| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CY5PR11MB63665172F7608BD64E8BCF27ED692@CY5PR11MB6366.namprd11.prod.outlook.com>
Date: Wed, 25 Sep 2024 10:30:03 +0000
From: "Usyskin, Alexander" <alexander.usyskin@...el.com>
To: Rohit Agarwal <rohiagar@...omium.org>, "Winkler, Tomas"
<tomas.winkler@...el.com>, Arnd Bergmann <arnd@...db.de>, Greg Kroah-Hartman
<gregkh@...uxfoundation.org>
CC: "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>, "Lubart,
Vitaly" <vitaly.lubart@...el.com>
Subject: RE: [RFC] Order 4 allocation failures in the MEI client driver
> On 23/08/24 2:30 AM, Winkler, Tomas wrote:
> >>>> On Wed, Aug 21, 2024, at 05:20, Rohit Agarwal wrote:
> >>>>> On 19/08/24 6:45 PM, Arnd Bergmann wrote:
> >>>>>> On Tue, Aug 13, 2024, at 10:45, Rohit Agarwal wrote:
> >>>>>>
> >>>>>> What is the call chain you see in the kernel messages? Is it
> >>>>>> always the same?
> >>>>> Yes the call stack is same everytime. This is the call stack
> >>>>>
> >>>>> <4>[ 2019.101352] dump_stack_lvl+0x69/0xa0 <4>[ 2019.101359]
> >>>>> warn_alloc+0x10d/0x180 <4>[ 2019.101363]
> >>>>> __alloc_pages_slowpath+0xe3d/0xe80
> >>>>> <4>[ 2019.101366] __alloc_pages+0x22f/0x2b0 <4>[ 2019.101369]
> >>>>> __kmalloc_large_node+0x9d/0x120 <4>[ 2019.101373] ?
> >>>>> mei_cl_alloc_cb+0x34/0xa0 <4>[ 2019.101377] ?
> >>>>> mei_cl_alloc_cb+0x74/0xa0 <4>[ 2019.101379] __kmalloc+0x86/0x130
> >>>>> <4>[ 2019.101382] mei_cl_alloc_cb+0x74/0xa0 <4>[ 2019.101385]
> >>>>> mei_cl_enqueue_ctrl_wr_cb+0x38/0x90
> >>>> Ok, so this might be a result of mei_cl_enqueue_ctrl_wr_cb() doing
> >>>>
> >>>> /* for RX always allocate at least client's mtu */
> >>>> if (length)
> >>>> length = max_t(size_t, length, mei_cl_mtu(cl));
> >>>>
> >>>> which was added in 3030dc056459 ("mei: add wrapper for queuing
> >>>> control commands."). All the callers seem to be passing a short
> >>>> "length" of just a few bytes, but this would always extend it to
> >>>> cl->me_cl->props.max_msg_length in mei_cl_mtu().
> >>>>
> >>>> Not sure where that part is set.
> >>> It's allocating maximum header for receiving buffer so it can
> >>> accommodate any response.
> >>> Looks like this part can be optimized with pre allocated buffer pool.
> >> I understand that it's always trying to allocate the maximum, the question
> is
> >> whether there is ever a need to set the maximum to more than a page.
> Pre-
> >> allocating a buffer at probe time would also address the issue, but if it's
> >> possible to just make that buffer smaller, it wouldn't be needed.
> >>
> >> Is the 64KB buffer size part of the Chrome specific interface as well, or is
> that
> >> part of the upstream kernel implementation?
> > The upstream solution is for newer graphics cards and overall
> implementation is different.
> > I'm trying to collect more information myself, it's summer vacation time, so
> it will take few days.
> > Thanks
> > Tomas
> >
> A gentle reminder.
>
> Thanks,
> Rohit.
The FW guy say that the biggest buffer there is 33K, and this is already order 4 allocation.
Thus, the MTU size can't be reduced.
The only thing that we can do is to ask pxp to send to mei expected message size and
mei will allocate only that size. This can lead to unexpected behaviour in driver
when FW sends more data then expected by pxp.
This still may fail on big buffer requested by pxp, not sure what is the real message
that Linux pxp module is using.
Is this error can be eliminated by retry from PXP side?
--
Alexander (Sasha) Usyskin
CSE FW Dev – Host SW
Intel Israel (74) Limited
Powered by blists - more mailing lists