| Message ID | 20231129095241.31302-2-wahrenst@gmx.net (mailing list archive) |
|---|---|
| State | Superseded |
| Delegated to: | Netdev Maintainers |
| Headers | show |
| Series | qca_spi: collection of major fixes | expand |
On Wed, 29 Nov 2023 10:52:39 +0100 Stefan Wahren wrote: > The qca_spi driver stop and restart the SPI kernel thread > (via ndo_stop & ndo_open) in case of TX ring changes. This is > a big issue because it allows userspace to prevent restart of > the SPI kernel thread (via signals). A subsequent change of > TX ring wrongly assume a valid spi_thread pointer which result > in a crash. > > So prevent this by stopping the network queue and temporary park > the SPI thread. Because this could happen during transmission > we also need to call qcaspi_flush_tx_ring(). > > Fixes: 291ab06ecf67 ("net: qualcomm: new Ethernet over SPI driver for QCA7000") > Signed-off-by: Stefan Wahren <wahrenst@gmx.net> Still looks a bit racy. > diff --git a/drivers/net/ethernet/qualcomm/qca_debug.c b/drivers/net/ethernet/qualcomm/qca_debug.c > index 6f2fa2a42770..9777dbb17ac2 100644 > --- a/drivers/net/ethernet/qualcomm/qca_debug.c > +++ b/drivers/net/ethernet/qualcomm/qca_debug.c > @@ -263,22 +263,29 @@ qcaspi_set_ringparam(struct net_device *dev, struct ethtool_ringparam *ring, > struct kernel_ethtool_ringparam *kernel_ring, > struct netlink_ext_ack *extack) > { > - const struct net_device_ops *ops = dev->netdev_ops; > struct qcaspi *qca = netdev_priv(dev); > + bool queue_active = !netif_queue_stopped(dev); nothing prevents stopped -> running or running -> stopped transitions at this point, so this check can be meaningful > if ((ring->rx_pending) || > (ring->rx_mini_pending) || > (ring->rx_jumbo_pending)) > return -EINVAL; > > - if (netif_running(dev)) > - ops->ndo_stop(dev); > + if (queue_active) > + netif_stop_queue(dev); This doesn't wait for xmit to finish, it just sets a bit. You probably want something like netif_tx_disable(). Also - the thread may still be running and wake the queue up right after we stop it.
diff --git a/drivers/net/ethernet/qualcomm/qca_debug.c b/drivers/net/ethernet/qualcomm/qca_debug.c index 6f2fa2a42770..9777dbb17ac2 100644 --- a/drivers/net/ethernet/qualcomm/qca_debug.c +++ b/drivers/net/ethernet/qualcomm/qca_debug.c @@ -263,22 +263,29 @@ qcaspi_set_ringparam(struct net_device *dev, struct ethtool_ringparam *ring, struct kernel_ethtool_ringparam *kernel_ring, struct netlink_ext_ack *extack) { - const struct net_device_ops *ops = dev->netdev_ops; struct qcaspi *qca = netdev_priv(dev); + bool queue_active = !netif_queue_stopped(dev); if ((ring->rx_pending) || (ring->rx_mini_pending) || (ring->rx_jumbo_pending)) return -EINVAL; - if (netif_running(dev)) - ops->ndo_stop(dev); + if (queue_active) + netif_stop_queue(dev); + if (qca->spi_thread) + kthread_park(qca->spi_thread); + + qcaspi_flush_tx_ring(qca); qca->txr.count = max_t(u32, ring->tx_pending, TX_RING_MIN_LEN); qca->txr.count = min_t(u16, qca->txr.count, TX_RING_MAX_LEN); - if (netif_running(dev)) - ops->ndo_open(dev); + if (qca->spi_thread) + kthread_unpark(qca->spi_thread); + + if (queue_active) + netif_wake_queue(dev); return 0; } diff --git a/drivers/net/ethernet/qualcomm/qca_spi.c b/drivers/net/ethernet/qualcomm/qca_spi.c index bec723028e96..78317b85ad30 100644 --- a/drivers/net/ethernet/qualcomm/qca_spi.c +++ b/drivers/net/ethernet/qualcomm/qca_spi.c @@ -467,7 +467,7 @@ qcaspi_tx_ring_has_space(struct tx_ring *txr) * call from the qcaspi_spi_thread. */ -static void +void qcaspi_flush_tx_ring(struct qcaspi *qca) { int i; @@ -580,6 +580,11 @@ qcaspi_spi_thread(void *data) netdev_info(qca->net_dev, "SPI thread created\n"); while (!kthread_should_stop()) { set_current_state(TASK_INTERRUPTIBLE); + if (kthread_should_park()) { + kthread_parkme(); + continue; + } + if ((qca->intr_req == qca->intr_svc) && !qca->txr.skb[qca->txr.head]) schedule(); diff --git a/drivers/net/ethernet/qualcomm/qca_spi.h b/drivers/net/ethernet/qualcomm/qca_spi.h index 3067356106f0..95d7306e58e9 100644 --- a/drivers/net/ethernet/qualcomm/qca_spi.h +++ b/drivers/net/ethernet/qualcomm/qca_spi.h @@ -107,4 +107,6 @@ struct qcaspi { u16 burst_len; }; +void qcaspi_flush_tx_ring(struct qcaspi *qca); + #endif /* _QCA_SPI_H */
The qca_spi driver stop and restart the SPI kernel thread (via ndo_stop & ndo_open) in case of TX ring changes. This is a big issue because it allows userspace to prevent restart of the SPI kernel thread (via signals). A subsequent change of TX ring wrongly assume a valid spi_thread pointer which result in a crash. So prevent this by stopping the network queue and temporary park the SPI thread. Because this could happen during transmission we also need to call qcaspi_flush_tx_ring(). Fixes: 291ab06ecf67 ("net: qualcomm: new Ethernet over SPI driver for QCA7000") Signed-off-by: Stefan Wahren <wahrenst@gmx.net> --- drivers/net/ethernet/qualcomm/qca_debug.c | 17 ++++++++++++----- drivers/net/ethernet/qualcomm/qca_spi.c | 7 ++++++- drivers/net/ethernet/qualcomm/qca_spi.h | 2 ++ 3 files changed, 20 insertions(+), 6 deletions(-) -- 2.34.1