From: Vadim Fedorenko <vadfed@meta.com>
To: Aya Levin <ayal@nvidia.com>, Saeed Mahameed <saeedm@nvidia.com>,
"Jakub Kicinski" <kuba@kernel.org>
Cc: Vadim Fedorenko <vadfed@meta.com>, <netdev@vger.kernel.org>
Subject: [PATCH net 1/2] mlx5: fix possible ptp queue fifo overflow
Date: Sun, 22 Jan 2023 08:16:01 -0800 [thread overview]
Message-ID: <20230122161602.1958577-2-vadfed@meta.com> (raw)
In-Reply-To: <20230122161602.1958577-1-vadfed@meta.com>
Fifo pointers are not checked for overflow and this could potentially
lead to overflow and double free under heavy PTP traffic.
Also there were accidental OOO cqe which lead to absolutely broken fifo.
Add checks to workaround OOO cqe and add counters to show the amount of
such events.
Fixes: 19b43a432e3e ("net/mlx5e: Extend SKB room check to include PTP-SQ")
Signed-off-by: Vadim Fedorenko <vadfed@meta.com>
---
.../net/ethernet/mellanox/mlx5/core/en/ptp.c | 28 ++++++++++++++-----
.../net/ethernet/mellanox/mlx5/core/en/txrx.h | 6 +++-
.../ethernet/mellanox/mlx5/core/en_stats.c | 2 ++
.../ethernet/mellanox/mlx5/core/en_stats.h | 2 ++
4 files changed, 30 insertions(+), 8 deletions(-)
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/ptp.c b/drivers/net/ethernet/mellanox/mlx5/core/en/ptp.c
index 903de88bab53..11a99e0f00c6 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/en/ptp.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en/ptp.c
@@ -86,20 +86,31 @@ static bool mlx5e_ptp_ts_cqe_drop(struct mlx5e_ptpsq *ptpsq, u16 skb_cc, u16 skb
return (ptpsq->ts_cqe_ctr_mask && (skb_cc != skb_id));
}
-static void mlx5e_ptp_skb_fifo_ts_cqe_resync(struct mlx5e_ptpsq *ptpsq, u16 skb_cc, u16 skb_id)
+static bool mlx5e_ptp_skb_fifo_ts_cqe_resync(struct mlx5e_ptpsq *ptpsq, u16 skb_cc, u16 skb_id)
{
struct skb_shared_hwtstamps hwts = {};
struct sk_buff *skb;
ptpsq->cq_stats->resync_event++;
- while (skb_cc != skb_id) {
- skb = mlx5e_skb_fifo_pop(&ptpsq->skb_fifo);
+ if (skb_cc > skb_id || PTP_WQE_CTR2IDX(ptpsq->skb_fifo_pc) < skb_id) {
+ ptpsq->cq_stats->ooo_cqe++;
+ return false;
+ }
+
+ while (skb_cc != skb_id && (skb = mlx5e_skb_fifo_pop(&ptpsq->skb_fifo))) {
hwts.hwtstamp = mlx5e_skb_cb_get_hwts(skb)->cqe_hwtstamp;
skb_tstamp_tx(skb, &hwts);
ptpsq->cq_stats->resync_cqe++;
skb_cc = PTP_WQE_CTR2IDX(ptpsq->skb_fifo_cc);
}
+
+ if (!skb) {
+ ptpsq->cq_stats->fifo_empty++;
+ return false;
+ }
+
+ return true;
}
static void mlx5e_ptp_handle_ts_cqe(struct mlx5e_ptpsq *ptpsq,
@@ -109,7 +120,7 @@ static void mlx5e_ptp_handle_ts_cqe(struct mlx5e_ptpsq *ptpsq,
u16 skb_id = PTP_WQE_CTR2IDX(be16_to_cpu(cqe->wqe_counter));
u16 skb_cc = PTP_WQE_CTR2IDX(ptpsq->skb_fifo_cc);
struct mlx5e_txqsq *sq = &ptpsq->txqsq;
- struct sk_buff *skb;
+ struct sk_buff *skb = NULL;
ktime_t hwtstamp;
if (unlikely(MLX5E_RX_ERR_CQE(cqe))) {
@@ -118,8 +129,10 @@ static void mlx5e_ptp_handle_ts_cqe(struct mlx5e_ptpsq *ptpsq,
goto out;
}
- if (mlx5e_ptp_ts_cqe_drop(ptpsq, skb_cc, skb_id))
- mlx5e_ptp_skb_fifo_ts_cqe_resync(ptpsq, skb_cc, skb_id);
+ if (mlx5e_ptp_ts_cqe_drop(ptpsq, skb_cc, skb_id) &&
+ !mlx5e_ptp_skb_fifo_ts_cqe_resync(ptpsq, skb_cc, skb_id)) {
+ goto out;
+ }
skb = mlx5e_skb_fifo_pop(&ptpsq->skb_fifo);
hwtstamp = mlx5e_cqe_ts_to_ns(sq->ptp_cyc2time, sq->clock, get_cqe_ts(cqe));
@@ -128,7 +141,8 @@ static void mlx5e_ptp_handle_ts_cqe(struct mlx5e_ptpsq *ptpsq,
ptpsq->cq_stats->cqe++;
out:
- napi_consume_skb(skb, budget);
+ if (skb)
+ napi_consume_skb(skb, budget);
}
static bool mlx5e_ptp_poll_ts_cq(struct mlx5e_cq *cq, int budget)
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/txrx.h b/drivers/net/ethernet/mellanox/mlx5/core/en/txrx.h
index aeed165a2dec..0bd2dd694f04 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/en/txrx.h
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en/txrx.h
@@ -81,7 +81,7 @@ void mlx5e_free_txqsq_descs(struct mlx5e_txqsq *sq);
static inline bool
mlx5e_skb_fifo_has_room(struct mlx5e_skb_fifo *fifo)
{
- return (*fifo->pc - *fifo->cc) < fifo->mask;
+ return (u16)(*fifo->pc - *fifo->cc) < fifo->mask;
}
static inline bool
@@ -291,12 +291,16 @@ void mlx5e_skb_fifo_push(struct mlx5e_skb_fifo *fifo, struct sk_buff *skb)
{
struct sk_buff **skb_item = mlx5e_skb_fifo_get(fifo, (*fifo->pc)++);
+ WARN_ONCE((u16)(*fifo->pc - *fifo->cc) > fifo->mask, "%s overflow", __func__);
*skb_item = skb;
}
static inline
struct sk_buff *mlx5e_skb_fifo_pop(struct mlx5e_skb_fifo *fifo)
{
+ if (*fifo->pc == *fifo->cc)
+ return NULL;
+
return *mlx5e_skb_fifo_get(fifo, (*fifo->cc)++);
}
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_stats.c b/drivers/net/ethernet/mellanox/mlx5/core/en_stats.c
index 7c5b17c917a5..dffcba42af83 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/en_stats.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_stats.c
@@ -2119,6 +2119,8 @@ static const struct counter_desc ptp_cq_stats_desc[] = {
{ MLX5E_DECLARE_PTP_CQ_STAT(struct mlx5e_ptp_cq_stats, abort_abs_diff_ns) },
{ MLX5E_DECLARE_PTP_CQ_STAT(struct mlx5e_ptp_cq_stats, resync_cqe) },
{ MLX5E_DECLARE_PTP_CQ_STAT(struct mlx5e_ptp_cq_stats, resync_event) },
+ { MLX5E_DECLARE_PTP_CQ_STAT(struct mlx5e_ptp_cq_stats, ooo_cqe) },
+ { MLX5E_DECLARE_PTP_CQ_STAT(struct mlx5e_ptp_cq_stats, fifo_empty) },
};
static const struct counter_desc ptp_rq_stats_desc[] = {
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_stats.h b/drivers/net/ethernet/mellanox/mlx5/core/en_stats.h
index edbf177f3c69..4e58ab49017d 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/en_stats.h
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_stats.h
@@ -457,6 +457,8 @@ struct mlx5e_ptp_cq_stats {
u64 abort_abs_diff_ns;
u64 resync_cqe;
u64 resync_event;
+ u64 ooo_cqe;
+ u64 fifo_empty;
};
struct mlx5e_stats {
--
2.30.2
next prev parent reply other threads:[~2023-01-22 16:16 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-01-22 16:16 [PATCH net 0/2] mlx5: bugfixes for ptp fifo queue Vadim Fedorenko
2023-01-22 16:16 ` Vadim Fedorenko [this message]
2023-01-23 7:20 ` [PATCH net 1/2] mlx5: fix possible ptp queue fifo overflow Leon Romanovsky
2023-01-23 14:19 ` Vadim Fedorenko
2023-01-23 12:32 ` Gal Pressman
2023-01-23 23:49 ` Vadim Fedorenko
2023-01-23 17:24 ` Vadim Fedorenko
2023-01-24 14:39 ` Gal Pressman
2023-01-24 15:09 ` Vadim Fedorenko
2023-01-25 14:42 ` Vadim Fedorenko
2023-01-25 20:33 ` Saeed Mahameed
2023-01-25 21:24 ` Vadim Fedorenko
2023-01-22 16:16 ` [PATCH net 2/2] mlx5: fix skb leak while fifo resync Vadim Fedorenko
2023-01-23 12:38 ` Gal Pressman
2023-01-23 16:52 ` Vadim Fedorenko
2023-01-24 2:03 ` Jakub Kicinski
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230122161602.1958577-2-vadfed@meta.com \
--to=vadfed@meta.com \
--cc=ayal@nvidia.com \
--cc=kuba@kernel.org \
--cc=netdev@vger.kernel.org \
--cc=saeedm@nvidia.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).