From: Michal Swiatkowski <michal.swiatkowski@linux.intel.com>
To: Jijie Shao <shaojijie@huawei.com>
Cc: davem@davemloft.net, edumazet@google.com, kuba@kernel.org,
pabeni@redhat.com, andrew+netdev@lunn.ch, horms@kernel.org,
shenjian15@huawei.com, wangpeiyang1@huawei.com,
liuyonglong@huawei.com, chenhao418@huawei.com,
jonathan.cameron@huawei.com,
shameerali.kolothum.thodi@huawei.com, salil.mehta@huawei.com,
netdev@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH RESEND V2 net 6/7] net: hns3: fixed hclge_fetch_pf_reg accesses bar space out of bounds issue
Date: Wed, 18 Dec 2024 10:29:03 +0100 [thread overview]
Message-ID: <Z2KV37WZL7cpPYKk@mev-dev.igk.intel.com> (raw)
In-Reply-To: <20241217010839.1742227-7-shaojijie@huawei.com>
On Tue, Dec 17, 2024 at 09:08:38AM +0800, Jijie Shao wrote:
> From: Hao Lan <lanhao@huawei.com>
>
> The TQP BAR space is divided into two segments. TQPs 0-1023 and TQPs
> 1024-1279 are in different BAR space addresses. However,
> hclge_fetch_pf_reg does not distinguish the tqp space information when
> reading the tqp space information. When the number of TQPs is greater
> than 1024, access bar space overwriting occurs.
> The problem of different segments has been considered during the
> initialization of tqp.io_base. Therefore, tqp.io_base is directly used
> when the queue is read in hclge_fetch_pf_reg.
>
> The error message:
>
> Unable to handle kernel paging request at virtual address ffff800037200000
> pc : hclge_fetch_pf_reg+0x138/0x250 [hclge]
> lr : hclge_get_regs+0x84/0x1d0 [hclge]
> Call trace:
> hclge_fetch_pf_reg+0x138/0x250 [hclge]
> hclge_get_regs+0x84/0x1d0 [hclge]
> hns3_get_regs+0x2c/0x50 [hns3]
> ethtool_get_regs+0xf4/0x270
> dev_ethtool+0x674/0x8a0
> dev_ioctl+0x270/0x36c
> sock_do_ioctl+0x110/0x2a0
> sock_ioctl+0x2ac/0x530
> __arm64_sys_ioctl+0xa8/0x100
> invoke_syscall+0x4c/0x124
> el0_svc_common.constprop.0+0x140/0x15c
> do_el0_svc+0x30/0xd0
> el0_svc+0x1c/0x2c
> el0_sync_handler+0xb0/0xb4
> el0_sync+0x168/0x180
>
> Fixes: 939ccd107ffc ("net: hns3: move dump regs function to a separate file")
> Signed-off-by: Hao Lan <lanhao@huawei.com>
> Signed-off-by: Jijie Shao <shaojijie@huawei.com>
> Signed-off-by: Paolo Abeni <pabeni@redhat.com>
> ---
> drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_regs.c | 9 +++++----
> .../net/ethernet/hisilicon/hns3/hns3vf/hclgevf_regs.c | 9 +++++----
> 2 files changed, 10 insertions(+), 8 deletions(-)
>
> diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_regs.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_regs.c
> index 43c1c18fa81f..8c057192aae6 100644
> --- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_regs.c
> +++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_regs.c
> @@ -510,9 +510,9 @@ static int hclge_get_dfx_reg(struct hclge_dev *hdev, void *data)
> static int hclge_fetch_pf_reg(struct hclge_dev *hdev, void *data,
> struct hnae3_knic_private_info *kinfo)
> {
> -#define HCLGE_RING_REG_OFFSET 0x200
> #define HCLGE_RING_INT_REG_OFFSET 0x4
>
> + struct hnae3_queue *tqp;
> int i, j, reg_num;
> int data_num_sum;
> u32 *reg = data;
> @@ -533,10 +533,11 @@ static int hclge_fetch_pf_reg(struct hclge_dev *hdev, void *data,
> reg_num = ARRAY_SIZE(ring_reg_addr_list);
> for (j = 0; j < kinfo->num_tqps; j++) {
You can define struct hnae3_queue *tqp here to limit the scope
(same in VF case).
> reg += hclge_reg_get_tlv(HCLGE_REG_TAG_RING, reg_num, reg);
> + tqp = kinfo->tqp[j];
> for (i = 0; i < reg_num; i++)
> - *reg++ = hclge_read_dev(&hdev->hw,
> - ring_reg_addr_list[i] +
> - HCLGE_RING_REG_OFFSET * j);
> + *reg++ = readl_relaxed(tqp->io_base -
> + HCLGE_TQP_REG_OFFSET +
> + ring_reg_addr_list[i]);
> }
> data_num_sum += (reg_num + HCLGE_REG_TLV_SPACE) * kinfo->num_tqps;
>
> diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_regs.c b/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_regs.c
> index 6db415d8b917..7d9d9dbc7560 100644
> --- a/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_regs.c
> +++ b/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_regs.c
> @@ -123,10 +123,10 @@ int hclgevf_get_regs_len(struct hnae3_handle *handle)
> void hclgevf_get_regs(struct hnae3_handle *handle, u32 *version,
> void *data)
> {
> -#define HCLGEVF_RING_REG_OFFSET 0x200
> #define HCLGEVF_RING_INT_REG_OFFSET 0x4
>
> struct hclgevf_dev *hdev = hclgevf_ae_get_hdev(handle);
> + struct hnae3_queue *tqp;
> int i, j, reg_um;
> u32 *reg = data;
>
> @@ -147,10 +147,11 @@ void hclgevf_get_regs(struct hnae3_handle *handle, u32 *version,
> reg_um = ARRAY_SIZE(ring_reg_addr_list);
> for (j = 0; j < hdev->num_tqps; j++) {
> reg += hclgevf_reg_get_tlv(HCLGEVF_REG_TAG_RING, reg_um, reg);
> + tqp = &hdev->htqp[j].q;
> for (i = 0; i < reg_um; i++)
> - *reg++ = hclgevf_read_dev(&hdev->hw,
> - ring_reg_addr_list[i] +
> - HCLGEVF_RING_REG_OFFSET * j);
> + *reg++ = readl_relaxed(tqp->io_base -
> + HCLGEVF_TQP_REG_OFFSET +
> + ring_reg_addr_list[i]);
> }
>
> reg_um = ARRAY_SIZE(tqp_intr_reg_addr_list);
> --
> 2.33.0
next prev parent reply other threads:[~2024-12-18 9:32 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-12-17 1:08 [PATCH RESEND V2 net 0/7] There are some bugfix for the HNS3 ethernet driver Jijie Shao
2024-12-17 1:08 ` [PATCH RESEND V2 net 1/7] net: hns3: fixed reset failure issues caused by the incorrect reset type Jijie Shao
2024-12-18 9:02 ` Michal Swiatkowski
2024-12-19 9:41 ` Paolo Abeni
2024-12-19 10:11 ` Michal Swiatkowski
2024-12-19 10:43 ` Paolo Abeni
2024-12-19 12:26 ` Jijie Shao
2025-01-06 14:41 ` Jijie Shao
2024-12-19 10:13 ` Michal Swiatkowski
2024-12-19 12:18 ` Jijie Shao
2024-12-17 1:08 ` [PATCH RESEND V2 net 2/7] net: hns3: fix missing features due to dev->features configuration too early Jijie Shao
2024-12-18 9:16 ` Michal Swiatkowski
2024-12-17 1:08 ` [PATCH RESEND V2 net 3/7] net: hns3: Resolved the issue that the debugfs query result is inconsistent Jijie Shao
2024-12-17 1:08 ` [PATCH RESEND V2 net 4/7] net: hns3: don't auto enable misc vector Jijie Shao
2024-12-17 1:08 ` [PATCH RESEND V2 net 5/7] net: hns3: initialize reset_timer before hclgevf_misc_irq_init() Jijie Shao
2024-12-18 9:20 ` Michal Swiatkowski
2024-12-19 11:48 ` Jijie Shao
2024-12-17 1:08 ` [PATCH RESEND V2 net 6/7] net: hns3: fixed hclge_fetch_pf_reg accesses bar space out of bounds issue Jijie Shao
2024-12-18 9:29 ` Michal Swiatkowski [this message]
2024-12-19 9:51 ` Paolo Abeni
2024-12-19 10:23 ` Michal Swiatkowski
2024-12-19 11:52 ` Jijie Shao
2024-12-17 1:08 ` [PATCH RESEND V2 net 7/7] net: hns3: fix kernel crash when 1588 is sent on HIP08 devices Jijie Shao
2024-12-18 9:30 ` Michal Swiatkowski
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Z2KV37WZL7cpPYKk@mev-dev.igk.intel.com \
--to=michal.swiatkowski@linux.intel.com \
--cc=andrew+netdev@lunn.ch \
--cc=chenhao418@huawei.com \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=horms@kernel.org \
--cc=jonathan.cameron@huawei.com \
--cc=kuba@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=liuyonglong@huawei.com \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=salil.mehta@huawei.com \
--cc=shameerali.kolothum.thodi@huawei.com \
--cc=shaojijie@huawei.com \
--cc=shenjian15@huawei.com \
--cc=wangpeiyang1@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.