lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Mon, 30 Oct 2023 14:39:33 +0100
From: Heiner Kallweit <hkallweit1@...il.com>
To: Mirsad Goran Todorovac <mirsad.todorovac@....unizg.hr>,
 Jason Gunthorpe <jgg@...pe.ca>, Joerg Roedel <jroedel@...e.de>,
 Lu Baolu <baolu.lu@...ux.intel.com>, iommu@...ts.linux.dev,
 linux-kernel@...r.kernel.org, netdev@...r.kernel.org
Cc: Joerg Roedel <joro@...tes.org>, Will Deacon <will@...nel.org>,
 Robin Murphy <robin.murphy@....com>, nic_swsd@...ltek.com,
 "David S. Miller" <davem@...emloft.net>, Eric Dumazet <edumazet@...gle.com>,
 Jakub Kicinski <kuba@...nel.org>, Paolo Abeni <pabeni@...hat.com>,
 Marco Elver <elver@...gle.com>
Subject: Re: [PATCH v5 1/7] r8169: Add r8169_mac_ocp_(write|modify)_seq
 helpers to reduce spinlock contention

On 29.10.2023 19:35, Mirsad Goran Todorovac wrote:
> A pair of new helpers r8168_mac_ocp_write_seq() and r8168_mac_ocp_modify_seq()
> are introduced.
> 
At first one more formal remark: series is missing a cover letter

> The motivation for these helpers was the locking overhead of 130 consecutive
> r8168_mac_ocp_write() calls in the RTL8411b reset after the NIC gets confused
> if the PHY is powered-down.
> 
> To quote Heiner:
> 
>     On RTL8411b the RX unit gets confused if the PHY is powered-down.
>     This was reported in [0] and confirmed by Realtek. Realtek provided
>     a sequence to fix the RX unit after PHY wakeup.
> 
> A series of about 130 r8168_mac_ocp_write() calls is performed to program the
> RTL registers for recovery, each doing an expensive spin_lock_irqsave() and
> spin_unlock_irqrestore().
> 
> Each mac ocp write is made of:
> 
>     static void __r8168_mac_ocp_write(struct rtl8169_private *tp, u32 reg,
> 		      u32 data)
>     {
> 	if (rtl_ocp_reg_failure(reg))
> 	    return;
> 
> 	RTL_W32(tp, OCPDR, OCPAR_FLAG | (reg << 15) | data);
>     }
> 
>     static void r8168_mac_ocp_write(struct rtl8169_private *tp, u32 reg,
> 		    u32 data)
>     {
> 	unsigned long flags;
> 
> 	raw_spin_lock_irqsave(&tp->mac_ocp_lock, flags);
> 	__r8168_mac_ocp_write(tp, reg, data);
> 	raw_spin_unlock_irqrestore(&tp->mac_ocp_lock, flags);
>     }
> 
> Register programming is done through RTL_W32() macro which expands into
> 
>     #define RTL_W32(tp, reg, val32) writel((val32), tp->mmio_addr + (reg))
> 
> which is further (on Alpha):
> 
>     extern inline void writel(u32 b, volatile void __iomem *addr)
>     {
> 	mb();
> 	__raw_writel(b, addr);
>     }
> 
> or on i386/x86_64:
> 
>     #define build_mmio_write(name, size, type, reg, barrier) \
>     static inline void name(type val, volatile void __iomem *addr) \
>     { asm volatile("mov" size " %0,%1": :reg (val), \
>     "m" (*(volatile type __force *)addr) barrier); }
> 
>     build_mmio_write(writel, "l", unsigned int, "r", :"memory")
> 
> This obviously involves iat least a compiler barrier.
> 
> mb() expands into something like this i.e. on x86_64:
> 
>     #define mb()    asm volatile("lock; addl $0,0(%%esp)" ::: "memory")
> 
> This means a whole lot of memory bus stalls: for spin_lock_irqsave(),
> memory barrier, writel(), and spin_unlock_irqrestore().
> 
> With about 130 of these sequential calls to r8168_mac_ocp_write() this looks like
> a lock storm that will stall all of the cores and CPUs on the same memory controller
> for certain time I/O takes to finish.
> 
> In a sequential case of RTL register programming, the writes to RTL registers
> can be coalesced under a same raw spinlock. This can dramatically decrease the
> number of bus stalls in a multicore or multi-CPU system.
> 
> Macro helpers r8168_mac_ocp_write_seq() and r8168_mac_ocp_modify_seq() are
> provided to reduce lock contention:
> 
>     static void rtl_hw_start_8411_2(struct rtl8169_private *tp)
>     {
> 
> 	...
> 
> 	/* The following Realtek-provided magic fixes an issue with the RX unit
> 	 * getting confused after the PHY having been powered-down.
> 	 */
> 
> 	static const struct recover_8411b_info init_zero_seq[] = {
> 	    { 0xFC28, 0x0000 }, { 0xFC2A, 0x0000 }, { 0xFC2C, 0x0000 },
> 	    ...
> 	};
> 
> 	...
> 
> 	r8168_mac_ocp_write_seq(tp, init_zero_seq);
> 
> 	...
> 
>     }
> 
> The hex data is preserved intact through s/r8168_mac_ocp_write[(]tp,/{ / and s/[)];/ },/
> functions that only changed the function names and the ending of the line, so the actual
> hex data is unchanged.
> 
> To repeat, the reason for the introduction of the original commit
> was to enable recovery of the RX unit on the RTL8411b which was confused by the
> powered-down PHY. This sequence of r8168_mac_ocp_write() calls amplifies the problem
> into a series of about 500+ memory bus locks, most waiting for the main memory read,
> modify and write under a LOCK. The memory barrier in RTL_W32 should suffice for
> the programming sequence to reach RTL NIC registers.
> 
> [0] https://bugzilla.redhat.com/show_bug.cgi?id=1692075
> 
The motivation for the original change isn't relevant here.
In general I'd prefer a shorter commit message that comes to the point immediately.


> Fixes: fe4e8db0392a6 ("r8169: fix issue with confused RX unit after PHY power-down on RTL8411b")
> Fixes: 91c8643578a21 ("r8169: use spinlock to protect mac ocp register access")
> Fixes: d6c36cbc5e533 ("r8169: Use a raw_spinlock_t for the register locks.")

Please submit the patches as net-next material and remove the Fixes tags as there's no
evidence of any actual issue. See stable submission criteria:
https://www.kernel.org/doc/html/next/process/stable-kernel-rules.html#:~:text=It%20or%20an%20equivalent%20fix,%2Fprocess%2Fsubmitting%2Dpatches.

No "This could be a problem..." type of things like a "theoretical race condition",
unless an explanation of how the bug can be exploited is also provided. See

> Cc: Heiner Kallweit <hkallweit1@...il.com>
> Cc: Marco Elver <elver@...gle.com>
> Cc: nic_swsd@...ltek.com
> Cc: "David S. Miller" <davem@...emloft.net>
> Cc: Eric Dumazet <edumazet@...gle.com>
> Cc: Jakub Kicinski <kuba@...nel.org>
> Cc: Paolo Abeni <pabeni@...hat.com>
> Cc: netdev@...r.kernel.org
> Cc: linux-kernel@...r.kernel.org
> Link: https://lore.kernel.org/lkml/20231028005153.2180411-1-mirsad.todorovac@alu.unizg.hr/
> Link: https://lore.kernel.org/lkml/20231028110459.2644926-1-mirsad.todorovac@alu.unizg.hr/
> Signed-off-by: Mirsad Goran Todorovac <mirsad.todorovac@....unizg.hr>
> ---
> v5:
>  added unlocked primitives to allow mac ocs modify grouping
>  applied coalescing of mac ocp writes/modifies for 8168ep and 8117
>  some formatting fixes to please checkpatch.pl
> 
> v4:
>  fixed complaints as advised by Heiner and checkpatch.pl
>  split the patch into five sections to be more easily manipulated and reviewed
>  introduced r8168_mac_ocp_write_seq()
>  applied coalescing of mac ocp writes/modifies for 8168H, 8125 and 8125B
> 
> v3:
>  removed register/mask pair array sentinels, so using ARRAY_SIZE().
>  avoided duplication of RTL_W32() call code as advised by Heiner.
> 
>  drivers/net/ethernet/realtek/r8169_main.c | 71 +++++++++++++++++++++--
>  1 file changed, 66 insertions(+), 5 deletions(-)
> 
> diff --git a/drivers/net/ethernet/realtek/r8169_main.c b/drivers/net/ethernet/realtek/r8169_main.c
> index 361b90007148..da1f5d1b4fd5 100644
> --- a/drivers/net/ethernet/realtek/r8169_main.c
> +++ b/drivers/net/ethernet/realtek/r8169_main.c
> @@ -888,7 +888,7 @@ static int r8168_phy_ocp_read(struct rtl8169_private *tp, u32 reg)
>  		(RTL_R32(tp, GPHY_OCP) & 0xffff) : -ETIMEDOUT;
>  }
>  
> -static void __r8168_mac_ocp_write(struct rtl8169_private *tp, u32 reg, u32 data)
> +static inline void __r8168_mac_ocp_write(struct rtl8169_private *tp, u32 reg, u32 data)

No inline declarations please, let the compiler decide.

>  {
>  	if (rtl_ocp_reg_failure(reg))
>  		return;
> @@ -905,7 +905,7 @@ static void r8168_mac_ocp_write(struct rtl8169_private *tp, u32 reg, u32 data)
>  	raw_spin_unlock_irqrestore(&tp->mac_ocp_lock, flags);
>  }
>  
> -static u16 __r8168_mac_ocp_read(struct rtl8169_private *tp, u32 reg)
> +static inline u16 __r8168_mac_ocp_read(struct rtl8169_private *tp, u32 reg)
>  {
>  	if (rtl_ocp_reg_failure(reg))
>  		return 0;
> @@ -927,18 +927,79 @@ static u16 r8168_mac_ocp_read(struct rtl8169_private *tp, u32 reg)
>  	return val;
>  }
>  
> +static inline void __r8168_mac_ocp_modify(struct rtl8169_private *tp, u32 reg, u16 mask,
> +					  u16 set)
> +{
> +	u16 data;
> +
> +	data = __r8168_mac_ocp_read(tp, reg);
> +	__r8168_mac_ocp_write(tp, reg, (data & ~mask) | set);
> +}
> +
>  static void r8168_mac_ocp_modify(struct rtl8169_private *tp, u32 reg, u16 mask,
>  				 u16 set)
>  {
>  	unsigned long flags;
> -	u16 data;
>  
>  	raw_spin_lock_irqsave(&tp->mac_ocp_lock, flags);
> -	data = __r8168_mac_ocp_read(tp, reg);
> -	__r8168_mac_ocp_write(tp, reg, (data & ~mask) | set);
> +	__r8168_mac_ocp_modify(tp, reg, mask, set);
>  	raw_spin_unlock_irqrestore(&tp->mac_ocp_lock, flags);
>  }
>  
> +struct e_info_regdata {

What does the e prefix stand for? Maybe macocp_info_write and
macocp_info_modify would be better names and more in line with
e.g. struct ephy_info.

> +	u32	reg;
> +	u32	data;
> +};
> +
> +struct e_info_regmaskset {
> +	u32	reg;
> +	u16	mask;
> +	u16	set;
> +};
> +
> +static void __r8168_mac_ocp_write_seqlen(struct rtl8169_private *tp,
> +					 const struct e_info_regdata *array, int len)
> +{
> +	struct e_info_regdata const *p;
> +
> +	for (p = array; len--; p++)
> +		__r8168_mac_ocp_write(tp, p->reg, p->data);
> +}
> +
> +static void r8168_mac_ocp_write_seqlen(struct rtl8169_private *tp,
> +				       const struct e_info_regdata *array, int len)
> +{
> +	unsigned long flags;
> +
> +	raw_spin_lock_irqsave(&tp->mac_ocp_lock, flags);
> +	__r8168_mac_ocp_write_seqlen(tp, array, len);
> +	raw_spin_unlock_irqrestore(&tp->mac_ocp_lock, flags);
> +}
> +
> +static void __r8168_mac_ocp_modify_seqlen(struct rtl8169_private *tp,
> +					  const struct e_info_regmaskset *array, int len)
> +{
> +	struct e_info_regmaskset const *p;
> +
> +	for (p = array; len--; p++)
> +		__r8168_mac_ocp_modify(tp, p->reg, p->mask, p->set);
> +}
> +
> +static void r8168_mac_ocp_modify_seqlen(struct rtl8169_private *tp,
> +					const struct e_info_regmaskset *array, int len)
> +{
> +	unsigned long flags;
> +
> +	raw_spin_lock_irqsave(&tp->mac_ocp_lock, flags);
> +	__r8168_mac_ocp_modify_seqlen(tp, array, len);
> +	raw_spin_unlock_irqrestore(&tp->mac_ocp_lock, flags);
> +}
> +
> +#define r8168_mac_ocp_write_seq(tp, a) r8168_mac_ocp_write_seqlen(tp, a, ARRAY_SIZE(a))
> +#define r8168_mac_ocp_modify_seq(tp, a) r8168_mac_ocp_modify_seqlen(tp, a, ARRAY_SIZE(a))
> +#define __r8168_mac_ocp_write_seq(tp, a) __r8168_mac_ocp_write_seqlen(tp, a, ARRAY_SIZE(a))
> +#define __r8168_mac_ocp_modify_seq(tp, a) __r8168_mac_ocp_modify_seqlen(tp, a, ARRAY_SIZE(a))
> +
>  /* Work around a hw issue with RTL8168g PHY, the quirk disables
>   * PHY MCU interrupts before PHY power-down.
>   */

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ