From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id 3A5BEA0032 for ; Fri, 18 Feb 2022 13:41:49 +0100 (CET) Received: from [217.70.189.124] (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id 3341240141; Fri, 18 Feb 2022 13:41:49 +0100 (CET) Received: from mail-wr1-f49.google.com (mail-wr1-f49.google.com [209.85.221.49]) by mails.dpdk.org (Postfix) with ESMTP id 01ACC40141 for ; Fri, 18 Feb 2022 13:41:47 +0100 (CET) Received: by mail-wr1-f49.google.com with SMTP id f3so14233795wrh.7 for ; Fri, 18 Feb 2022 04:41:46 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=WNnHUWBlR4v649jNcPcJhb2VIj4IiDZV5sJlyLgLqMg=; b=lXkW280H1lLapCyQ/63GZqmTBzlBP3HWB/BbI7gB3SGFpDVC1aLUwa/Y2QuGFZe7Dc tPblesmXVCArWRnjlAxis0Y5bRVjFfyz8K2TOGXPfEUv30RVDgB8FMv1sC9SKMnURTPJ XW57uTwFRTxhHv5Z+QLSjmwR6mo3De8fHriNNcE9bIgCUSzFm2/blhm9VT/J8EuYag8q 6bbmb4FCIPuEuF2/ELaeH/czSb2kGd+s6Q35228nwdISqeR8eECgBKvHhwyPzFF1INq3 7zyIuhGiVYx7DiEGfW2dqJ+ICzj77L2niRUNp644/nvOJVddWvGEf6I6QdbV0rKY6xCR MJ3Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=WNnHUWBlR4v649jNcPcJhb2VIj4IiDZV5sJlyLgLqMg=; b=3FbsBYJz3APyRfN6BYtYEIyDIx3KvV8GdBFBf+7PKXypk9hvvIcXEknYyNMJjXfQmE zHJFQ2Sklgr2ZyBj7+iJSmEM82MSC7JI3G3eWt7QM4RHKHAGALVfqSSlm/dPTb1HT8yf e2ORnQyfFMcwBW1kMNlJ0fNKvjqLXIp6nVsY8QUGpgSIoeZ8/qIDqvaO1OLIKUW47qMd SwWWgF/p/3gI9yCK459gGTbT1P8y3q2cC/Iu33r0m7IGY7+cY67MihFIfwmbVNzixQpQ 7CC4Nlg/8S3OyI2PDySJs0RSzr2EIE2ExoVGYSN9gDOxMvqwZRw2lT048y4X1o1X+TVv ly+Q== X-Gm-Message-State: AOAM532lLUFBlDxDprrzVd51ooW9bpcW+EAWPHZ53JWiCs7+uTzfhBlt re60gB7onJB/75Vrxm3MYL73qN7GxrkcffuA X-Google-Smtp-Source: ABdhPJziq8p4X865svJm/XV55AieJzsAEz+4lPWWkmhAbSzUESWWrdurSCQa5e/c84yHWg3AgPOtMA== X-Received: by 2002:a5d:4812:0:b0:1e3:11c0:156a with SMTP id l18-20020a5d4812000000b001e311c0156amr5942700wrq.194.1645188106685; Fri, 18 Feb 2022 04:41:46 -0800 (PST) Received: from localhost ([2a01:4b00:f41a:3600:360b:9754:2e3a:c344]) by smtp.gmail.com with ESMTPSA id c13sm41558175wrv.24.2022.02.18.04.41.45 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 18 Feb 2022 04:41:46 -0800 (PST) From: luca.boccassi@gmail.com To: Rahul Lakkireddy Cc: Ferruh Yigit , dpdk stable Subject: patch 'net/cxgbe: fix dangling pointer by mailbox access rework' has been queued to stable release 20.11.5 Date: Fri, 18 Feb 2022 12:38:11 +0000 Message-Id: <20220218123931.1749595-42-luca.boccassi@gmail.com> X-Mailer: git-send-email 2.30.2 In-Reply-To: <20220218123931.1749595-1-luca.boccassi@gmail.com> References: <20220218123931.1749595-1-luca.boccassi@gmail.com> MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: stable@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: patches for DPDK stable branches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: stable-bounces@dpdk.org Hi, FYI, your patch has been queued to stable release 20.11.5 Note it hasn't been pushed to http://dpdk.org/browse/dpdk-stable yet. It will be pushed if I get no objections before 02/20/22. So please shout if anyone has objections. Also note that after the patch there's a diff of the upstream commit vs the patch applied to the branch. This will indicate if there was any rebasing needed to apply to the stable branch. If there were code changes for rebasing (ie: not only metadata diffs), please double check that the rebase was correctly done. Queued patches are on a temporary branch at: https://github.com/bluca/dpdk-stable This queued commit can be viewed at: https://github.com/bluca/dpdk-stable/commit/b5b90b6ea320c8e7bdd486c288f89cee647920bf Thanks. Luca Boccassi --- >From b5b90b6ea320c8e7bdd486c288f89cee647920bf Mon Sep 17 00:00:00 2001 From: Rahul Lakkireddy Date: Thu, 20 Jan 2022 03:26:40 +0530 Subject: [PATCH] net/cxgbe: fix dangling pointer by mailbox access rework MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit [ upstream commit 19cafed99ac573662045424e559cee444c175b63 ] Rework mailbox access serialization to dynamically allocate and free mbox entry. Also remove unnecessary temp memory and macros. Observed with: gcc-12.0 (GCC) 12.0.1 20220118 (experimental) In file included from ../lib/eal/linux/include/rte_os.h:14, from ../lib/eal/include/rte_common.h:28, from ../lib/eal/include/rte_log.h:25, from ../lib/ethdev/rte_ethdev.h:164, from ../lib/ethdev/ethdev_driver.h:18, from ../drivers/net/cxgbe/base/t4vf_hw.c:6: In function ‘t4_os_atomic_add_tail’, inlined from ‘t4vf_wr_mbox_core’ at ../drivers/net/cxgbe/base/t4vf_hw.c:115:2: ../drivers/net/cxgbe/base/adapter.h:742:9: warning: storing the address of local variable ‘entry’ in ‘((struct mbox_list *)adapter)[96].tqh_last’ [-Wdangling-pointer=] 742 | TAILQ_INSERT_TAIL(head, entry, next); | ^~~~~~~~~~~~~~~~~ ../drivers/net/cxgbe/base/t4vf_hw.c: In function ‘t4vf_wr_mbox_core’: ../drivers/net/cxgbe/base/t4vf_hw.c:86:27: note: ‘entry’ declared here 86 | struct mbox_entry entry; | ^~~~~ ../drivers/net/cxgbe/base/t4vf_hw.c:86:27: note: ‘adapter’ declared here Fixes: 3bd122eef2cc ("cxgbe/base: add hardware API for Chelsio T5 series adapters") Reported-by: Ferruh Yigit Signed-off-by: Rahul Lakkireddy --- drivers/net/cxgbe/base/adapter.h | 2 - drivers/net/cxgbe/base/t4_hw.c | 83 ++++++++++++-------------------- drivers/net/cxgbe/base/t4vf_hw.c | 28 +++++++---- 3 files changed, 49 insertions(+), 64 deletions(-) diff --git a/drivers/net/cxgbe/base/adapter.h b/drivers/net/cxgbe/base/adapter.h index 6ff009a5f6..5de41110eb 100644 --- a/drivers/net/cxgbe/base/adapter.h +++ b/drivers/net/cxgbe/base/adapter.h @@ -297,8 +297,6 @@ struct sge { u32 fl_starve_thres; /* Free List starvation threshold */ }; -#define T4_OS_NEEDS_MBOX_LOCKING 1 - /* * OS Lock/List primitives for those interfaces in the Common Code which * need this. diff --git a/drivers/net/cxgbe/base/t4_hw.c b/drivers/net/cxgbe/base/t4_hw.c index 9217956b42..aa839cc1d3 100644 --- a/drivers/net/cxgbe/base/t4_hw.c +++ b/drivers/net/cxgbe/base/t4_hw.c @@ -264,17 +264,6 @@ static void fw_asrt(struct adapter *adap, u32 mbox_addr) #define X_CIM_PF_NOACCESS 0xeeeeeeee -/* - * If the Host OS Driver needs locking arround accesses to the mailbox, this - * can be turned on via the T4_OS_NEEDS_MBOX_LOCKING CPP define ... - */ -/* makes single-statement usage a bit cleaner ... */ -#ifdef T4_OS_NEEDS_MBOX_LOCKING -#define T4_OS_MBOX_LOCKING(x) x -#else -#define T4_OS_MBOX_LOCKING(x) do {} while (0) -#endif - /** * t4_wr_mbox_meat_timeout - send a command to FW through the given mailbox * @adap: the adapter @@ -315,28 +304,17 @@ int t4_wr_mbox_meat_timeout(struct adapter *adap, int mbox, 1, 1, 3, 5, 10, 10, 20, 50, 100 }; - u32 v; - u64 res; - int i, ms; - unsigned int delay_idx; - __be64 *temp = (__be64 *)malloc(size * sizeof(char)); - __be64 *p = temp; u32 data_reg = PF_REG(mbox, A_CIM_PF_MAILBOX_DATA); u32 ctl_reg = PF_REG(mbox, A_CIM_PF_MAILBOX_CTRL); - u32 ctl; - struct mbox_entry entry; - u32 pcie_fw = 0; + struct mbox_entry *entry; + u32 v, ctl, pcie_fw = 0; + unsigned int delay_idx; + const __be64 *p; + int i, ms, ret; + u64 res; - if (!temp) - return -ENOMEM; - - if ((size & 15) || size > MBOX_LEN) { - free(temp); + if ((size & 15) != 0 || size > MBOX_LEN) return -EINVAL; - } - - memset(p, 0, size); - memcpy(p, (const __be64 *)cmd, size); /* * If we have a negative timeout, that implies that we can't sleep. @@ -346,14 +324,17 @@ int t4_wr_mbox_meat_timeout(struct adapter *adap, int mbox, timeout = -timeout; } -#ifdef T4_OS_NEEDS_MBOX_LOCKING + entry = t4_os_alloc(sizeof(*entry)); + if (entry == NULL) + return -ENOMEM; + /* * Queue ourselves onto the mailbox access list. When our entry is at * the front of the list, we have rights to access the mailbox. So we * wait [for a while] till we're at the front [or bail out with an * EBUSY] ... */ - t4_os_atomic_add_tail(&entry, &adap->mbox_list, &adap->mbox_lock); + t4_os_atomic_add_tail(entry, &adap->mbox_list, &adap->mbox_lock); delay_idx = 0; ms = delay[0]; @@ -368,18 +349,18 @@ int t4_wr_mbox_meat_timeout(struct adapter *adap, int mbox, */ pcie_fw = t4_read_reg(adap, A_PCIE_FW); if (i > 4 * timeout || (pcie_fw & F_PCIE_FW_ERR)) { - t4_os_atomic_list_del(&entry, &adap->mbox_list, + t4_os_atomic_list_del(entry, &adap->mbox_list, &adap->mbox_lock); t4_report_fw_error(adap); - free(temp); - return (pcie_fw & F_PCIE_FW_ERR) ? -ENXIO : -EBUSY; + ret = ((pcie_fw & F_PCIE_FW_ERR) != 0) ? -ENXIO : -EBUSY; + goto out_free; } /* * If we're at the head, break out and start the mailbox * protocol. */ - if (t4_os_list_first_entry(&adap->mbox_list) == &entry) + if (t4_os_list_first_entry(&adap->mbox_list) == entry) break; /* @@ -394,7 +375,6 @@ int t4_wr_mbox_meat_timeout(struct adapter *adap, int mbox, rte_delay_ms(ms); } } -#endif /* T4_OS_NEEDS_MBOX_LOCKING */ /* * Attempt to gain access to the mailbox. @@ -411,12 +391,11 @@ int t4_wr_mbox_meat_timeout(struct adapter *adap, int mbox, * mailbox atomic access list and report the error to our caller. */ if (v != X_MBOWNER_PL) { - T4_OS_MBOX_LOCKING(t4_os_atomic_list_del(&entry, - &adap->mbox_list, - &adap->mbox_lock)); + t4_os_atomic_list_del(entry, &adap->mbox_list, + &adap->mbox_lock); t4_report_fw_error(adap); - free(temp); - return (v == X_MBOWNER_FW ? -EBUSY : -ETIMEDOUT); + ret = (v == X_MBOWNER_FW) ? -EBUSY : -ETIMEDOUT; + goto out_free; } /* @@ -442,7 +421,7 @@ int t4_wr_mbox_meat_timeout(struct adapter *adap, int mbox, /* * Copy in the new mailbox command and send it on its way ... */ - for (i = 0; i < size; i += 8, p++) + for (i = 0, p = cmd; i < size; i += 8, p++) t4_write_reg64(adap, data_reg + i, be64_to_cpu(*p)); CXGBE_DEBUG_MBOX(adap, "%s: mbox %u: %016llx %016llx %016llx %016llx " @@ -513,11 +492,10 @@ int t4_wr_mbox_meat_timeout(struct adapter *adap, int mbox, get_mbox_rpl(adap, rpl, size / 8, data_reg); } t4_write_reg(adap, ctl_reg, V_MBOWNER(X_MBOWNER_NONE)); - T4_OS_MBOX_LOCKING( - t4_os_atomic_list_del(&entry, &adap->mbox_list, - &adap->mbox_lock)); - free(temp); - return -G_FW_CMD_RETVAL((int)res); + t4_os_atomic_list_del(entry, &adap->mbox_list, + &adap->mbox_lock); + ret = -G_FW_CMD_RETVAL((int)res); + goto out_free; } } @@ -528,12 +506,13 @@ int t4_wr_mbox_meat_timeout(struct adapter *adap, int mbox, */ dev_err(adap, "command %#x in mailbox %d timed out\n", *(const u8 *)cmd, mbox); - T4_OS_MBOX_LOCKING(t4_os_atomic_list_del(&entry, - &adap->mbox_list, - &adap->mbox_lock)); + t4_os_atomic_list_del(entry, &adap->mbox_list, &adap->mbox_lock); t4_report_fw_error(adap); - free(temp); - return (pcie_fw & F_PCIE_FW_ERR) ? -ENXIO : -ETIMEDOUT; + ret = ((pcie_fw & F_PCIE_FW_ERR) != 0) ? -ENXIO : -ETIMEDOUT; + +out_free: + t4_os_free(entry); + return ret; } int t4_wr_mbox_meat(struct adapter *adap, int mbox, const void *cmd, int size, diff --git a/drivers/net/cxgbe/base/t4vf_hw.c b/drivers/net/cxgbe/base/t4vf_hw.c index 649bacfb25..7e323d9b66 100644 --- a/drivers/net/cxgbe/base/t4vf_hw.c +++ b/drivers/net/cxgbe/base/t4vf_hw.c @@ -83,7 +83,7 @@ int t4vf_wr_mbox_core(struct adapter *adapter, u32 mbox_ctl = T4VF_CIM_BASE_ADDR + A_CIM_VF_EXT_MAILBOX_CTRL; __be64 cmd_rpl[MBOX_LEN / 8]; - struct mbox_entry entry; + struct mbox_entry *entry; unsigned int delay_idx; u32 v, mbox_data; const __be64 *p; @@ -106,13 +106,17 @@ int t4vf_wr_mbox_core(struct adapter *adapter, size > NUM_CIM_VF_MAILBOX_DATA_INSTANCES * 4) return -EINVAL; + entry = t4_os_alloc(sizeof(*entry)); + if (entry == NULL) + return -ENOMEM; + /* * Queue ourselves onto the mailbox access list. When our entry is at * the front of the list, we have rights to access the mailbox. So we * wait [for a while] till we're at the front [or bail out with an * EBUSY] ... */ - t4_os_atomic_add_tail(&entry, &adapter->mbox_list, &adapter->mbox_lock); + t4_os_atomic_add_tail(entry, &adapter->mbox_list, &adapter->mbox_lock); delay_idx = 0; ms = delay[0]; @@ -125,17 +129,17 @@ int t4vf_wr_mbox_core(struct adapter *adapter, * contend on access to the mailbox ... */ if (i > (2 * FW_CMD_MAX_TIMEOUT)) { - t4_os_atomic_list_del(&entry, &adapter->mbox_list, + t4_os_atomic_list_del(entry, &adapter->mbox_list, &adapter->mbox_lock); ret = -EBUSY; - return ret; + goto out_free; } /* * If we're at the head, break out and start the mailbox * protocol. */ - if (t4_os_list_first_entry(&adapter->mbox_list) == &entry) + if (t4_os_list_first_entry(&adapter->mbox_list) == entry) break; /* @@ -160,10 +164,10 @@ int t4vf_wr_mbox_core(struct adapter *adapter, v = G_MBOWNER(t4_read_reg(adapter, mbox_ctl)); if (v != X_MBOWNER_PL) { - t4_os_atomic_list_del(&entry, &adapter->mbox_list, + t4_os_atomic_list_del(entry, &adapter->mbox_list, &adapter->mbox_lock); ret = (v == X_MBOWNER_FW) ? -EBUSY : -ETIMEDOUT; - return ret; + goto out_free; } /* @@ -224,7 +228,7 @@ int t4vf_wr_mbox_core(struct adapter *adapter, get_mbox_rpl(adapter, cmd_rpl, size / 8, mbox_data); t4_write_reg(adapter, mbox_ctl, V_MBOWNER(X_MBOWNER_NONE)); - t4_os_atomic_list_del(&entry, &adapter->mbox_list, + t4_os_atomic_list_del(entry, &adapter->mbox_list, &adapter->mbox_lock); /* return value in high-order host-endian word */ @@ -236,7 +240,8 @@ int t4vf_wr_mbox_core(struct adapter *adapter, & F_FW_CMD_REQUEST) == 0); memcpy(rpl, cmd_rpl, size); } - return -((int)G_FW_CMD_RETVAL(v)); + ret = -((int)G_FW_CMD_RETVAL(v)); + goto out_free; } } @@ -246,8 +251,11 @@ int t4vf_wr_mbox_core(struct adapter *adapter, dev_err(adapter, "command %#x timed out\n", *(const u8 *)cmd); dev_err(adapter, " Control = %#x\n", t4_read_reg(adapter, mbox_ctl)); - t4_os_atomic_list_del(&entry, &adapter->mbox_list, &adapter->mbox_lock); + t4_os_atomic_list_del(entry, &adapter->mbox_list, &adapter->mbox_lock); ret = -ETIMEDOUT; + +out_free: + t4_os_free(entry); return ret; } -- 2.30.2 --- Diff of the applied patch vs upstream commit (please double-check if non-empty: --- --- - 2022-02-18 12:37:39.709625492 +0000 +++ 0042-net-cxgbe-fix-dangling-pointer-by-mailbox-access-rew.patch 2022-02-18 12:37:37.650791026 +0000 @@ -1 +1 @@ -From 19cafed99ac573662045424e559cee444c175b63 Mon Sep 17 00:00:00 2001 +From b5b90b6ea320c8e7bdd486c288f89cee647920bf Mon Sep 17 00:00:00 2001 @@ -8,0 +9,2 @@ +[ upstream commit 19cafed99ac573662045424e559cee444c175b63 ] + @@ -35 +36,0 @@ -Cc: stable@dpdk.org @@ -46 +47 @@ -index 1c7c8afe16..97963422bf 100644 +index 6ff009a5f6..5de41110eb 100644 @@ -49 +50 @@ -@@ -291,8 +291,6 @@ struct sge { +@@ -297,8 +297,6 @@ struct sge { @@ -59 +60 @@ -index cdcd7e5510..645833765a 100644 +index 9217956b42..aa839cc1d3 100644 @@ -62 +63 @@ -@@ -263,17 +263,6 @@ static void fw_asrt(struct adapter *adap, u32 mbox_addr) +@@ -264,17 +264,6 @@ static void fw_asrt(struct adapter *adap, u32 mbox_addr) @@ -80 +81 @@ -@@ -314,28 +303,17 @@ int t4_wr_mbox_meat_timeout(struct adapter *adap, int mbox, +@@ -315,28 +304,17 @@ int t4_wr_mbox_meat_timeout(struct adapter *adap, int mbox, @@ -116 +117 @@ -@@ -345,14 +323,17 @@ int t4_wr_mbox_meat_timeout(struct adapter *adap, int mbox, +@@ -346,14 +324,17 @@ int t4_wr_mbox_meat_timeout(struct adapter *adap, int mbox, @@ -136 +137 @@ -@@ -367,18 +348,18 @@ int t4_wr_mbox_meat_timeout(struct adapter *adap, int mbox, +@@ -368,18 +349,18 @@ int t4_wr_mbox_meat_timeout(struct adapter *adap, int mbox, @@ -159 +160 @@ -@@ -393,7 +374,6 @@ int t4_wr_mbox_meat_timeout(struct adapter *adap, int mbox, +@@ -394,7 +375,6 @@ int t4_wr_mbox_meat_timeout(struct adapter *adap, int mbox, @@ -167 +168 @@ -@@ -410,12 +390,11 @@ int t4_wr_mbox_meat_timeout(struct adapter *adap, int mbox, +@@ -411,12 +391,11 @@ int t4_wr_mbox_meat_timeout(struct adapter *adap, int mbox, @@ -184 +185 @@ -@@ -441,7 +420,7 @@ int t4_wr_mbox_meat_timeout(struct adapter *adap, int mbox, +@@ -442,7 +421,7 @@ int t4_wr_mbox_meat_timeout(struct adapter *adap, int mbox, @@ -193 +194 @@ -@@ -512,11 +491,10 @@ int t4_wr_mbox_meat_timeout(struct adapter *adap, int mbox, +@@ -513,11 +492,10 @@ int t4_wr_mbox_meat_timeout(struct adapter *adap, int mbox, @@ -209 +210 @@ -@@ -527,12 +505,13 @@ int t4_wr_mbox_meat_timeout(struct adapter *adap, int mbox, +@@ -528,12 +506,13 @@ int t4_wr_mbox_meat_timeout(struct adapter *adap, int mbox, @@ -229 +230 @@ -index 561d759dbc..7dbd4deb79 100644 +index 649bacfb25..7e323d9b66 100644