| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <a7c39c89-c277-4b5f-92c0-690e31c769b5@amd.com>
Date: Mon, 11 Sep 2023 17:24:27 -0700
From: "Nelson, Shannon" <shannon.nelson@....com>
To: David Christensen <drc@...ux.vnet.ibm.com>, brett.creeley@....com,
drivers@...sando.io
Cc: netdev@...r.kernel.org
Subject: Re: [PATCH] ionic: fix 16bit math issue when PAGE_SIZE >= 64KB
On 9/11/2023 3:22 PM, David Christensen wrote:
>
> The function ionic_rx_fill() uses 16bit math when calculating the
> the number of pages required for an RX descriptor given an interface
> MTU setting. If the system PAGE_SIZE >= 64KB, the frag_len and
> remain_len values will always be 0, causing unnecessary scatter-
> gather elements to be assigned to the RX descriptor, up to the
> maximum number of scatter-gather elements per descriptor.
>
> A similar change in ionic_rx_frags() is implemented for symmetry,
> but has not been observed as an issue since scatter-gather
> elements are not necessary for such larger page sizes.
>
> Fixes: 4b0a7539a372 ("ionic: implement Rx page reuse")
> Signed-off-by: David Christensen <drc@...ux.vnet.ibm.com>
The subject line prefix should have "net" in it to target the bug fix at
the right tree.
> ---
> drivers/net/ethernet/pensando/ionic/ionic_txrx.c | 10 +++++-----
> 1 file changed, 5 insertions(+), 5 deletions(-)
>
> diff --git a/drivers/net/ethernet/pensando/ionic/ionic_txrx.c b/drivers/net/ethernet/pensando/ionic/ionic_txrx.c
> index 26798fc635db..56502bc80e01 100644
> --- a/drivers/net/ethernet/pensando/ionic/ionic_txrx.c
> +++ b/drivers/net/ethernet/pensando/ionic/ionic_txrx.c
> @@ -182,8 +182,8 @@ static struct sk_buff *ionic_rx_frags(struct ionic_queue *q,
> struct device *dev = q->dev;
> struct sk_buff *skb;
> unsigned int i;
> - u16 frag_len;
> - u16 len;
> + u32 frag_len;
> + u32 len;
>
> stats = q_to_rx_stats(q);
>
> @@ -207,7 +207,7 @@ static struct sk_buff *ionic_rx_frags(struct ionic_queue *q,
> return NULL;
> }
>
> - frag_len = min_t(u16, len, IONIC_PAGE_SIZE - buf_info->page_offset);
> + frag_len = min_t(u32, len, IONIC_PAGE_SIZE - buf_info->page_offset);
> len -= frag_len;
>
> dma_sync_single_for_cpu(dev,
> @@ -452,7 +452,7 @@ void ionic_rx_fill(struct ionic_queue *q)
>
> /* fill main descriptor - buf[0] */
> desc->addr = cpu_to_le64(buf_info->dma_addr + buf_info->page_offset);
> - frag_len = min_t(u16, len, IONIC_PAGE_SIZE - buf_info->page_offset);
> + frag_len = min_t(u32, len, IONIC_PAGE_SIZE - buf_info->page_offset);
> desc->len = cpu_to_le16(frag_len);
Hmm... using cpu_to_le16() on a 32-bit value looks suspect - it might
get forced to 16-bit, but looks funky, and might not be as successful in
a BigEndian environment.
Since the descriptor and sg_elem length fields are limited to 16-bit,
there might need to have something that assures that the resulting
lengths are never bigger than 64k - 1.
> remain_len -= frag_len;
> buf_info++;
> @@ -471,7 +471,7 @@ void ionic_rx_fill(struct ionic_queue *q)
> }
>
> sg_elem->addr = cpu_to_le64(buf_info->dma_addr + buf_info->page_offset);
> - frag_len = min_t(u16, remain_len, IONIC_PAGE_SIZE - buf_info->page_offset);
> + frag_len = min_t(u32, remain_len, IONIC_PAGE_SIZE - buf_info->page_offset);
> sg_elem->len = cpu_to_le16(frag_len);
ditto
> remain_len -= frag_len;
> buf_info++;
> --
> 2.39.1
>
Powered by blists - more mailing lists