From: Kalle Valo <kvalo@codeaurora.org>
To: "John W. Linville" <linville@tuxdriver.com>
Cc: David Arcari <darcari@redhat.com>,
David Miller <davem@davemloft.net>,
netdev@vger.kernel.org, Johannes Berg <johannes.berg@intel.com>,
linux-wireless@vger.kernel.org
Subject: Re: [PATCH] net: ethtool: avoid allocation failure for dump_regs
Date: Thu, 19 Jan 2017 20:08:30 +0200 [thread overview]
Message-ID: <87h94uorc1.fsf@kamboji.qca.qualcomm.com> (raw)
In-Reply-To: <20170119155620.GD6245@tuxdriver.com> (John W. Linville's message of "Thu, 19 Jan 2017 10:56:21 -0500")
"John W. Linville" <linville@tuxdriver.com> writes:
> I forgot to Cc Johannes and Kalle...
Also adding linux-wireless.
> On Thu, Jan 19, 2017 at 09:15:09AM -0500, John W. Linville wrote:
>> On Thu, Jan 19, 2017 at 07:35:22AM -0500, David Arcari wrote:
>> > On 01/18/2017 11:45 AM, David Miller wrote:
>> > > From: David Arcari <darcari@redhat.com>
>> > > Date: Wed, 18 Jan 2017 08:34:05 -0500
>> > >
>> > >> If the user executes 'ethtool -d' for an interface and the associated
>> > >> get_regs_len() function returns 0, the user will see a call trace from
>> > >> the vmalloc() call in ethtool_get_regs(). This patch modifies
>> > >> ethtool_get_regs() to avoid the call to vmalloc when the size is zero.
>> > >>
>> > >> Signed-off-by: David Arcari <darcari@redhat.com>
>> > > I think when the driver indicates this, it is equivalent to saying that
>> > > the operation isn't supported.
>> > >
>> > > Also, this guards us against ->get_regs() methods that don't handle
>> > > zero length requests properly. I see many which are going to do
>> > > really terrible things in that situation.
>> > >
>> > > Therefore, if get_regs_len() returns zero, treat it the safe as if the
>> > > ethtool operations were NULL.
>> > >
>> > > Thanks.
>> >
>> > That was actually the fix that I was originally considering, but it
>> > turns out
>> > there is a problem with it.
>> >
>> > I found that the vmalloc error was occurring because
>> > ieee80211_get_regs_len() in
>> > net/mac80211/ethtool.c was returning zero. The ieee80211_get_regs in
>> > the same
>> > file returns the hw version. It turns out that this information is used
>> > by the
>> > at76c50x-usb driver in the user space ethtool to report which HW variant
>> > is in
>> > use. Returning an error when regs_len() returns zero would break this
>> > functionality.
>> >
>> > -Dave
>>
>> I'm responsible for this mess. The original idea was for various
>> mac80211-based drivers to override the ethtool operation and provide
>> their own dump operation, but the mac80211 crowd never embraced
>> the idea.
>>
>> In the meantime, I added the default implementation which just
>> passed-up wdev->wiphy->hw_version as the version info for a 0-length
>> register dump. I then implemented a driver-specific regiser dump
>> handler for userland ethtool that would interpret the hardware version
>> information for the at76c50x-usb driver.
>>
>> So the net of it is, if we treat a return of 0 from get_regs_len()
>> as "not supported", we break this one driver-specific feature for
>> userland ethtool. Realistically, there are probably very few users
>> to care. But I can't guarantee that the number is zero.
I know the number is not zero, because I remember using it years back
with something else than at76c50x-usb. But is the number more than one,
I don't know :)
>> Possible solutions:
>>
>> -- break userland ethtool for at76c50x-usb
>> -- avoid 0-len allocation attempt (David Arcari's patch)
>> -- make allocator accept a 0 length value w/o oops'ing
>> -- change mac8011 code to return non-zero from get_regs_len()
>>
>> Thoughts? The last option holds a certain attraction, but I'm not
>> sure how to make it useful...?
If it were only about at76c50x-usb I would say go for it, nobody sane
should use that device anymore. But on the other hand I'm worried that
this interface might be used by other (proprietary) user space tools
with other, more important, drivers. A difficult situation.
--
Kalle Valo
WARNING: multiple messages have this Message-ID (diff)
From: Kalle Valo <kvalo-sgV2jX0FEOL9JmXXK+q4OQ@public.gmane.org>
To: "John W. Linville" <linville-2XuSBdqkA4R54TAoqtyWWQ@public.gmane.org>
Cc: David Arcari <darcari-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>,
David Miller <davem-fT/PcQaiUtIeIZ0/mPfg9Q@public.gmane.org>,
netdev-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
Johannes Berg
<johannes.berg-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org>,
linux-wireless-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
Subject: Re: [PATCH] net: ethtool: avoid allocation failure for dump_regs
Date: Thu, 19 Jan 2017 20:08:30 +0200 [thread overview]
Message-ID: <87h94uorc1.fsf@kamboji.qca.qualcomm.com> (raw)
In-Reply-To: <20170119155620.GD6245-2XuSBdqkA4R54TAoqtyWWQ@public.gmane.org> (John W. Linville's message of "Thu, 19 Jan 2017 10:56:21 -0500")
"John W. Linville" <linville-2XuSBdqkA4R54TAoqtyWWQ@public.gmane.org> writes:
> I forgot to Cc Johannes and Kalle...
Also adding linux-wireless.
> On Thu, Jan 19, 2017 at 09:15:09AM -0500, John W. Linville wrote:
>> On Thu, Jan 19, 2017 at 07:35:22AM -0500, David Arcari wrote:
>> > On 01/18/2017 11:45 AM, David Miller wrote:
>> > > From: David Arcari <darcari-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
>> > > Date: Wed, 18 Jan 2017 08:34:05 -0500
>> > >
>> > >> If the user executes 'ethtool -d' for an interface and the associated
>> > >> get_regs_len() function returns 0, the user will see a call trace from
>> > >> the vmalloc() call in ethtool_get_regs(). This patch modifies
>> > >> ethtool_get_regs() to avoid the call to vmalloc when the size is zero.
>> > >>
>> > >> Signed-off-by: David Arcari <darcari-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
>> > > I think when the driver indicates this, it is equivalent to saying that
>> > > the operation isn't supported.
>> > >
>> > > Also, this guards us against ->get_regs() methods that don't handle
>> > > zero length requests properly. I see many which are going to do
>> > > really terrible things in that situation.
>> > >
>> > > Therefore, if get_regs_len() returns zero, treat it the safe as if the
>> > > ethtool operations were NULL.
>> > >
>> > > Thanks.
>> >
>> > That was actually the fix that I was originally considering, but it
>> > turns out
>> > there is a problem with it.
>> >
>> > I found that the vmalloc error was occurring because
>> > ieee80211_get_regs_len() in
>> > net/mac80211/ethtool.c was returning zero. The ieee80211_get_regs in
>> > the same
>> > file returns the hw version. It turns out that this information is used
>> > by the
>> > at76c50x-usb driver in the user space ethtool to report which HW variant
>> > is in
>> > use. Returning an error when regs_len() returns zero would break this
>> > functionality.
>> >
>> > -Dave
>>
>> I'm responsible for this mess. The original idea was for various
>> mac80211-based drivers to override the ethtool operation and provide
>> their own dump operation, but the mac80211 crowd never embraced
>> the idea.
>>
>> In the meantime, I added the default implementation which just
>> passed-up wdev->wiphy->hw_version as the version info for a 0-length
>> register dump. I then implemented a driver-specific regiser dump
>> handler for userland ethtool that would interpret the hardware version
>> information for the at76c50x-usb driver.
>>
>> So the net of it is, if we treat a return of 0 from get_regs_len()
>> as "not supported", we break this one driver-specific feature for
>> userland ethtool. Realistically, there are probably very few users
>> to care. But I can't guarantee that the number is zero.
I know the number is not zero, because I remember using it years back
with something else than at76c50x-usb. But is the number more than one,
I don't know :)
>> Possible solutions:
>>
>> -- break userland ethtool for at76c50x-usb
>> -- avoid 0-len allocation attempt (David Arcari's patch)
>> -- make allocator accept a 0 length value w/o oops'ing
>> -- change mac8011 code to return non-zero from get_regs_len()
>>
>> Thoughts? The last option holds a certain attraction, but I'm not
>> sure how to make it useful...?
If it were only about at76c50x-usb I would say go for it, nobody sane
should use that device anymore. But on the other hand I'm worried that
this interface might be used by other (proprietary) user space tools
with other, more important, drivers. A difficult situation.
--
Kalle Valo
next prev parent reply other threads:[~2017-01-19 18:08 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-01-18 13:34 [PATCH] net: ethtool: avoid allocation failure for dump_regs David Arcari
2017-01-18 16:45 ` David Miller
2017-01-19 12:35 ` David Arcari
2017-01-19 14:15 ` John W. Linville
2017-01-19 15:56 ` John W. Linville
2017-01-19 18:08 ` Kalle Valo [this message]
2017-01-19 18:08 ` Kalle Valo
2017-01-19 19:22 ` David Miller
2017-01-19 19:22 ` David Miller
2017-01-20 11:44 ` Kalle Valo
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87h94uorc1.fsf@kamboji.qca.qualcomm.com \
--to=kvalo@codeaurora.org \
--cc=darcari@redhat.com \
--cc=davem@davemloft.net \
--cc=johannes.berg@intel.com \
--cc=linux-wireless@vger.kernel.org \
--cc=linville@tuxdriver.com \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.