From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from bombadil.infradead.org (bombadil.infradead.org [198.137.202.133])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.lore.kernel.org (Postfix) with ESMTPS id 81FF2C74A5B
	for <linux-arm-kernel@archiver.kernel.org>; Sat, 18 Mar 2023 10:59:39 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
	d=lists.infradead.org; s=bombadil.20210309; h=Sender:
	Content-Transfer-Encoding:Content-Type:List-Subscribe:List-Help:List-Post:
	List-Archive:List-Unsubscribe:List-Id:MIME-Version:Message-ID:In-reply-to:
	Date:Subject:Cc:To:From:References:Reply-To:Content-ID:Content-Description:
	Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:
	List-Owner; bh=CBjfMIXa/HaEyrzAKfLZdswg0KUrpr4tkmLV4Z7C9OA=; b=4luoY9BTXaqaTN
	3tNJuqIxCUjnS2izD27vYNimsacXXZkDzEm4M44NlxtnBzPU7Lzry7pr1dGxjois9xcDWMGLyTsp7
	mbH3zI7DxrSR3QieIbra1PbPz2mwIY1U9LafYkVa0RXdm2lUP3v0k5LJK+QHNHwk4CMz0RyJ+EOPo
	4BrWNSZOdD27tBuyr7Uy+c3IrFnLN3qN0L/WhuDJLo5uQ+lWwVttQo2EL4w0crLFd+c/6lfWVhNsO
	1c4hWyiZ17BazVafj4l/sC6fuvuIqQ70xNWA35NCH9qaUyN6zCEUEGNSIOvD9vW5m7cVFDukTb6/9
	ePgTvmnVr0dIwkMlvFkw==;
Received: from localhost ([::1] helo=bombadil.infradead.org)
	by bombadil.infradead.org with esmtp (Exim 4.96 #2 (Red Hat Linux))
	id 1pdUGR-004dBA-1T;
	Sat, 18 Mar 2023 10:58:19 +0000
Received: from mout.kundenserver.de ([212.227.17.13])
	by bombadil.infradead.org with esmtps (Exim 4.96 #2 (Red Hat Linux))
	id 1pdUGO-004dAV-1N
	for linux-arm-kernel@lists.infradead.org;
	Sat, 18 Mar 2023 10:58:18 +0000
Received: from maxwell ([93.223.194.227]) by mrelayeu.kundenserver.de
 (mreue109 [213.165.67.113]) with ESMTPSA (Nemesis) id
 1MXp1O-1q0fR01Vro-00Y9ju; Sat, 18 Mar 2023 11:57:54 +0100
References: <20230316075940.695583-1-jh@henneberg-systemdesign.com>
 <20230316075940.695583-2-jh@henneberg-systemdesign.com>
 <20230317222117.3520d4cf@kernel.org>
User-agent: mu4e 1.8.14; emacs 28.2
From: Jochen Henneberg <jh@henneberg-systemdesign.com>
To: Jakub Kicinski <kuba@kernel.org>
Cc: netdev@vger.kernel.org, Giuseppe Cavallaro <peppe.cavallaro@st.com>,
 Alexandre Torgue <alexandre.torgue@foss.st.com>, Jose Abreu
 <joabreu@synopsys.com>, "David S. Miller" <davem@davemloft.net>, Eric
  Dumazet <edumazet@google.com>, Paolo Abeni <pabeni@redhat.com>, Maxime
  Coquelin <mcoquelin.stm32@gmail.com>, Ong Boon Leong
 <boon.leong.ong@intel.com>, linux-stm32@st-md-mailman.stormreply.com,
 linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH net V2 1/2] net: stmmac: Premature loop termination
 check was ignored on rx
Date: Sat, 18 Mar 2023 09:38:12 +0100
In-reply-to: <20230317222117.3520d4cf@kernel.org>
Message-ID: <87sfe2gwd2.fsf@henneberg-systemdesign.com>
MIME-Version: 1.0
X-Provags-ID: V03:K1:11TGBtoqQjv+AJTAzJp+aQPfKm5rdzxYF31OXmoE/4m7y/QexHZ
 a/Qu1irPDxWE50evrxAPbgyV65Ku3G/NBM0wBQX8gpH9tyJIsPDRwAxtGoCIVBuuGlVakRZ
 q54FiRVg1uhcpkpmkHYynHIzgq8kMGWetNcGZwf2RGqWOMHdua28cermriWvuLd1+ujek69
 mPYfghvopY88jwrVg5yMw==
UI-OutboundReport: notjunk:1;M01:P0:umlFYN5+QSM=;ad9WRdUhgzgSHdgR75UnVHH/2SI
 l0Gvrt/FRR5lgIpZN/DaLLQIc2a6D7wGp7+9M3r0glOoVqdyfo2jsTng0jDJFf5yzzafJR2bT
 p4aE1JL2SO2epTwW3COaOdI9v24fc35C6OAkDCRr3mrTTfaeokraXmEkjpjSJ0ibb6JObo6Hr
 pXrhQhyfBx8SU8fcWt9Zn139byMV5JcKsuthCH7I8CMctA16eFnJJcXGshYt7D+sTJ55UOM+t
 ug2tFI/033WBFSq/0M3RKVSICzc4ALIEL8LZ3n+pBPPsKy7ffD3QcgS5dwfyMjza7kza5Wmak
 AB0XHnNU0WMgfKbVnegzomooNhF8qt+/aJdP+rXZhcigulE6Y5S8HSxDdLvvr7pLdgpzd1/7K
 yFTO/EgI+o3vp7QdgcrYeJTx4bbaSpE5+lDJHSp8pxi8NrpAIclT3f+JPyhNQEEhi6SXVxYD5
 ttWMEndjLBf4Kn86iOxGfDYd6lE4sZl79kuIN66WxZn/yb7X7cPIOm2aHHni+E0aKWcAYFajm
 hXk8Rs18LHyhjLGoFd25MrqhgfgDNYBW7nQusyOzh+p4RvuEwifD1FFvCLoiBgW1B9QLTnpZI
 Txdh0HI8uVGeD1xwVSmW6URZoGdxjnCeGoB8Lg0ExsTCI1nB/BuKtqGSJFKsoXwFpSFyPygo2
 xPlZqKXn4m6a/tZqbPeKKj7JsgRtu1eW62IyIwl5cw==
X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 
X-CRM114-CacheID: sfid-20230318_035816_771543_1FC44B40 
X-CRM114-Status: GOOD (  18.81  )
X-BeenThere: linux-arm-kernel@lists.infradead.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: <linux-arm-kernel.lists.infradead.org>
List-Unsubscribe: <http://lists.infradead.org/mailman/options/linux-arm-kernel>,
 <mailto:linux-arm-kernel-request@lists.infradead.org?subject=unsubscribe>
List-Archive: <http://lists.infradead.org/pipermail/linux-arm-kernel/>
List-Post: <mailto:linux-arm-kernel@lists.infradead.org>
List-Help: <mailto:linux-arm-kernel-request@lists.infradead.org?subject=help>
List-Subscribe: <http://lists.infradead.org/mailman/listinfo/linux-arm-kernel>,
 <mailto:linux-arm-kernel-request@lists.infradead.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: "linux-arm-kernel" <linux-arm-kernel-bounces@lists.infradead.org>
Errors-To: linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org


Jakub Kicinski <kuba@kernel.org> writes:

> On Thu, 16 Mar 2023 08:59:39 +0100 Jochen Henneberg wrote:
>> The premature loop termination check makes sense only in case of the
>> jump to read_again where the count may have been updated. But
>> read_again did not include the check.
>> 
>> Fixes: ec222003bd94 ("net: stmmac: Prepare to add Split Header support")
>> Signed-off-by: Jochen Henneberg <jh@henneberg-systemdesign.com>
>> ---
>>  drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 2 +-
>>  1 file changed, 1 insertion(+), 1 deletion(-)
>> 
>> diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
>> index e4902a7bb61e..ea51c7c93101 100644
>> --- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
>> +++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
>> @@ -5221,10 +5221,10 @@ static int stmmac_rx(struct stmmac_priv *priv, int limit, u32 queue)
>>  			len = 0;
>>  		}
>>  
>> +read_again:
>>  		if (count >= limit)
>>  			break;
>
> Are you sure? Can you provide more detailed analysis?
> Do you observe a problem / error in real life or is this theoretical?

This is theoretical, I was hunting another bug and just stumbled over
the check which is, I think you agree, pointless right now. I did not
try to force execute that code path.

>
> As far as I can tell only path which jumps to read_again after doing
> count++ is via the drain_data jump, but I can't tell how it's
> discarding subsequent segments in that case..
>
>> -read_again:
>>  		buf1_len = 0;
>>  		buf2_len = 0;
>>  		entry = next_entry;

Correct. The read_again is triggered in case that the segment is not the
last segment of the frame:

		if (likely(status & rx_not_ls))
			goto read_again;

So in case there is no skb (queue error) it will keep increasing count
until the last segment has been found with released device DMA
ownership. So skb will not change while the goto loop is running, the
only thing that will change is that subsequent segments release device
DMA ownership. The dirty buffers are then cleaned up from
stmmac_rx_refill().

I think the driver code is really hard to read I have planned to cleanup
things later, however, this patch simply tries to prevent us from
returning a value greater than limit which could happen and would
definitely be wrong.

_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel