lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <MN2PR11MB4045234F7E5F0A97EACB39BAEA489@MN2PR11MB4045.namprd11.prod.outlook.com>
Date: Wed, 31 May 2023 02:12:18 +0000
From: "Rout, ChandanX" <chandanx.rout@...el.com>
To: "Fijalkowski, Maciej" <maciej.fijalkowski@...el.com>,
	"intel-wired-lan@...ts.osuosl.org" <intel-wired-lan@...ts.osuosl.org>
CC: "netdev@...r.kernel.org" <netdev@...r.kernel.org>, "Nguyen, Anthony L"
	<anthony.l.nguyen@...el.com>, "simon.horman@...igine.com"
	<simon.horman@...igine.com>, "bpf@...r.kernel.org" <bpf@...r.kernel.org>,
	"Karlsson, Magnus" <magnus.karlsson@...el.com>, "Kuruvinakunnel, George"
	<george.kuruvinakunnel@...el.com>, "Nagraj, Shravan"
	<shravan.nagraj@...el.com>, "Nagaraju, Shwetha" <shwetha.nagaraju@...el.com>
Subject: RE: [Intel-wired-lan] [PATCH iwl-net v2] ice: recycle/free all of the
 fragments from multi-buffer frame



>-----Original Message-----
>From: Intel-wired-lan <intel-wired-lan-bounces@...osl.org> On Behalf Of
>Fijalkowski, Maciej
>Sent: 15 May 2023 19:23
>To: intel-wired-lan@...ts.osuosl.org
>Cc: netdev@...r.kernel.org; Nguyen, Anthony L
><anthony.l.nguyen@...el.com>; simon.horman@...igine.com;
>bpf@...r.kernel.org; Karlsson, Magnus <magnus.karlsson@...el.com>
>Subject: [Intel-wired-lan] [PATCH iwl-net v2] ice: recycle/free all of the
>fragments from multi-buffer frame
>
>The ice driver caches next_to_clean value at the beginning of
>ice_clean_rx_irq() in order to remember the first buffer that has to be
>freed/recycled after main Rx processing loop. The end boundary is indicated
>by first descriptor of frame that Rx processing loop has ended its duties. Note
>that if mentioned loop ended in the middle of gathering multi-buffer frame,
>next_to_clean would be pointing to the descriptor in the middle of the frame
>BUT freeing/recycling stage will stop at the first descriptor. This means that
>next iteration of ice_clean_rx_irq() will miss the (first_desc, next_to_clean -
>1) entries.
>
> When running various 9K MTU workloads, such splats were observed:
>
>[  540.780716] BUG: kernel NULL pointer dereference, address:
>0000000000000000 [  540.787787] #PF: supervisor read access in kernel mode [
>540.793002] #PF: error_code(0x0000) - not-present page [  540.798218] PGD 0
>P4D 0 [  540.800801] Oops: 0000 [#1] PREEMPT SMP NOPTI
>[  540.805231] CPU: 18 PID: 3984 Comm: xskxceiver Tainted: G        W          6.3.0-
>rc7+ #96
>[  540.813619] Hardware name: Intel Corporation S2600WFT/S2600WFT, BIOS
>SE5C620.86B.02.01.0008.031920191559 03/19/2019 [  540.824209] RIP:
>0010:ice_clean_rx_irq+0x2b6/0xf00 [ice] [  540.829678] Code: 74 24 10 e9 aa 00
>00 00 8b 55 78 41 31 57 10 41 09 c4 4d 85 ff 0f 84 83 00 00 00 49 8b 57 08 41 8b 4f
>1c 65 8b 35 1a fa 4b 3f <48> 8b 02 48 c1 e8 3a 39 c6 0f 85 a2 00 00 00 f6 42 08 02
>0f 85 98 [  540.848717] RSP: 0018:ffffc9000f42fc50 EFLAGS: 00010282 [
>540.854029] RAX: 0000000000000004 RBX: 0000000000000002 RCX:
>000000000000fffe [  540.861272] RDX: 0000000000000000 RSI:
>0000000000000001 RDI: 00000000ffffffff [  540.868519] RBP: ffff88984a05ac00
>R08: 0000000000000000 R09: dead000000000100 [  540.875760] R10:
>ffff88983fffcd00 R11: 000000000010f2b8 R12: 0000000000000004 [  540.883008]
>R13: 0000000000000003 R14: 0000000000000800 R15: ffff889847a10040 [
>540.890253] FS:  00007f6ddf7fe640(0000) GS:ffff88afdf800000(0000)
>knlGS:0000000000000000 [  540.898465] CS:  0010 DS: 0000 ES: 0000 CR0:
>0000000080050033 [  540.904299] CR2: 0000000000000000 CR3:
>000000010d3da001 CR4: 00000000007706e0 [  540.911542] DR0:
>0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [
>540.918789] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7:
>0000000000000400 [  540.926032] PKRU: 55555554 [  540.928790] Call Trace:
>[  540.931276]  <TASK>
>[  540.933418]  ice_napi_poll+0x4ca/0x6d0 [ice] [  540.937804]  ?
>__pfx_ice_napi_poll+0x10/0x10 [ice] [  540.942716]
>napi_busy_loop+0xd7/0x320 [  540.946537]  xsk_recvmsg+0x143/0x170 [
>540.950178]  sock_recvmsg+0x99/0xa0 [  540.953729]
>__sys_recvfrom+0xa8/0x120 [  540.957543]  ? do_futex+0xbd/0x1d0 [
>540.961008]  ? __x64_sys_futex+0x73/0x1d0 [  540.965083]
>__x64_sys_recvfrom+0x20/0x30 [  540.969155]  do_syscall_64+0x38/0x90 [
>540.972796]  entry_SYSCALL_64_after_hwframe+0x72/0xdc
>[  540.977934] RIP: 0033:0x7f6de5f27934
>
>To fix this, set cached_ntc to first_desc so that at the end, when
>freeing/recycling buffers, descriptors from first to ntc are not missed.
>
>Fixes: 2fba7dc5157b ("ice: Add support for XDP multi-buffer on Rx side")
>Signed-off-by: Maciej Fijalkowski <maciej.fijalkowski@...el.com>
>---
>v2: set cached_ntc directly to first_desc [Simon]
>
> drivers/net/ethernet/intel/ice/ice_txrx.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>

Tested-by: Chandan Kumar Rout <chandanx.rout@...el.com> (A Contingent Worker at Intel)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ