diff mbox series

[1/2] net: ll_temac: fix DMA resources leak

Message ID 20230126101607.88407-1-jsc@umbraculum.org (mailing list archive)
State Changes Requested
Delegated to: Netdev Maintainers
Headers show
Series [1/2] net: ll_temac: fix DMA resources leak | expand

Checks

Context Check Description
netdev/tree_selection success Guessed tree name to be net-next
netdev/fixes_present success Fixes tag not required for -next series
netdev/subject_prefix warning Target tree name not specified in the subject
netdev/cover_letter success Single patches do not need cover letters
netdev/patch_count success Link
netdev/header_inline success No static functions without inline keyword in header files
netdev/build_32bit fail Errors and warnings before: 29 this patch: 30
netdev/cc_maintainers warning 3 maintainers not CCed: huangjunxian6@hisilicon.com xuhaoyue1@hisilicon.com harini.katakam@amd.com
netdev/build_clang success Errors and warnings before: 0 this patch: 0
netdev/module_param success Was 0 now: 0
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/check_selftest success No net selftest shell script
netdev/verify_fixes success No Fixes tag
netdev/build_allmodconfig_warn fail Errors and warnings before: 29 this patch: 30
netdev/checkpatch success total: 0 errors, 0 warnings, 0 checks, 22 lines checked
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/source_inline success Was 0 now: 0

Commit Message

Jonas Suhr Christensen Jan. 26, 2023, 10:16 a.m. UTC 
Add missing conversion of address when unmapping dma region causing
unmapping to silently fail. At some point resulting in buffer
overrun eg. when releasing device.

Signed-off-by: Jonas Suhr Christensen <jsc@umbraculum.org>
---
 drivers/net/ethernet/xilinx/ll_temac_main.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

Comments

Jakub Kicinski Jan. 28, 2023, 7:20 a.m. UTC | #1 
On Thu, 26 Jan 2023 11:16:06 +0100 Jonas Suhr Christensen wrote:
> Add missing conversion of address when unmapping dma region causing
> unmapping to silently fail. At some point resulting in buffer
> overrun eg. when releasing device.

Could you add a Fixes tag pointing to the commit which introduced 
the bug? It will help the stable teams backport the patch.

When reposting please put [PATCH net v2] as the prefix (noting 
the target tree for the benefit of bots/CIs).

> Signed-off-by: Jonas Suhr Christensen <jsc@umbraculum.org>
> ---
>  drivers/net/ethernet/xilinx/ll_temac_main.c | 8 +++++++-
>  1 file changed, 7 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/net/ethernet/xilinx/ll_temac_main.c b/drivers/net/ethernet/xilinx/ll_temac_main.c
> index 1066420d6a83..66c04027f230 100644
> --- a/drivers/net/ethernet/xilinx/ll_temac_main.c
> +++ b/drivers/net/ethernet/xilinx/ll_temac_main.c
> @@ -300,6 +300,7 @@ static void temac_dma_bd_release(struct net_device *ndev)
>  {
>  	struct temac_local *lp = netdev_priv(ndev);
>  	int i;
> +	struct cdmac_bd *bd;

nit: we like variable declarations longest to shortest in networking
 so before the int i; pls

>  	/* Reset Local Link (DMA) */
>  	lp->dma_out(lp, DMA_CONTROL_REG, DMA_CONTROL_RST);
Esben Haabendal Jan. 30, 2023, 12:30 p.m. UTC | #2 
Jakub Kicinski <kuba@kernel.org> writes:

> On Thu, 26 Jan 2023 11:16:06 +0100 Jonas Suhr Christensen wrote:
>> Add missing conversion of address when unmapping dma region causing
>> unmapping to silently fail. At some point resulting in buffer
>> overrun eg. when releasing device.
>
> Could you add a Fixes tag pointing to the commit which introduced 
> the bug? It will help the stable teams backport the patch.

Fixes: fdd7454ecb29 ("net: ll_temac: Fix support for little-endian platforms")

> When reposting please put [PATCH net v2] as the prefix (noting 
> the target tree for the benefit of bots/CIs).
>
>> Signed-off-by: Jonas Suhr Christensen <jsc@umbraculum.org>
>> ---
>>  drivers/net/ethernet/xilinx/ll_temac_main.c | 8 +++++++-
>>  1 file changed, 7 insertions(+), 1 deletion(-)
>> 
>> diff --git a/drivers/net/ethernet/xilinx/ll_temac_main.c b/drivers/net/ethernet/xilinx/ll_temac_main.c
>> index 1066420d6a83..66c04027f230 100644
>> --- a/drivers/net/ethernet/xilinx/ll_temac_main.c
>> +++ b/drivers/net/ethernet/xilinx/ll_temac_main.c
>> @@ -300,6 +300,7 @@ static void temac_dma_bd_release(struct net_device *ndev)
>>  {
>>  	struct temac_local *lp = netdev_priv(ndev);
>>  	int i;
>> +	struct cdmac_bd *bd;
>
> nit: we like variable declarations longest to shortest in networking
>  so before the int i; pls
>
>>  	/* Reset Local Link (DMA) */
>>  	lp->dma_out(lp, DMA_CONTROL_REG, DMA_CONTROL_RST);
Christophe JAILLET Jan. 30, 2023, 9:56 p.m. UTC | #3 
Le 26/01/2023 à 11:16, Jonas Suhr Christensen a écrit :
> Add missing conversion of address when unmapping dma region causing
> unmapping to silently fail. At some point resulting in buffer
> overrun eg. when releasing device.
> 
> Signed-off-by: Jonas Suhr Christensen <jsc@umbraculum.org>
> ---
>   drivers/net/ethernet/xilinx/ll_temac_main.c | 8 +++++++-
>   1 file changed, 7 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/net/ethernet/xilinx/ll_temac_main.c b/drivers/net/ethernet/xilinx/ll_temac_main.c
> index 1066420d6a83..66c04027f230 100644
> --- a/drivers/net/ethernet/xilinx/ll_temac_main.c
> +++ b/drivers/net/ethernet/xilinx/ll_temac_main.c
> @@ -300,6 +300,7 @@ static void temac_dma_bd_release(struct net_device *ndev)
>   {
>   	struct temac_local *lp = netdev_priv(ndev);
>   	int i;
> +	struct cdmac_bd *bd;
>   
>   	/* Reset Local Link (DMA) */
>   	lp->dma_out(lp, DMA_CONTROL_REG, DMA_CONTROL_RST);
> @@ -307,9 +308,14 @@ static void temac_dma_bd_release(struct net_device *ndev)
>   	for (i = 0; i < lp->rx_bd_num; i++) {
>   		if (!lp->rx_skb[i])
>   			break;
> -		dma_unmap_single(ndev->dev.parent, lp->rx_bd_v[i].phys,
> +
> +		bd = &lp->rx_bd_v[1];

Hi,
just a naive question from s.o. who knows nothing of this code:

Is really [1] ([one]) expected here?
[i] would look more "standard" in a 'for' loop.

just my 2c,

CJ


> +		dma_unmap_single(ndev->dev.parent, be32_to_cpu(bd->phys),
>   				 XTE_MAX_JUMBO_FRAME_SIZE, DMA_FROM_DEVICE);
> +		bd->phys = 0;
> +		bd->len = 0;
>   		dev_kfree_skb(lp->rx_skb[i]);
> +		lp->rx_skb[i] = NULL;
>   	}
>   	if (lp->rx_bd_v)
>   		dma_free_coherent(ndev->dev.parent,
Jakub Kicinski Jan. 31, 2023, 12:20 a.m. UTC | #4 
On Mon, 30 Jan 2023 22:56:04 +0100 Christophe JAILLET wrote:
> > -		dma_unmap_single(ndev->dev.parent, lp->rx_bd_v[i].phys,
> > +
> > +		bd = &lp->rx_bd_v[1];  
> 
> Hi,
> just a naive question from s.o. who knows nothing of this code:
> 
> Is really [1] ([one]) expected here?
> [i] would look more "standard" in a 'for' loop.

Wow, good eye.
diff mbox series

Patch

diff --git a/drivers/net/ethernet/xilinx/ll_temac_main.c b/drivers/net/ethernet/xilinx/ll_temac_main.c
index 1066420d6a83..66c04027f230 100644
--- a/drivers/net/ethernet/xilinx/ll_temac_main.c
+++ b/drivers/net/ethernet/xilinx/ll_temac_main.c
@@ -300,6 +300,7 @@  static void temac_dma_bd_release(struct net_device *ndev)
 {
 	struct temac_local *lp = netdev_priv(ndev);
 	int i;
+	struct cdmac_bd *bd;
 
 	/* Reset Local Link (DMA) */
 	lp->dma_out(lp, DMA_CONTROL_REG, DMA_CONTROL_RST);
@@ -307,9 +308,14 @@  static void temac_dma_bd_release(struct net_device *ndev)
 	for (i = 0; i < lp->rx_bd_num; i++) {
 		if (!lp->rx_skb[i])
 			break;
-		dma_unmap_single(ndev->dev.parent, lp->rx_bd_v[i].phys,
+
+		bd = &lp->rx_bd_v[1];
+		dma_unmap_single(ndev->dev.parent, be32_to_cpu(bd->phys),
 				 XTE_MAX_JUMBO_FRAME_SIZE, DMA_FROM_DEVICE);
+		bd->phys = 0;
+		bd->len = 0;
 		dev_kfree_skb(lp->rx_skb[i]);
+		lp->rx_skb[i] = NULL;
 	}
 	if (lp->rx_bd_v)
 		dma_free_coherent(ndev->dev.parent,