From: Michal Swiatkowski <michal.swiatkowski@linux.intel.com>
To: Jijie Shao <shaojijie@huawei.com>
Cc: davem@davemloft.net, edumazet@google.com, kuba@kernel.org,
pabeni@redhat.com, andrew+netdev@lunn.ch, horms@kernel.org,
shenjian15@huawei.com, wangpeiyang1@huawei.com,
liuyonglong@huawei.com, chenhao418@huawei.com,
jonathan.cameron@huawei.com,
shameerali.kolothum.thodi@huawei.com, salil.mehta@huawei.com,
netdev@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH RESEND V2 net 6/7] net: hns3: fixed hclge_fetch_pf_reg accesses bar space out of bounds issue
Date: Wed, 18 Dec 2024 10:29:03 +0100 [thread overview]
Message-ID: <Z2KV37WZL7cpPYKk@mev-dev.igk.intel.com> (raw)
In-Reply-To: <20241217010839.1742227-7-shaojijie@huawei.com>
On Tue, Dec 17, 2024 at 09:08:38AM +0800, Jijie Shao wrote:
> From: Hao Lan <lanhao@huawei.com>
>
> The TQP BAR space is divided into two segments. TQPs 0-1023 and TQPs
> 1024-1279 are in different BAR space addresses. However,
> hclge_fetch_pf_reg does not distinguish the tqp space information when
> reading the tqp space information. When the number of TQPs is greater
> than 1024, access bar space overwriting occurs.
> The problem of different segments has been considered during the
> initialization of tqp.io_base. Therefore, tqp.io_base is directly used
> when the queue is read in hclge_fetch_pf_reg.
>
> The error message:
>
> Unable to handle kernel paging request at virtual address ffff800037200000
> pc : hclge_fetch_pf_reg+0x138/0x250 [hclge]
> lr : hclge_get_regs+0x84/0x1d0 [hclge]
> Call trace:
> hclge_fetch_pf_reg+0x138/0x250 [hclge]
> hclge_get_regs+0x84/0x1d0 [hclge]
> hns3_get_regs+0x2c/0x50 [hns3]
> ethtool_get_regs+0xf4/0x270
> dev_ethtool+0x674/0x8a0
> dev_ioctl+0x270/0x36c
> sock_do_ioctl+0x110/0x2a0
> sock_ioctl+0x2ac/0x530
> __arm64_sys_ioctl+0xa8/0x100
> invoke_syscall+0x4c/0x124
> el0_svc_common.constprop.0+0x140/0x15c
> do_el0_svc+0x30/0xd0
> el0_svc+0x1c/0x2c
> el0_sync_handler+0xb0/0xb4
> el0_sync+0x168/0x180
>
> Fixes: 939ccd107ffc ("net: hns3: move dump regs function to a separate file")
> Signed-off-by: Hao Lan <lanhao@huawei.com>
> Signed-off-by: Jijie Shao <shaojijie@huawei.com>
> Signed-off-by: Paolo Abeni <pabeni@redhat.com>
> ---
> drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_regs.c | 9 +++++----
> .../net/ethernet/hisilicon/hns3/hns3vf/hclgevf_regs.c | 9 +++++----
> 2 files changed, 10 insertions(+), 8 deletions(-)
>
> diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_regs.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_regs.c
> index 43c1c18fa81f..8c057192aae6 100644
> --- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_regs.c
> +++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_regs.c
> @@ -510,9 +510,9 @@ static int hclge_get_dfx_reg(struct hclge_dev *hdev, void *data)
> static int hclge_fetch_pf_reg(struct hclge_dev *hdev, void *data,
> struct hnae3_knic_private_info *kinfo)
> {
> -#define HCLGE_RING_REG_OFFSET 0x200
> #define HCLGE_RING_INT_REG_OFFSET 0x4
>
> + struct hnae3_queue *tqp;
> int i, j, reg_num;
> int data_num_sum;
> u32 *reg = data;
> @@ -533,10 +533,11 @@ static int hclge_fetch_pf_reg(struct hclge_dev *hdev, void *data,
> reg_num = ARRAY_SIZE(ring_reg_addr_list);
> for (j = 0; j < kinfo->num_tqps; j++) {
You can define struct hnae3_queue *tqp here to limit the scope
(same in VF case).
> reg += hclge_reg_get_tlv(HCLGE_REG_TAG_RING, reg_num, reg);
> + tqp = kinfo->tqp[j];
> for (i = 0; i < reg_num; i++)
> - *reg++ = hclge_read_dev(&hdev->hw,
> - ring_reg_addr_list[i] +
> - HCLGE_RING_REG_OFFSET * j);
> + *reg++ = readl_relaxed(tqp->io_base -
> + HCLGE_TQP_REG_OFFSET +
> + ring_reg_addr_list[i]);
> }
> data_num_sum += (reg_num + HCLGE_REG_TLV_SPACE) * kinfo->num_tqps;
>
> diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_regs.c b/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_regs.c
> index 6db415d8b917..7d9d9dbc7560 100644
> --- a/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_regs.c
> +++ b/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_regs.c
> @@ -123,10 +123,10 @@ int hclgevf_get_regs_len(struct hnae3_handle *handle)
> void hclgevf_get_regs(struct hnae3_handle *handle, u32 *version,
> void *data)
> {
> -#define HCLGEVF_RING_REG_OFFSET 0x200
> #define HCLGEVF_RING_INT_REG_OFFSET 0x4
>
> struct hclgevf_dev *hdev = hclgevf_ae_get_hdev(handle);
> + struct hnae3_queue *tqp;
> int i, j, reg_um;
> u32 *reg = data;
>
> @@ -147,10 +147,11 @@ void hclgevf_get_regs(struct hnae3_handle *handle, u32 *version,
> reg_um = ARRAY_SIZE(ring_reg_addr_list);
> for (j = 0; j < hdev->num_tqps; j++) {
> reg += hclgevf_reg_get_tlv(HCLGEVF_REG_TAG_RING, reg_um, reg);
> + tqp = &hdev->htqp[j].q;
> for (i = 0; i < reg_um; i++)
> - *reg++ = hclgevf_read_dev(&hdev->hw,
> - ring_reg_addr_list[i] +
> - HCLGEVF_RING_REG_OFFSET * j);
> + *reg++ = readl_relaxed(tqp->io_base -
> + HCLGEVF_TQP_REG_OFFSET +
> + ring_reg_addr_list[i]);
> }
>
> reg_um = ARRAY_SIZE(tqp_intr_reg_addr_list);
> --
> 2.33.0
next prev parent reply other threads:[~2024-12-18 9:32 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-12-17 1:08 [PATCH RESEND V2 net 0/7] There are some bugfix for the HNS3 ethernet driver Jijie Shao
2024-12-17 1:08 ` [PATCH RESEND V2 net 1/7] net: hns3: fixed reset failure issues caused by the incorrect reset type Jijie Shao
2024-12-18 9:02 ` Michal Swiatkowski
2024-12-19 9:41 ` Paolo Abeni
2024-12-19 10:11 ` Michal Swiatkowski
2024-12-19 10:43 ` Paolo Abeni
2024-12-19 12:26 ` Jijie Shao
2025-01-06 14:41 ` Jijie Shao
2024-12-19 10:13 ` Michal Swiatkowski
2024-12-19 12:18 ` Jijie Shao
2024-12-17 1:08 ` [PATCH RESEND V2 net 2/7] net: hns3: fix missing features due to dev->features configuration too early Jijie Shao
2024-12-18 9:16 ` Michal Swiatkowski
2024-12-17 1:08 ` [PATCH RESEND V2 net 3/7] net: hns3: Resolved the issue that the debugfs query result is inconsistent Jijie Shao
2024-12-17 1:08 ` [PATCH RESEND V2 net 4/7] net: hns3: don't auto enable misc vector Jijie Shao
2024-12-17 1:08 ` [PATCH RESEND V2 net 5/7] net: hns3: initialize reset_timer before hclgevf_misc_irq_init() Jijie Shao
2024-12-18 9:20 ` Michal Swiatkowski
2024-12-19 11:48 ` Jijie Shao
2024-12-17 1:08 ` [PATCH RESEND V2 net 6/7] net: hns3: fixed hclge_fetch_pf_reg accesses bar space out of bounds issue Jijie Shao
2024-12-18 9:29 ` Michal Swiatkowski [this message]
2024-12-19 9:51 ` Paolo Abeni
2024-12-19 10:23 ` Michal Swiatkowski
2024-12-19 11:52 ` Jijie Shao
2024-12-17 1:08 ` [PATCH RESEND V2 net 7/7] net: hns3: fix kernel crash when 1588 is sent on HIP08 devices Jijie Shao
2024-12-18 9:30 ` Michal Swiatkowski
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Z2KV37WZL7cpPYKk@mev-dev.igk.intel.com \
--to=michal.swiatkowski@linux.intel.com \
--cc=andrew+netdev@lunn.ch \
--cc=chenhao418@huawei.com \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=horms@kernel.org \
--cc=jonathan.cameron@huawei.com \
--cc=kuba@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=liuyonglong@huawei.com \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=salil.mehta@huawei.com \
--cc=shameerali.kolothum.thodi@huawei.com \
--cc=shaojijie@huawei.com \
--cc=shenjian15@huawei.com \
--cc=wangpeiyang1@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).