From: Tobias Waldekranz <tobias@waldekranz.com>
To: Maxime Chevallier <maxime.chevallier@bootlin.com>
Cc: davem@davemloft.net, kuba@kernel.org, marcin.s.wojtas@gmail.com,
linux@armlinux.org.uk, andrew@lunn.ch, edumazet@google.com,
pabeni@redhat.com, ezequiel.garcia@free-electrons.com,
netdev@vger.kernel.org
Subject: Re: [PATCH net] net: mvpp2: Prevent parser TCAM memory corruption
Date: Thu, 20 Mar 2025 11:47:43 +0100 [thread overview]
Message-ID: <87zfhg9dww.fsf@waldekranz.com> (raw)
In-Reply-To: <20250320105747.6f271fff@fedora.home>
On tor, mar 20, 2025 at 10:57, Maxime Chevallier <maxime.chevallier@bootlin.com> wrote:
> Hi Tobias,
>
> On Thu, 20 Mar 2025 10:17:00 +0100
> Tobias Waldekranz <tobias@waldekranz.com> wrote:
>
>> Protect the parser TCAM/SRAM memory, and the cached (shadow) SRAM
>> information, from concurrent modifications.
>>
>> Both the TCAM and SRAM tables are indirectly accessed by configuring
>> an index register that selects the row to read or write to. This means
>> that operations must be atomic in order to, e.g., avoid spreading
>> writes across multiple rows. Since the shadow SRAM array is used to
>> find free rows in the hardware table, it must also be protected in
>> order to avoid TOCTOU errors where multiple cores allocate the same
>> row.
>>
>> This issue was detected in a situation where `mvpp2_set_rx_mode()` ran
>> concurrently on two CPUs. In this particular case the
>> MVPP2_PE_MAC_UC_PROMISCUOUS entry was corrupted, causing the
>> classifier unit to drop all incoming unicast - indicated by the
>> `rx_classifier_drops` counter.
>>
>> Fixes: 3f518509dedc ("ethernet: Add new driver for Marvell Armada 375 network unit")
>> Signed-off-by: Tobias Waldekranz <tobias@waldekranz.com>
>> ---
>
> [...]
>
>> +int mvpp2_prs_init_from_hw(struct mvpp2 *priv, struct mvpp2_prs_entry *pe,
>> + int tid)
>> +{
>> + unsigned long flags;
>> + int err;
>> +
>> + spin_lock_irqsave(&priv->prs_spinlock, flags);
>> + err = mvpp2_prs_init_from_hw_unlocked(priv, pe, tid);
>> + spin_unlock_irqrestore(&priv->prs_spinlock, flags);
>
> That's indeed an issue, I'm wondering however if you really need to
> irqsave/irqrestore everytime you protect the accesses to the Parser.
>
> From what I remember we don't touch the Parser in the interrupt path,
> it's mostly a consequence to netdev ops being called (promisc, vlan
> add/kill, mc/uc filtering and a lot in the init path).
Good point! Indeed, I can not find any access to the parser in IRQ
context.
We still need to disable bottom halves though, right? Because otherwise
we could reach mvpp2_set_rx_mode() from net-rx by processing an IGMP/MLD
frame, for example.
next prev parent reply other threads:[~2025-03-20 10:47 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-03-20 9:17 [PATCH net] net: mvpp2: Prevent parser TCAM memory corruption Tobias Waldekranz
2025-03-20 9:57 ` Maxime Chevallier
2025-03-20 10:47 ` Tobias Waldekranz [this message]
2025-03-20 13:14 ` Andrew Lunn
2025-03-20 13:38 ` Tobias Waldekranz
2025-03-20 17:27 ` Maxime Chevallier
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87zfhg9dww.fsf@waldekranz.com \
--to=tobias@waldekranz.com \
--cc=andrew@lunn.ch \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=ezequiel.garcia@free-electrons.com \
--cc=kuba@kernel.org \
--cc=linux@armlinux.org.uk \
--cc=marcin.s.wojtas@gmail.com \
--cc=maxime.chevallier@bootlin.com \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.