx_ok:
 	dev_kfree_skb_any(skb);
 	return NETDEV_TX_OK;
-
-out_net_tx_busy:
-	netif_stop_subqueue(netdev, ring->queue_index);
-	smp_mb(); /* Commit all data before submit */
-
-	return NETDEV_TX_BUSY;
 }
 
 static int hns3_nic_net_set_mac_address(struct net_device *netdev, void *p)
@@ -2519,7 +2529,7 @@ void hns3_clean_tx_ring(struct hns3_enet_ring *ring)
 	dev_queue = netdev_get_tx_queue(netdev, ring->tqp->tqp_index);
 	netdev_tx_completed_queue(dev_queue, pkts, bytes);
 
-	if (unlikely(pkts && netif_carrier_ok(netdev) &&
+	if (unlikely(netif_carrier_ok(netdev) &&
 		     ring_space(ring) > HNS3_MAX_TSO_BD_NUM)) {
 		/* Make sure that anybody stopping the queue after this
 		 * sees the new next_to_clean.
-- 
2.7.4


^ permalink raw reply	[flat|nested] 12+ messages in thread

* [PATCH net 2/3] net: hns3: fix a use after free problem in hns3_nic_maybe_stop_tx()
  2019-12-03  3:08 [PATCH net 0/3] net: hns3: fixes for -net Huazhong Tan
  2019-12-03  3:08 ` [PATCH net 1/3] net: hns3: fix for TX queue not restarted problem Huazhong Tan
@ 2019-12-03  3:08 ` Huazhong Tan
  2019-12-03  3:28   ` David Miller
  2019-12-03  3:08 ` [PATCH net 3/3] net: hns3: fix VF ID issue for setting VF VLAN Huazhong Tan
  2 siblings, 1 reply; 12+ messages in thread
From: Huazhong Tan @ 2019-12-03  3:08 UTC (permalink / raw)
  To: davem
  Cc: netdev, linux-kernel, salil.mehta, yisen.zhuang, linuxarm,
	jakub.kicinski, Yunsheng Lin, Huazhong Tan

From: Yunsheng Lin <linyunsheng@huawei.com>

Currently, hns3_nic_maybe_stop_tx() uses skb_copy() to linearize a
SKB if the BD num required by the SKB does not meet the hardware
limitation, and it linearizes the SKB by allocating a new SKB and
freeing the old SKB, if hns3_nic_maybe_stop_tx() returns -EBUSY,
the sch_direct_xmit() still hold reference to old SKB and try to
retransmit the old SKB when dev_hard_start_xmit() return TX_BUSY,
which may cause use after freed problem.

This patch fixes it by using __skb_linearize() to linearize the
SKB in hns3_nic_maybe_stop_tx().

Fixes: 51e8439f3496 ("net: hns3: add 8 BD limit for tx flow")
Signed-off-by: Yunsheng Lin <linyunsheng@huawei.com>
Signed-off-by: Huazhong Tan <tanhuazhong@huawei.com>
---
 drivers/net/ethernet/hisilicon/hns3/hns3_enet.c | 19 ++++++-------------
 1 file changed, 6 insertions(+), 13 deletions(-)

diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
index b2bb8e2..cbdb688 100644
--- a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
+++ b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
@@ -1287,33 +1287,26 @@ static bool hns3_skb_need_linearized(struct sk_buff *skb, unsigned int *bd_size,
 }
 
 static int hns3_nic_maybe_stop_tx(struct net_device *netdev,
-				  struct sk_buff **out_skb)
+				  struct sk_buff *skb)
 {
 	struct hns3_nic_priv *priv = netdev_priv(netdev);
 	unsigned int bd_size[HNS3_MAX_TSO_BD_NUM + 1U];
-	struct sk_buff *skb = *out_skb;
 	struct hns3_enet_ring *ring;
 	unsigned int bd_num;
 
 	ring = &priv->ring[skb->queue_mapping];
 	bd_num = hns3_tx_bd_num(skb, bd_size);
 	if (unlikely(bd_num > HNS3_MAX_NON_TSO_BD_NUM)) {
-		struct sk_buff *new_skb;
 
 		if (bd_num <= HNS3_MAX_TSO_BD_NUM && skb_is_gso(skb) &&
 		    !hns3_skb_need_linearized(skb, bd_size, bd_num))
 			goto out;
 
-		/* manual split the send packet */
-		new_skb = skb_copy(skb, GFP_ATOMIC);
-		if (!new_skb)
+		if (__skb_linearize(skb))
 			return -ENOMEM;
-		dev_kfree_skb_any(skb);
-		*out_skb = new_skb;
-
-		bd_num = hns3_tx_bd_count(new_skb->len);
-		if ((skb_is_gso(new_skb) && bd_num > HNS3_MAX_TSO_BD_NUM) ||
-		    (!skb_is_gso(new_skb) &&
+		bd_num = hns3_tx_bd_count(skb->len);
+		if ((skb_is_gso(skb) && bd_num > HNS3_MAX_TSO_BD_NUM) ||
+		    (!skb_is_gso(skb) &&
 		     bd_num > HNS3_MAX_NON_TSO_BD_NUM))
 			return -ENOMEM;
 
@@ -1416,7 +1409,7 @@ netdev_tx_t hns3_nic_net_xmit(struct sk_buff *skb, struct net_device *netdev)
 	/* Prefetch the data used later */
 	prefetch(skb->data);
 
-	ret = hns3_nic_maybe_stop_tx(netdev, &skb);
+	ret = hns3_nic_maybe_stop_tx(netdev, skb);
 	if (unlikely(ret <= 0)) {
 		if (ret == -EBUSY) {
 			u64_stats_update_begin(&ring->syncp);
-- 
2.7.4


^ permalink raw reply	[flat|nested] 12+ messages in thread

* [PATCH net 3/3] net: hns3: fix VF ID issue for setting VF VLAN
  2019-12-03  3:08 [PATCH net 0/3] net: hns3: fixes for -net Huazhong Tan
  2019-12-03  3:08 ` [PATCH net 1/3] net: hns3: fix for TX queue not restarted problem Huazhong Tan
  2019-12-03  3:08 ` [PATCH net 2/3] net: hns3: fix a use after free problem in hns3_nic_maybe_stop_tx() Huazhong Tan
@ 2019-12-03  3:08 ` Huazhong Tan
  2 siblings, 0 replies; 12+ messages in thread
From: Huazhong Tan @ 2019-12-03  3:08 UTC (permalink / raw)
  To: davem
  Cc: netdev, linux-kernel, salil.mehta, yisen.zhuang, linuxarm,
	jakub.kicinski, Jian Shen, Huazhong Tan

From: Jian Shen <shenjian15@huawei.com>

Previously, when set VF VLAN with command "ip link set <pf name>
vf <vf id> vlan <vlan id>", the VF ID 0 is handled as PF incorrectly,
which should be the first VF. This patch fixes it.

Fixes: 21e043cd8124 ("net: hns3: fix set port based VLAN for PF")
Signed-off-by: Jian Shen <shenjian15@huawei.com>
Signed-off-by: Huazhong Tan <tanhuazhong@huawei.com>
---
 .../net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c    | 18 ++++++------------
 1 file changed, 6 insertions(+), 12 deletions(-)

diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
index 7c703867..d862e9b 100644
--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
+++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
@@ -8438,13 +8438,16 @@ static int hclge_set_vf_vlan_filter(struct hnae3_handle *handle, int vfid,
 	if (hdev->pdev->revision == 0x20)
 		return -EOPNOTSUPP;
 
+	vport = hclge_get_vf_vport(hdev, vfid);
+	if (!vport)
+		return -EINVAL;
+
 	/* qos is a 3 bits value, so can not be bigger than 7 */
-	if (vfid >= hdev->num_alloc_vfs || vlan > VLAN_N_VID - 1 || qos > 7)
+	if (vlan > VLAN_N_VID - 1 || qos > 7)
 		return -EINVAL;
 	if (proto != htons(ETH_P_8021Q))
 		return -EPROTONOSUPPORT;
 
-	vport = &hdev->vport[vfid];
 	state = hclge_get_port_base_vlan_state(vport,
 					       vport->port_base_vlan_cfg.state,
 					       vlan);
@@ -8455,21 +8458,12 @@ static int hclge_set_vf_vlan_filter(struct hnae3_handle *handle, int vfid,
 	vlan_info.qos = qos;
 	vlan_info.vlan_proto = ntohs(proto);
 
-	/* update port based VLAN for PF */
-	if (!vfid) {
-		hclge_notify_client(hdev, HNAE3_DOWN_CLIENT);
-		ret = hclge_update_port_base_vlan_cfg(vport, state, &vlan_info);
-		hclge_notify_client(hdev, HNAE3_UP_CLIENT);
-
-		return ret;
-	}
-
 	if (!test_bit(HCLGE_VPORT_STATE_ALIVE, &vport->state)) {
 		return hclge_update_port_base_vlan_cfg(vport, state,
 						       &vlan_info);
 	} else {
 		ret = hclge_push_vf_port_base_vlan_info(&hdev->vport[0],
-							(u8)vfid, state,
+							vport->vport_id, state,
 							vlan, qos,
 							ntohs(proto));
 		return ret;
-- 
2.7.4


^ permalink raw reply	[flat|nested] 12+ messages in thread

* Re: [PATCH net 1/3] net: hns3: fix for TX queue not restarted problem
  2019-12-03  3:08 ` [PATCH net 1/3] net: hns3: fix for TX queue not restarted problem Huazhong Tan
@ 2019-12-03  3:25   ` David Miller
  2019-12-03  4:28     ` Yunsheng Lin
  0 siblings, 1 reply; 12+ messages in thread
From: David Miller @ 2019-12-03  3:25 UTC (permalink / raw)
  To: tanhuazhong
  Cc: netdev, linux-kernel, salil.mehta, yisen.zhuang, linuxarm,
	jakub.kicinski, linyunsheng

From: Huazhong Tan <tanhuazhong@huawei.com>
Date: Tue, 3 Dec 2019 11:08:53 +0800

> diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
> index ba05368..b2bb8e2 100644
> --- a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
> +++ b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
> @@ -1286,13 +1286,16 @@ static bool hns3_skb_need_linearized(struct sk_buff *skb, unsigned int *bd_size,
>  	return false;
>  }
>  
> -static int hns3_nic_maybe_stop_tx(struct hns3_enet_ring *ring,
> +static int hns3_nic_maybe_stop_tx(struct net_device *netdev,
>  				  struct sk_buff **out_skb)
>  {
> +	struct hns3_nic_priv *priv = netdev_priv(netdev);
>  	unsigned int bd_size[HNS3_MAX_TSO_BD_NUM + 1U];
>  	struct sk_buff *skb = *out_skb;
> +	struct hns3_enet_ring *ring;
>  	unsigned int bd_num;
>  
> +	ring = &priv->ring[skb->queue_mapping];

Please just pass the ring pointer into hns3_nic_maybe_stop_tx() instead of
needlessly recalculating it.

Thank you.

^ permalink raw reply	[flat|nested] 12+ messages in thread

* Re: [PATCH net 2/3] net: hns3: fix a use after free problem in hns3_nic_maybe_stop_tx()
  2019-12-03  3:08 ` [PATCH net 2/3] net: hns3: fix a use after free problem in hns3_nic_maybe_stop_tx() Huazhong Tan
@ 2019-12-03  3:28   ` David Miller
  2019-12-03  4:22     ` Yunsheng Lin
  0 siblings, 1 reply; 12+ messages in thread
From: David Miller @ 2019-12-03  3:28 UTC (permalink / raw)
  To: tanhuazhong
  Cc: netdev, linux-kernel, salil.mehta, yisen.zhuang, linuxarm,
	jakub.kicinski, linyunsheng

From: Huazhong Tan <tanhuazhong@huawei.com>
Date: Tue, 3 Dec 2019 11:08:54 +0800

> From: Yunsheng Lin <linyunsheng@huawei.com>
> 
> Currently, hns3_nic_maybe_stop_tx() uses skb_copy() to linearize a
> SKB if the BD num required by the SKB does not meet the hardware
> limitation, and it linearizes the SKB by allocating a new SKB and
> freeing the old SKB, if hns3_nic_maybe_stop_tx() returns -EBUSY,
> the sch_direct_xmit() still hold reference to old SKB and try to
> retransmit the old SKB when dev_hard_start_xmit() return TX_BUSY,
> which may cause use after freed problem.
> 
> This patch fixes it by using __skb_linearize() to linearize the
> SKB in hns3_nic_maybe_stop_tx().
> 
> Fixes: 51e8439f3496 ("net: hns3: add 8 BD limit for tx flow")
> Signed-off-by: Yunsheng Lin <linyunsheng@huawei.com>
> Signed-off-by: Huazhong Tan <tanhuazhong@huawei.com>

That's not what I see.

You're freeing the SKB in the caller of hns3_nic_maybe_stop_tx()
in the -ENOMEM case, not the generic qdisc code.

Standing practice is to always return NETIF_TX_OK in this case
and just pretend the frame was sent.

Grep for __skb_linearize use throughout various drivers to see
what I mean.  i40e is just one of several examples.


^ permalink raw reply	[flat|nested] 12+ messages in thread

* Re: [PATCH net 2/3] net: hns3: fix a use after free problem in hns3_nic_maybe_stop_tx()
  2019-12-03  3:28   ` David Miller
@ 2019-12-03  4:22     ` Yunsheng Lin
  2019-12-03 19:57       ` David Miller
  0 siblings, 1 reply; 12+ messages in thread
From: Yunsheng Lin @ 2019-12-03  4:22 UTC (permalink / raw)
  To: David Miller, tanhuazhong
  Cc: netdev, linux-kernel, salil.mehta, yisen.zhuang, linuxarm,
	jakub.kicinski

On 2019/12/3 11:28, David Miller wrote:
> From: Huazhong Tan <tanhuazhong@huawei.com>
> Date: Tue, 3 Dec 2019 11:08:54 +0800
> 
>> From: Yunsheng Lin <linyunsheng@huawei.com>
>>
>> Currently, hns3_nic_maybe_stop_tx() uses skb_copy() to linearize a
>> SKB if the BD num required by the SKB does not meet the hardware
>> limitation, and it linearizes the SKB by allocating a new SKB and
>> freeing the old SKB, if hns3_nic_maybe_stop_tx() returns -EBUSY,
>> the sch_direct_xmit() still hold reference to old SKB and try to
>> retransmit the old SKB when dev_hard_start_xmit() return TX_BUSY,
>> which may cause use after freed problem.
>>
>> This patch fixes it by using __skb_linearize() to linearize the
>> SKB in hns3_nic_maybe_stop_tx().
>>
>> Fixes: 51e8439f3496 ("net: hns3: add 8 BD limit for tx flow")
>> Signed-off-by: Yunsheng Lin <linyunsheng@huawei.com>
>> Signed-off-by: Huazhong Tan <tanhuazhong@huawei.com>
> 
> That's not what I see.
> 
> You're freeing the SKB in the caller of hns3_nic_maybe_stop_tx()
> in the -ENOMEM case, not the generic qdisc code.
> 
> Standing practice is to always return NETIF_TX_OK in this case
> and just pretend the frame was sent.
> 
> Grep for __skb_linearize use throughout various drivers to see
> what I mean.  i40e is just one of several examples.

1. When skb_copy()/__skb_linearize()  returns failure, the
hns3_nic_maybe_stop_tx() does return -ENOMEM, and hns3_nic_net_xmit()
does free the skb before returning NETIF_TX_OK, which pretens the frame
was sent.

2. When skb_copy() returns success, the hns3_nic_maybe_stop_tx()
returns -EBUSY when there are not no enough space in the ring to
send the skb to hardware, and hns3_nic_net_xmit() will return
NETDEV_TX_BUSY to the upper layer, the upper layer will resend the old
skb later when driver wakes up the queue, but the old skb has been freed
by the hns3_nic_maybe_stop_tx(). Because when using the skb_copy() to
linearize a skb, it will return a new linearized skb, and the old skb is
freed, the upper layer does not have a reference to the new skb and resend
using the old skb, which casues a use after freed problem.

This patch is trying to fixes the case 2.

Maybe I should mention why hns3_nic_maybe_stop_tx() returns -EBUSY to
better describe the problem?


> 
> 
> .
> 


^ permalink raw reply	[flat|nested] 12+ messages in thread

* Re: [PATCH net 1/3] net: hns3: fix for TX queue not restarted problem
  2019-12-03  3:25   ` David Miller
@ 2019-12-03  4:28     ` Yunsheng Lin
  2019-12-03  8:48       ` David Miller
  0 siblings, 1 reply; 12+ messages in thread
From: Yunsheng Lin @ 2019-12-03  4:28 UTC (permalink / raw)
  To: David Miller, tanhuazhong
  Cc: netdev, linux-kernel, salil.mehta, yisen.zhuang, linuxarm,
	jakub.kicinski

On 2019/12/3 11:25, David Miller wrote:
> From: Huazhong Tan <tanhuazhong@huawei.com>
> Date: Tue, 3 Dec 2019 11:08:53 +0800
> 
>> diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
>> index ba05368..b2bb8e2 100644
>> --- a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
>> +++ b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
>> @@ -1286,13 +1286,16 @@ static bool hns3_skb_need_linearized(struct sk_buff *skb, unsigned int *bd_size,
>>  	return false;
>>  }
>>  
>> -static int hns3_nic_maybe_stop_tx(struct hns3_enet_ring *ring,
>> +static int hns3_nic_maybe_stop_tx(struct net_device *netdev,
>>  				  struct sk_buff **out_skb)
>>  {
>> +	struct hns3_nic_priv *priv = netdev_priv(netdev);
>>  	unsigned int bd_size[HNS3_MAX_TSO_BD_NUM + 1U];
>>  	struct sk_buff *skb = *out_skb;
>> +	struct hns3_enet_ring *ring;
>>  	unsigned int bd_num;
>>  
>> +	ring = &priv->ring[skb->queue_mapping];
> 
> Please just pass the ring pointer into hns3_nic_maybe_stop_tx() instead of
> needlessly recalculating it.

The reason that I am passing the netdev instead of ring pointer is
that the netif_start_subqueue() need a netdev parameter, and the
netdev can not be derived from the ring pointer.

Do you think it is better to keep it as this patch, or add a new
netdevice parameter? like below:

static int hns3_nic_maybe_stop_tx(struct net_device *netdev,
				  struct hns3_enet_ring *ring,
				  struct sk_buff **out_skb)



> 
> Thank you.
> 
> .
> 


^ permalink raw reply	[flat|nested] 12+ messages in thread

* Re: [PATCH net 1/3] net: hns3: fix for TX queue not restarted problem
  2019-12-03  4:28     ` Yunsheng Lin
@ 2019-12-03  8:48       ` David Miller
  2019-12-04  1:32         ` Yunsheng Lin
  0 siblings, 1 reply; 12+ messages in thread
From: David Miller @ 2019-12-03  8:48 UTC (permalink / raw)
  To: linyunsheng
  Cc: tanhuazhong, netdev, linux-kernel, salil.mehta, yisen.zhuang,
	linuxarm, jakub.kicinski

From: Yunsheng Lin <linyunsheng@huawei.com>
Date: Tue, 3 Dec 2019 12:28:22 +0800

> On 2019/12/3 11:25, David Miller wrote:
>> From: Huazhong Tan <tanhuazhong@huawei.com>
>> Date: Tue, 3 Dec 2019 11:08:53 +0800
>> 
>>> diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
>>> index ba05368..b2bb8e2 100644
>>> --- a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
>>> +++ b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
>>> @@ -1286,13 +1286,16 @@ static bool hns3_skb_need_linearized(struct sk_buff *skb, unsigned int *bd_size,
>>>  	return false;
>>>  }
>>>  
>>> -static int hns3_nic_maybe_stop_tx(struct hns3_enet_ring *ring,
>>> +static int hns3_nic_maybe_stop_tx(struct net_device *netdev,
>>>  				  struct sk_buff **out_skb)
>>>  {
>>> +	struct hns3_nic_priv *priv = netdev_priv(netdev);
>>>  	unsigned int bd_size[HNS3_MAX_TSO_BD_NUM + 1U];
>>>  	struct sk_buff *skb = *out_skb;
>>> +	struct hns3_enet_ring *ring;
>>>  	unsigned int bd_num;
>>>  
>>> +	ring = &priv->ring[skb->queue_mapping];
>> 
>> Please just pass the ring pointer into hns3_nic_maybe_stop_tx() instead of
>> needlessly recalculating it.
> 
> The reason that I am passing the netdev instead of ring pointer is
> that the netif_start_subqueue() need a netdev parameter, and the
> netdev can not be derived from the ring pointer.
> 
> Do you think it is better to keep it as this patch, or add a new
> netdevice parameter? like below:

Just add the netdev parameter, in addition to the ring parameter.

All arguments fit in the register argument passing conventions of
various cpus so the cost of adding the parameter is zero.

^ permalink raw reply	[flat|nested] 12+ messages in thread

* Re: [PATCH net 2/3] net: hns3: fix a use after free problem in hns3_nic_maybe_stop_tx()
  2019-12-03  4:22     ` Yunsheng Lin
@ 2019-12-03 19:57       ` David Miller
  2019-12-04  1:33         ` Yunsheng Lin
  0 siblings, 1 reply; 12+ messages in thread
From: David Miller @ 2019-12-03 19:57 UTC (permalink / raw)
  To: linyunsheng
  Cc: tanhuazhong, netdev, linux-kernel, salil.mehta, yisen.zhuang,
	linuxarm, jakub.kicinski

From: Yunsheng Lin <linyunsheng@huawei.com>
Date: Tue, 3 Dec 2019 12:22:11 +0800

> 2. When skb_copy() returns success, the hns3_nic_maybe_stop_tx()
> returns -EBUSY when there are not no enough space in the ring to
> send the skb to hardware, and hns3_nic_net_xmit() will return
> NETDEV_TX_BUSY to the upper layer, the upper layer will resend the old
> skb later when driver wakes up the queue, but the old skb has been freed
> by the hns3_nic_maybe_stop_tx(). Because when using the skb_copy() to
> linearize a skb, it will return a new linearized skb, and the old skb is
> freed, the upper layer does not have a reference to the new skb and resend
> using the old skb, which casues a use after freed problem.
> 
> This patch is trying to fixes the case 2.
> 
> Maybe I should mention why hns3_nic_maybe_stop_tx() returns -EBUSY to
> better describe the problem?

I think it would help understand the code path you are fixing, yes.

^ permalink raw reply	[flat|nested] 12+ messages in thread

* Re: [PATCH net 1/3] net: hns3: fix for TX queue not restarted problem
  2019-12-03  8:48       ` David Miller
@ 2019-12-04  1:32         ` Yunsheng Lin
  0 siblings, 0 replies; 12+ messages in thread
From: Yunsheng Lin @ 2019-12-04  1:32 UTC (permalink / raw)
  To: David Miller
  Cc: tanhuazhong, netdev, linux-kernel, salil.mehta, yisen.zhuang,
	linuxarm, jakub.kicinski

On 2019/12/3 16:48, David Miller wrote:
> From: Yunsheng Lin <linyunsheng@huawei.com>
> Date: Tue, 3 Dec 2019 12:28:22 +0800
> 
>> On 2019/12/3 11:25, David Miller wrote:
>>> From: Huazhong Tan <tanhuazhong@huawei.com>
>>> Date: Tue, 3 Dec 2019 11:08:53 +0800
>>>
>>>> diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
>>>> index ba05368..b2bb8e2 100644
>>>> --- a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
>>>> +++ b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
>>>> @@ -1286,13 +1286,16 @@ static bool hns3_skb_need_linearized(struct sk_buff *skb, unsigned int *bd_size,
>>>>  	return false;
>>>>  }
>>>>  
>>>> -static int hns3_nic_maybe_stop_tx(struct hns3_enet_ring *ring,
>>>> +static int hns3_nic_maybe_stop_tx(struct net_device *netdev,
>>>>  				  struct sk_buff **out_skb)
>>>>  {
>>>> +	struct hns3_nic_priv *priv = netdev_priv(netdev);
>>>>  	unsigned int bd_size[HNS3_MAX_TSO_BD_NUM + 1U];
>>>>  	struct sk_buff *skb = *out_skb;
>>>> +	struct hns3_enet_ring *ring;
>>>>  	unsigned int bd_num;
>>>>  
>>>> +	ring = &priv->ring[skb->queue_mapping];
>>>
>>> Please just pass the ring pointer into hns3_nic_maybe_stop_tx() instead of
>>> needlessly recalculating it.
>>
>> The reason that I am passing the netdev instead of ring pointer is
>> that the netif_start_subqueue() need a netdev parameter, and the
>> netdev can not be derived from the ring pointer.
>>
>> Do you think it is better to keep it as this patch, or add a new
>> netdevice parameter? like below:
> 
> Just add the netdev parameter, in addition to the ring parameter.
> 
> All arguments fit in the register argument passing conventions of
> various cpus so the cost of adding the parameter is zero.

Ok, thanks.

> 
> .
> 


^ permalink raw reply	[flat|nested] 12+ messages in thread

* Re: [PATCH net 2/3] net: hns3: fix a use after free problem in hns3_nic_maybe_stop_tx()
  2019-12-03 19:57       ` David Miller
@ 2019-12-04  1:33         ` Yunsheng Lin
  0 siblings, 0 replies; 12+ messages in thread
From: Yunsheng Lin @ 2019-12-04  1:33 UTC (permalink / raw)
  To: David Miller
  Cc: tanhuazhong, netdev, linux-kernel, salil.mehta, yisen.zhuang,
	linuxarm, jakub.kicinski

On 2019/12/4 3:57, David Miller wrote:
> From: Yunsheng Lin <linyunsheng@huawei.com>
> Date: Tue, 3 Dec 2019 12:22:11 +0800
> 
>> 2. When skb_copy() returns success, the hns3_nic_maybe_stop_tx()
>> returns -EBUSY when there are not no enough space in the ring to
>> send the skb to hardware, and hns3_nic_net_xmit() will return
>> NETDEV_TX_BUSY to the upper layer, the upper layer will resend the old
>> skb later when driver wakes up the queue, but the old skb has been freed
>> by the hns3_nic_maybe_stop_tx(). Because when using the skb_copy() to
>> linearize a skb, it will return a new linearized skb, and the old skb is
>> freed, the upper layer does not have a reference to the new skb and resend
>> using the old skb, which casues a use after freed problem.
>>
>> This patch is trying to fixes the case 2.
>>
>> Maybe I should mention why hns3_nic_maybe_stop_tx() returns -EBUSY to
>> better describe the problem?
> 
> I think it would help understand the code path you are fixing, yes.

Will mention that in the next version, thanks.

> 
> .
> 


^ permalink raw reply	[flat|nested] 12+ messages in thread

end of thread, back to index

Thread overview: 12+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-12-03  3:08 [PATCH net 0/3] net: hns3: fixes for -net Huazhong Tan
2019-12-03  3:08 ` [PATCH net 1/3] net: hns3: fix for TX queue not restarted problem Huazhong Tan
2019-12-03  3:25   ` David Miller
2019-12-03  4:28     ` Yunsheng Lin
2019-12-03  8:48       ` David Miller
2019-12-04  1:32         ` Yunsheng Lin
2019-12-03  3:08 ` [PATCH net 2/3] net: hns3: fix a use after free problem in hns3_nic_maybe_stop_tx() Huazhong Tan
2019-12-03  3:28   ` David Miller
2019-12-03  4:22     ` Yunsheng Lin
2019-12-03 19:57       ` David Miller
2019-12-04  1:33         ` Yunsheng Lin
2019-12-03  3:08 ` [PATCH net 3/3] net: hns3: fix VF ID issue for setting VF VLAN Huazhong Tan

Netdev Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/netdev/0 netdev/git/0.git
	git clone --mirror https://lore.kernel.org/netdev/1 netdev/git/1.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 netdev netdev/ https://lore.kernel.org/netdev \
		netdev@vger.kernel.org
	public-inbox-index netdev

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.netdev


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git