| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 31 May 2023 02:12:18 +0000
From: "Rout, ChandanX" <chandanx.rout@...el.com>
To: "Fijalkowski, Maciej" <maciej.fijalkowski@...el.com>,
"intel-wired-lan@...ts.osuosl.org" <intel-wired-lan@...ts.osuosl.org>
CC: "netdev@...r.kernel.org" <netdev@...r.kernel.org>, "Nguyen, Anthony L"
<anthony.l.nguyen@...el.com>, "simon.horman@...igine.com"
<simon.horman@...igine.com>, "bpf@...r.kernel.org" <bpf@...r.kernel.org>,
"Karlsson, Magnus" <magnus.karlsson@...el.com>, "Kuruvinakunnel, George"
<george.kuruvinakunnel@...el.com>, "Nagraj, Shravan"
<shravan.nagraj@...el.com>, "Nagaraju, Shwetha" <shwetha.nagaraju@...el.com>
Subject: RE: [Intel-wired-lan] [PATCH iwl-net v2] ice: recycle/free all of the
fragments from multi-buffer frame
>-----Original Message-----
>From: Intel-wired-lan <intel-wired-lan-bounces@...osl.org> On Behalf Of
>Fijalkowski, Maciej
>Sent: 15 May 2023 19:23
>To: intel-wired-lan@...ts.osuosl.org
>Cc: netdev@...r.kernel.org; Nguyen, Anthony L
><anthony.l.nguyen@...el.com>; simon.horman@...igine.com;
>bpf@...r.kernel.org; Karlsson, Magnus <magnus.karlsson@...el.com>
>Subject: [Intel-wired-lan] [PATCH iwl-net v2] ice: recycle/free all of the
>fragments from multi-buffer frame
>
>The ice driver caches next_to_clean value at the beginning of
>ice_clean_rx_irq() in order to remember the first buffer that has to be
>freed/recycled after main Rx processing loop. The end boundary is indicated
>by first descriptor of frame that Rx processing loop has ended its duties. Note
>that if mentioned loop ended in the middle of gathering multi-buffer frame,
>next_to_clean would be pointing to the descriptor in the middle of the frame
>BUT freeing/recycling stage will stop at the first descriptor. This means that
>next iteration of ice_clean_rx_irq() will miss the (first_desc, next_to_clean -
>1) entries.
>
> When running various 9K MTU workloads, such splats were observed:
>
>[ 540.780716] BUG: kernel NULL pointer dereference, address:
>0000000000000000 [ 540.787787] #PF: supervisor read access in kernel mode [
>540.793002] #PF: error_code(0x0000) - not-present page [ 540.798218] PGD 0
>P4D 0 [ 540.800801] Oops: 0000 [#1] PREEMPT SMP NOPTI
>[ 540.805231] CPU: 18 PID: 3984 Comm: xskxceiver Tainted: G W 6.3.0-
>rc7+ #96
>[ 540.813619] Hardware name: Intel Corporation S2600WFT/S2600WFT, BIOS
>SE5C620.86B.02.01.0008.031920191559 03/19/2019 [ 540.824209] RIP:
>0010:ice_clean_rx_irq+0x2b6/0xf00 [ice] [ 540.829678] Code: 74 24 10 e9 aa 00
>00 00 8b 55 78 41 31 57 10 41 09 c4 4d 85 ff 0f 84 83 00 00 00 49 8b 57 08 41 8b 4f
>1c 65 8b 35 1a fa 4b 3f <48> 8b 02 48 c1 e8 3a 39 c6 0f 85 a2 00 00 00 f6 42 08 02
>0f 85 98 [ 540.848717] RSP: 0018:ffffc9000f42fc50 EFLAGS: 00010282 [
>540.854029] RAX: 0000000000000004 RBX: 0000000000000002 RCX:
>000000000000fffe [ 540.861272] RDX: 0000000000000000 RSI:
>0000000000000001 RDI: 00000000ffffffff [ 540.868519] RBP: ffff88984a05ac00
>R08: 0000000000000000 R09: dead000000000100 [ 540.875760] R10:
>ffff88983fffcd00 R11: 000000000010f2b8 R12: 0000000000000004 [ 540.883008]
>R13: 0000000000000003 R14: 0000000000000800 R15: ffff889847a10040 [
>540.890253] FS: 00007f6ddf7fe640(0000) GS:ffff88afdf800000(0000)
>knlGS:0000000000000000 [ 540.898465] CS: 0010 DS: 0000 ES: 0000 CR0:
>0000000080050033 [ 540.904299] CR2: 0000000000000000 CR3:
>000000010d3da001 CR4: 00000000007706e0 [ 540.911542] DR0:
>0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [
>540.918789] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7:
>0000000000000400 [ 540.926032] PKRU: 55555554 [ 540.928790] Call Trace:
>[ 540.931276] <TASK>
>[ 540.933418] ice_napi_poll+0x4ca/0x6d0 [ice] [ 540.937804] ?
>__pfx_ice_napi_poll+0x10/0x10 [ice] [ 540.942716]
>napi_busy_loop+0xd7/0x320 [ 540.946537] xsk_recvmsg+0x143/0x170 [
>540.950178] sock_recvmsg+0x99/0xa0 [ 540.953729]
>__sys_recvfrom+0xa8/0x120 [ 540.957543] ? do_futex+0xbd/0x1d0 [
>540.961008] ? __x64_sys_futex+0x73/0x1d0 [ 540.965083]
>__x64_sys_recvfrom+0x20/0x30 [ 540.969155] do_syscall_64+0x38/0x90 [
>540.972796] entry_SYSCALL_64_after_hwframe+0x72/0xdc
>[ 540.977934] RIP: 0033:0x7f6de5f27934
>
>To fix this, set cached_ntc to first_desc so that at the end, when
>freeing/recycling buffers, descriptors from first to ntc are not missed.
>
>Fixes: 2fba7dc5157b ("ice: Add support for XDP multi-buffer on Rx side")
>Signed-off-by: Maciej Fijalkowski <maciej.fijalkowski@...el.com>
>---
>v2: set cached_ntc directly to first_desc [Simon]
>
> drivers/net/ethernet/intel/ice/ice_txrx.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
Tested-by: Chandan Kumar Rout <chandanx.rout@...el.com> (A Contingent Worker at Intel)
Powered by blists - more mailing lists