lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20210401193821.3fmfxvnpwzam7b6f@skbuf>
Date:   Thu, 1 Apr 2021 22:38:21 +0300
From:   Vladimir Oltean <olteanv@...il.com>
To:     Toke Høiland-Jørgensen <toke@...hat.com>
Cc:     Jakub Kicinski <kuba@...nel.org>,
        Alexei Starovoitov <ast@...nel.org>,
        Daniel Borkmann <daniel@...earbox.net>,
        Jesper Dangaard Brouer <hawk@...nel.org>,
        John Fastabend <john.fastabend@...il.com>,
        Andrii Nakryiko <andrii@...nel.org>,
        Martin KaFai Lau <kafai@...com>,
        Song Liu <songliubraving@...com>, Yonghong Song <yhs@...com>,
        KP Singh <kpsingh@...nel.org>,
        "David S. Miller" <davem@...emloft.net>, netdev@...r.kernel.org,
        bpf@...r.kernel.org, Alexander Duyck <alexander.duyck@...il.com>,
        Ioana Ciornei <ioana.ciornei@....com>,
        Alex Marginean <alexandru.marginean@....com>,
        Claudiu Manoil <claudiu.manoil@....com>,
        Ilias Apalodimas <ilias.apalodimas@...aro.org>,
        Vladimir Oltean <vladimir.oltean@....com>
Subject: Re: [PATCH net-next 9/9] net: enetc: add support for XDP_REDIRECT

On Thu, Apr 01, 2021 at 08:01:42PM +0200, Toke Høiland-Jørgensen wrote:
> Vladimir Oltean <olteanv@...il.com> writes:
> 
> > On Thu, Apr 01, 2021 at 01:39:05PM +0200, Toke Høiland-Jørgensen wrote:
> >> Vladimir Oltean <olteanv@...il.com> writes:
> >>
> >> > On Thu, Apr 01, 2021 at 01:26:02PM +0200, Toke Høiland-Jørgensen wrote:
> >> >> > +int enetc_xdp_xmit(struct net_device *ndev, int num_frames,
> >> >> > +		   struct xdp_frame **frames, u32 flags)
> >> >> > +{
> >> >> > +	struct enetc_tx_swbd xdp_redirect_arr[ENETC_MAX_SKB_FRAGS] = {0};
> >> >> > +	struct enetc_ndev_priv *priv = netdev_priv(ndev);
> >> >> > +	struct enetc_bdr *tx_ring;
> >> >> > +	int xdp_tx_bd_cnt, i, k;
> >> >> > +	int xdp_tx_frm_cnt = 0;
> >> >> > +
> >> >> > +	tx_ring = priv->tx_ring[smp_processor_id()];
> >> >>
> >> >> What mechanism guarantees that this won't overflow the array? :)
> >> >
> >> > Which array, the array of TX rings?
> >>
> >> Yes.
> >>
> >
> > The problem isn't even accessing an out-of-bounds element in the TX ring array.
> >
> > As it turns out, I had a relatively superficial understanding of how
> > things are organized, but let me try to explain.
> >
> > The number of TX rings is a configurable resource (between PFs and VFs)
> > and we read the capability at probe time:
> >
> > enetc_get_si_caps:
> > 	val = enetc_rd(hw, ENETC_SICAPR0);
> > 	si->num_rx_rings = (val >> 16) & 0xff;
> > 	si->num_tx_rings = val & 0xff;
> >
> > enetc_init_si_rings_params:
> > 	priv->num_tx_rings = si->num_tx_rings;
> >
> > In any case, the TX array is declared as:
> >
> > struct enetc_ndev_priv {
> > 	struct enetc_bdr *tx_ring[16];
> > 	struct enetc_bdr *rx_ring[16];
> > };
> >
> > because that's the maximum hardware capability.
> >
> > The priv->tx_ring array is populated in:
> >
> > enetc_alloc_msix:
> > 	/* # of tx rings per int vector */
> > 	v_tx_rings = priv->num_tx_rings / priv->bdr_int_num;
> >
> > 	for (i = 0; i < priv->bdr_int_num; i++) {
> > 		for (j = 0; j < v_tx_rings; j++) {
> > 			if (priv->bdr_int_num == ENETC_MAX_BDR_INT)
> > 				idx = 2 * j + i; /* 2 CPUs */
> > 			else
> > 				idx = j + i * v_tx_rings; /* default */
> >
> > 			priv->tx_ring[idx] = bdr;
> > 		}
> > 	}
> >
> > priv->bdr_int_num is set to "num_online_cpus()".
> > On LS1028A, it can be either 1 or 2 (and the ENETC_MAX_BDR_INT macro is
> > equal to 2).
> >
> > Otherwise said, the convoluted logic above does the following:
> > - It affines an MSI interrupt vector per CPU
> > - It affines an RX ring per MSI vector, hence per CPU
> > - It balances the fixed number of TX rings (say 8) among the available
> >   MSI vectors, hence CPUs (say 2). It does this by iterating with i
> >   through the RX MSI interrupt vectors, and with j through the number of
> >   TX rings per MSI vector.
> >
> > This logic maps:
> > - the even TX rings to CPU 0 and the odd TX rings to CPU 1, if 2 CPUs
> >   are used
> > - all TX rings to CPU 0, if 1 CPU is used
> >
> > This is done because we have this logic in enetc_poll:
> >
> > 	for (i = 0; i < v->count_tx_rings; i++)
> > 		if (!enetc_clean_tx_ring(&v->tx_ring[i], budget))
> > 			complete = false;
> >
> > for processing the TX completions of a given group of TX rings in the RX
> > MSI interrupt handler of a certain CPU.
> >
> > Otherwise said, priv->tx_ring[i] is always BD ring i, and that mapping
> > never changes. All 8 TX rings are enabled and available for use.
> >
> > What I knew about tc-taprio and tc-mqprio is that they only enqueue to
> > TX queues [0, num_tc-1] because of this, as it turns out:
> >
> > enetc_xmit:
> > 	tx_ring = priv->tx_ring[skb->queue_mapping];
> >
> > where skb->queue_mapping is given by:
> > 	err = netif_set_real_num_tx_queues(ndev, priv->num_tx_rings);
> > and by this, respectively, from the mqprio code path:
> > 	netif_set_real_num_tx_queues(ndev, num_tc);
> >
> > As for why XDP works, and priv->tx_ring[smp_processor_id()] is:
> > - TX ring 0 for CPU 0 and TX ring 1 for CPU 1, if 2 CPUs are used
> > - TX ring 0, if 1 CPU is used
> >
> > The TX completions in the first case are handled by:
> > - CPU 0 for TX ring 0 (because it is even) and CPU 1 for TX ring 1
> >   (because it is odd), if 2 CPUs are used, due to the mapping I talked
> >   about earlier
> > - CPU 0 if only 1 CPU is used
> 
> Right - thank you for the details! So what are the constraints on the
> configuration. Specifically, given two netdevs on the same device, is it
> possible that the system can ever end up in a situation where one device
> has two *RXQs* configured, and the other only one *TXQ*. Because then
> you could get a redirect from RXQ 1 on one device, which would also end
> up trying to transmit on TXQ 1 on the other device; and that would break
> if that other device only has TXQ 0 configured... Same thing if a single
> device has 2 RXQs but only one TXQ (it can redirect to itself).

I discover more and more of the driver as I talk to you, I like it :D

So I said that there is a maximum number of RX and TX rings splittable
between the PF and its VFs, but I wasn't exactly sure where that
configuration is done. I found it now.

enetc_port_si_configure: (SI == station interface)
	- read Port capability register 0 (PCAPR0) to determine how many
	  RX rings and TX rings the hardware has for this port (PFs + VFs)
	  in total.
	- assign num_rings = min(TX rings, RX rings)
	- try to assign 8 TX rings and 8 RX rings to the PF
	  - if this fails, just assign ${num_rings} TX rings and
	    ${num_rings} RX rings to the PF
	- split the remaining RX and TX rings to the number of
	  configured VFs (example: if there are 16 RX rings and 16 TX
	  rings for a port with 2 VFs, the driver assigns 8RX/8TX rings
	  for the PF, and 4RX/4TX rings for each VF).
	   - if we couldn't assign 8RX/8TX rings for the PF in the
	     previous step, we don't assign any ring to the VF

So yeah, we have an equal number of RX and TX rings. The driver,
however, only uses 2 RX rings _actively_: one per CPU. The other 6, I
don't know, I guess I can use them for AF_XDP (I haven't looked very
closely at that yet), at the moment they're pretty much unused, even if
reserved and not given to VFs.

> >> > You mean that it's possible to receive a TC_SETUP_QDISC_MQPRIO or
> >> > TC_SETUP_QDISC_TAPRIO with num_tc == 1, and we have 2 CPUs?
> >>
> >> Not just that, this ndo can be called on arbitrary CPUs after a
> >> redirect. The code just calls through from the XDP receive path so which
> >> CPU it ends up on depends on the RSS+IRQ config of the other device,
> >> which may not even be the same driver; i.e., you have no control over
> >> that... :)
> >>
> >
> > What do you mean by "arbitrary" CPU? You can't plug CPUs in, it's a dual
> > core system... Why does the source ifindex matter at all? I'm using the
> > TX ring affined to the CPU that ndo_xdp_xmit is currently running on.
> 
> See, this is why I asked 'what mechanism ensures'. Because if that
> mechanism is 'this driver is only ever used on a system with fewer CPUs
> than TXQs', then that's of course fine :)
> 
> But there are drivers that do basically the same thing as what you've
> done here, *without* having such an assurance, and just looking at that
> function it's not obvious that there's an out-of-band reason why it's
> safe. And I literally just came from looking at such a case when I
> replied to your initial patch...

Maybe you were confused seeing that this is a PCI device, thinking it's
a plug-in card or something, therefore we don't get to choose the number
of CPUs that the host has. In hindsight, I don't know why you didn't ask
about this, it is pretty strange when you think about it.

It is actually more like a platform device with a PCI front-end - we
found this loophole in the PCI standard where you can create a "root
complex/integrated endpoint" which is basically an ECAM where the config
space contains PFs corresponding to some platform devices in the SoC (in
our case, all 4 Ethernet ports have their own PF, the switch has its own
PF, same thing for the MDIO controller and the 1588 timer). Their
register map is exposed as a number of BARs which use Enhanced
Allocation, so the generic PCI ECAM driver doesn't need to create any
translation windows for these addresses, it just uses what's in there,
which, surprise, is the actual base address of the peripheral in the
SoC's memory space.

We do that because we gain a lot of cool stuff by appearing as PCI
devices to system software, like for example multiple interfaces on top
of a 'shared MAC' are simply mapped over SR-IOV.

So it just 'smells' like PCI, but they're regular memory-mapped devices,
there is no PCI transaction layer or physical layer. At the moment the
LS1028A is the only SoC running Linux that integrates the ENETC block,
so we fully control the environment.

> >> > Well, yeah, I don't know what's the proper way to deal with that. Ideas?
> >>
> >> Well the obvious one is just:
> >>
> >> tx_ring = priv->tx_ring[smp_processor_id() % num_ring_ids];
> >>
> >> and then some kind of locking to deal with multiple CPUs accessing the
> >> same TX ring...
> >
> > By multiple CPUs accessing the same TX ring, you mean locking between
> > ndo_xdp_xmit and ndo_start_xmit? Can that even happen if the hardware
> > architecture is to have at least as many TX rings as CPUs?
> >
> > Because otherwise, I see that ndo_xdp_xmit is only called from
> > xdp_do_flush, which is in softirq context, which to my very rudimentary
> > knowledge run with bottom halves, thus preemption, disabled? So I don't
> > think it's possible for ndo_xdp_xmit and ndo_xmit, or even two
> > ndo_xdp_xmit instances, to access the same TX ring?
> 
> Yup, I think you're right about that. The "we always have more TXQs than
> CPUs" condition was the bit I was missing (and of course you're *sure*
> that this would never change sometime in the future, right? ;)).

I'm pretty sure, yeah, we build the SoCs and one of the requirements we
have is that every ENETC PF has enough TX rings in order for every CPU
to have its own one. That helps a lot with avoiding contention and
simplifying the driver. Maybe I'll use this opportunity to talk again to
the hardware design guys and make sure that the next SoCs with Linux
follow the same pattern as LS1028A, although I see no reason why not.

> > Sorry, I'm sure these are trivial questions, but I would like to really
> > understand what I need to change and why :D
> 
> Given the above I think the only potentially breaking thing is the
> #RXQ > #TXQ case I outlined. And maybe a comment documenting why indexing
> the tx_ring array by smp_processor_id() is safe would be nice? :)

Sure, which part exactly do you think would explain it best? Should I
add a reference to enetc_port_si_configure?

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ