From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id 836D0A034E for ; Mon, 21 Feb 2022 16:39:04 +0100 (CET) Received: from [217.70.189.124] (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id 7E8574068C; Mon, 21 Feb 2022 16:39:04 +0100 (CET) Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) by mails.dpdk.org (Postfix) with ESMTP id 9069E41147 for ; Mon, 21 Feb 2022 16:39:02 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1645457942; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=30+9qzUiIJCu4hiHGVaHv2bQ+3nUbv6POviqnKrPPBU=; b=UkeJAW1qvhMTUHysP8fjz2IeEB99unctpAr067NDVp1Nq2bn6/JEs4GzM2FD6DmxqtS/6C i9p7/Lt0pStn6sxd+Xq3xP8YH7PAIi46K41zMvcZrqN4mt86SQHrJauRZegHZwQyiF5PF4 meD53D4Ybr8ITZZ5Hid44gMITVlkkJ4= Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-496-Ye0AYsKxOH6wCAf1df1_EQ-1; Mon, 21 Feb 2022 10:38:58 -0500 X-MC-Unique: Ye0AYsKxOH6wCAf1df1_EQ-1 Received: from smtp.corp.redhat.com (int-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.12]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 9F5BB184608A; Mon, 21 Feb 2022 15:38:57 +0000 (UTC) Received: from rh.Home (unknown [10.39.195.12]) by smtp.corp.redhat.com (Postfix) with ESMTP id 9459178DDE; Mon, 21 Feb 2022 15:38:56 +0000 (UTC) From: Kevin Traynor To: Rahul Lakkireddy Cc: Ferruh Yigit , dpdk stable Subject: patch 'net/cxgbe: fix dangling pointer by mailbox access rework' has been queued to stable release 21.11.1 Date: Mon, 21 Feb 2022 15:34:23 +0000 Message-Id: <20220221153625.152324-74-ktraynor@redhat.com> In-Reply-To: <20220221153625.152324-1-ktraynor@redhat.com> References: <20220221153625.152324-1-ktraynor@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.79 on 10.5.11.12 Authentication-Results: relay.mimecast.com; auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=ktraynor@redhat.com X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: stable@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: patches for DPDK stable branches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: stable-bounces@dpdk.org Hi, FYI, your patch has been queued to stable release 21.11.1 Note it hasn't been pushed to http://dpdk.org/browse/dpdk-stable yet. It will be pushed if I get no objections before 02/26/22. So please shout if anyone has objections. Also note that after the patch there's a diff of the upstream commit vs the patch applied to the branch. This will indicate if there was any rebasing needed to apply to the stable branch. If there were code changes for rebasing (ie: not only metadata diffs), please double check that the rebase was correctly done. Queued patches are on a temporary branch at: https://github.com/kevintraynor/dpdk-stable This queued commit can be viewed at: https://github.com/kevintraynor/dpdk-stable/commit/699c30f8534c136926df9b6fb5b97ed06c1f34a0 Thanks. Kevin --- >From 699c30f8534c136926df9b6fb5b97ed06c1f34a0 Mon Sep 17 00:00:00 2001 From: Rahul Lakkireddy Date: Thu, 20 Jan 2022 03:26:40 +0530 Subject: [PATCH] net/cxgbe: fix dangling pointer by mailbox access rework MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit [ upstream commit 19cafed99ac573662045424e559cee444c175b63 ] Rework mailbox access serialization to dynamically allocate and free mbox entry. Also remove unnecessary temp memory and macros. Observed with: gcc-12.0 (GCC) 12.0.1 20220118 (experimental) In file included from ../lib/eal/linux/include/rte_os.h:14, from ../lib/eal/include/rte_common.h:28, from ../lib/eal/include/rte_log.h:25, from ../lib/ethdev/rte_ethdev.h:164, from ../lib/ethdev/ethdev_driver.h:18, from ../drivers/net/cxgbe/base/t4vf_hw.c:6: In function ‘t4_os_atomic_add_tail’, inlined from ‘t4vf_wr_mbox_core’ at ../drivers/net/cxgbe/base/t4vf_hw.c:115:2: ../drivers/net/cxgbe/base/adapter.h:742:9: warning: storing the address of local variable ‘entry’ in ‘((struct mbox_list *)adapter)[96].tqh_last’ [-Wdangling-pointer=] 742 | TAILQ_INSERT_TAIL(head, entry, next); | ^~~~~~~~~~~~~~~~~ ../drivers/net/cxgbe/base/t4vf_hw.c: In function ‘t4vf_wr_mbox_core’: ../drivers/net/cxgbe/base/t4vf_hw.c:86:27: note: ‘entry’ declared here 86 | struct mbox_entry entry; | ^~~~~ ../drivers/net/cxgbe/base/t4vf_hw.c:86:27: note: ‘adapter’ declared here Fixes: 3bd122eef2cc ("cxgbe/base: add hardware API for Chelsio T5 series adapters") Reported-by: Ferruh Yigit Signed-off-by: Rahul Lakkireddy --- drivers/net/cxgbe/base/adapter.h | 2 - drivers/net/cxgbe/base/t4_hw.c | 83 ++++++++++++-------------------- drivers/net/cxgbe/base/t4vf_hw.c | 28 +++++++---- 3 files changed, 49 insertions(+), 64 deletions(-) diff --git a/drivers/net/cxgbe/base/adapter.h b/drivers/net/cxgbe/base/adapter.h index 1c7c8afe16..97963422bf 100644 --- a/drivers/net/cxgbe/base/adapter.h +++ b/drivers/net/cxgbe/base/adapter.h @@ -292,6 +292,4 @@ struct sge { }; -#define T4_OS_NEEDS_MBOX_LOCKING 1 - /* * OS Lock/List primitives for those interfaces in the Common Code which diff --git a/drivers/net/cxgbe/base/t4_hw.c b/drivers/net/cxgbe/base/t4_hw.c index cdcd7e5510..645833765a 100644 --- a/drivers/net/cxgbe/base/t4_hw.c +++ b/drivers/net/cxgbe/base/t4_hw.c @@ -264,15 +264,4 @@ static void fw_asrt(struct adapter *adap, u32 mbox_addr) #define X_CIM_PF_NOACCESS 0xeeeeeeee -/* - * If the Host OS Driver needs locking arround accesses to the mailbox, this - * can be turned on via the T4_OS_NEEDS_MBOX_LOCKING CPP define ... - */ -/* makes single-statement usage a bit cleaner ... */ -#ifdef T4_OS_NEEDS_MBOX_LOCKING -#define T4_OS_MBOX_LOCKING(x) x -#else -#define T4_OS_MBOX_LOCKING(x) do {} while (0) -#endif - /** * t4_wr_mbox_meat_timeout - send a command to FW through the given mailbox @@ -315,26 +304,15 @@ int t4_wr_mbox_meat_timeout(struct adapter *adap, int mbox, }; - u32 v; - u64 res; - int i, ms; - unsigned int delay_idx; - __be64 *temp = (__be64 *)malloc(size * sizeof(char)); - __be64 *p = temp; u32 data_reg = PF_REG(mbox, A_CIM_PF_MAILBOX_DATA); u32 ctl_reg = PF_REG(mbox, A_CIM_PF_MAILBOX_CTRL); - u32 ctl; - struct mbox_entry entry; - u32 pcie_fw = 0; + struct mbox_entry *entry; + u32 v, ctl, pcie_fw = 0; + unsigned int delay_idx; + const __be64 *p; + int i, ms, ret; + u64 res; - if (!temp) - return -ENOMEM; - - if ((size & 15) || size > MBOX_LEN) { - free(temp); + if ((size & 15) != 0 || size > MBOX_LEN) return -EINVAL; - } - - memset(p, 0, size); - memcpy(p, (const __be64 *)cmd, size); /* @@ -346,5 +324,8 @@ int t4_wr_mbox_meat_timeout(struct adapter *adap, int mbox, } -#ifdef T4_OS_NEEDS_MBOX_LOCKING + entry = t4_os_alloc(sizeof(*entry)); + if (entry == NULL) + return -ENOMEM; + /* * Queue ourselves onto the mailbox access list. When our entry is at @@ -353,5 +334,5 @@ int t4_wr_mbox_meat_timeout(struct adapter *adap, int mbox, * EBUSY] ... */ - t4_os_atomic_add_tail(&entry, &adap->mbox_list, &adap->mbox_lock); + t4_os_atomic_add_tail(entry, &adap->mbox_list, &adap->mbox_lock); delay_idx = 0; @@ -368,9 +349,9 @@ int t4_wr_mbox_meat_timeout(struct adapter *adap, int mbox, pcie_fw = t4_read_reg(adap, A_PCIE_FW); if (i > 4 * timeout || (pcie_fw & F_PCIE_FW_ERR)) { - t4_os_atomic_list_del(&entry, &adap->mbox_list, + t4_os_atomic_list_del(entry, &adap->mbox_list, &adap->mbox_lock); t4_report_fw_error(adap); - free(temp); - return (pcie_fw & F_PCIE_FW_ERR) ? -ENXIO : -EBUSY; + ret = ((pcie_fw & F_PCIE_FW_ERR) != 0) ? -ENXIO : -EBUSY; + goto out_free; } @@ -379,5 +360,5 @@ int t4_wr_mbox_meat_timeout(struct adapter *adap, int mbox, * protocol. */ - if (t4_os_list_first_entry(&adap->mbox_list) == &entry) + if (t4_os_list_first_entry(&adap->mbox_list) == entry) break; @@ -394,5 +375,4 @@ int t4_wr_mbox_meat_timeout(struct adapter *adap, int mbox, } } -#endif /* T4_OS_NEEDS_MBOX_LOCKING */ /* @@ -411,10 +391,9 @@ int t4_wr_mbox_meat_timeout(struct adapter *adap, int mbox, */ if (v != X_MBOWNER_PL) { - T4_OS_MBOX_LOCKING(t4_os_atomic_list_del(&entry, - &adap->mbox_list, - &adap->mbox_lock)); + t4_os_atomic_list_del(entry, &adap->mbox_list, + &adap->mbox_lock); t4_report_fw_error(adap); - free(temp); - return (v == X_MBOWNER_FW ? -EBUSY : -ETIMEDOUT); + ret = (v == X_MBOWNER_FW) ? -EBUSY : -ETIMEDOUT; + goto out_free; } @@ -442,5 +421,5 @@ int t4_wr_mbox_meat_timeout(struct adapter *adap, int mbox, * Copy in the new mailbox command and send it on its way ... */ - for (i = 0; i < size; i += 8, p++) + for (i = 0, p = cmd; i < size; i += 8, p++) t4_write_reg64(adap, data_reg + i, be64_to_cpu(*p)); @@ -513,9 +492,8 @@ int t4_wr_mbox_meat_timeout(struct adapter *adap, int mbox, } t4_write_reg(adap, ctl_reg, V_MBOWNER(X_MBOWNER_NONE)); - T4_OS_MBOX_LOCKING( - t4_os_atomic_list_del(&entry, &adap->mbox_list, - &adap->mbox_lock)); - free(temp); - return -G_FW_CMD_RETVAL((int)res); + t4_os_atomic_list_del(entry, &adap->mbox_list, + &adap->mbox_lock); + ret = -G_FW_CMD_RETVAL((int)res); + goto out_free; } } @@ -528,10 +506,11 @@ int t4_wr_mbox_meat_timeout(struct adapter *adap, int mbox, dev_err(adap, "command %#x in mailbox %d timed out\n", *(const u8 *)cmd, mbox); - T4_OS_MBOX_LOCKING(t4_os_atomic_list_del(&entry, - &adap->mbox_list, - &adap->mbox_lock)); + t4_os_atomic_list_del(entry, &adap->mbox_list, &adap->mbox_lock); t4_report_fw_error(adap); - free(temp); - return (pcie_fw & F_PCIE_FW_ERR) ? -ENXIO : -ETIMEDOUT; + ret = ((pcie_fw & F_PCIE_FW_ERR) != 0) ? -ENXIO : -ETIMEDOUT; + +out_free: + t4_os_free(entry); + return ret; } diff --git a/drivers/net/cxgbe/base/t4vf_hw.c b/drivers/net/cxgbe/base/t4vf_hw.c index 561d759dbc..7dbd4deb79 100644 --- a/drivers/net/cxgbe/base/t4vf_hw.c +++ b/drivers/net/cxgbe/base/t4vf_hw.c @@ -84,5 +84,5 @@ int t4vf_wr_mbox_core(struct adapter *adapter, u32 mbox_ctl = T4VF_CIM_BASE_ADDR + A_CIM_VF_EXT_MAILBOX_CTRL; __be64 cmd_rpl[MBOX_LEN / 8]; - struct mbox_entry entry; + struct mbox_entry *entry; unsigned int delay_idx; u32 v, mbox_data; @@ -107,4 +107,8 @@ int t4vf_wr_mbox_core(struct adapter *adapter, return -EINVAL; + entry = t4_os_alloc(sizeof(*entry)); + if (entry == NULL) + return -ENOMEM; + /* * Queue ourselves onto the mailbox access list. When our entry is at @@ -113,5 +117,5 @@ int t4vf_wr_mbox_core(struct adapter *adapter, * EBUSY] ... */ - t4_os_atomic_add_tail(&entry, &adapter->mbox_list, &adapter->mbox_lock); + t4_os_atomic_add_tail(entry, &adapter->mbox_list, &adapter->mbox_lock); delay_idx = 0; @@ -126,8 +130,8 @@ int t4vf_wr_mbox_core(struct adapter *adapter, */ if (i > (2 * FW_CMD_MAX_TIMEOUT)) { - t4_os_atomic_list_del(&entry, &adapter->mbox_list, + t4_os_atomic_list_del(entry, &adapter->mbox_list, &adapter->mbox_lock); ret = -EBUSY; - return ret; + goto out_free; } @@ -136,5 +140,5 @@ int t4vf_wr_mbox_core(struct adapter *adapter, * protocol. */ - if (t4_os_list_first_entry(&adapter->mbox_list) == &entry) + if (t4_os_list_first_entry(&adapter->mbox_list) == entry) break; @@ -161,8 +165,8 @@ int t4vf_wr_mbox_core(struct adapter *adapter, if (v != X_MBOWNER_PL) { - t4_os_atomic_list_del(&entry, &adapter->mbox_list, + t4_os_atomic_list_del(entry, &adapter->mbox_list, &adapter->mbox_lock); ret = (v == X_MBOWNER_FW) ? -EBUSY : -ETIMEDOUT; - return ret; + goto out_free; } @@ -225,5 +229,5 @@ int t4vf_wr_mbox_core(struct adapter *adapter, t4_write_reg(adapter, mbox_ctl, V_MBOWNER(X_MBOWNER_NONE)); - t4_os_atomic_list_del(&entry, &adapter->mbox_list, + t4_os_atomic_list_del(entry, &adapter->mbox_list, &adapter->mbox_lock); @@ -237,5 +241,6 @@ int t4vf_wr_mbox_core(struct adapter *adapter, memcpy(rpl, cmd_rpl, size); } - return -((int)G_FW_CMD_RETVAL(v)); + ret = -((int)G_FW_CMD_RETVAL(v)); + goto out_free; } } @@ -247,6 +252,9 @@ int t4vf_wr_mbox_core(struct adapter *adapter, *(const u8 *)cmd); dev_err(adapter, " Control = %#x\n", t4_read_reg(adapter, mbox_ctl)); - t4_os_atomic_list_del(&entry, &adapter->mbox_list, &adapter->mbox_lock); + t4_os_atomic_list_del(entry, &adapter->mbox_list, &adapter->mbox_lock); ret = -ETIMEDOUT; + +out_free: + t4_os_free(entry); return ret; } -- 2.34.1 --- Diff of the applied patch vs upstream commit (please double-check if non-empty: --- --- - 2022-02-21 15:22:46.253703140 +0000 +++ 0074-net-cxgbe-fix-dangling-pointer-by-mailbox-access-rew.patch 2022-02-21 15:22:44.163704288 +0000 @@ -1 +1 @@ -From 19cafed99ac573662045424e559cee444c175b63 Mon Sep 17 00:00:00 2001 +From 699c30f8534c136926df9b6fb5b97ed06c1f34a0 Mon Sep 17 00:00:00 2001 @@ -8,0 +9,2 @@ +[ upstream commit 19cafed99ac573662045424e559cee444c175b63 ] + @@ -35 +36,0 @@ -Cc: stable@dpdk.org