LinuxLists.cc - [PATCH net 0/2] net: ipa: fix page free in two spots

2022-05-23 05:44:20

Subject: [PATCH net 0/2] net: ipa: fix page free in two spots

When a receive buffer is not wrapped in an SKB and passed to the
network stack, the (compound) page gets freed within the IPA driver.
This is currently quite rare.

The pages are freed using __free_pages(), but they should instead be
freed using page_put(). This series fixes this, in two spots.

These patches work for Linux v5.18-rc7 and v5.17.y, but won't apply
cleanly to earlier stable branches. (Nevertheless, the fix is
trivial.)

-Alex

Alex Elder (2):
net: ipa: fix page free in ipa_endpoint_trans_release()
net: ipa: fix page free in ipa_endpoint_replenish_one()

drivers/net/ipa/ipa_endpoint.c | 9 +++------
1 file changed, 3 insertions(+), 6 deletions(-)

--
2.32.0

2022-05-23 06:29:55

by David Miller

[permalink] [raw]

Subject: Re: [PATCH net 0/2] net: ipa: fix page free in two spots

From: Alex Elder <[email protected]>
Date: Sat, 21 May 2022 19:59:57 -0500

> When a receive buffer is not wrapped in an SKB and passed to the
> network stack, the (compound) page gets freed within the IPA driver.
> This is currently quite rare.
>
> The pages are freed using __free_pages(), but they should instead be
> freed using page_put(). This series fixes this, in two spots.
>
> These patches work for Linux v5.18-rc7 and v5.17.y, but won't apply
> cleanly to earlier stable branches. (Nevertheless, the fix is
> trivial.)

This does not apply to the current net tree, please respin.

Thank you.

2022-05-23 06:35:05

by Alex Elder

[permalink] [raw]

Subject: [PATCH net 1/2] net: ipa: fix page free in ipa_endpoint_trans_release()

Currently the (possibly compound) page used for receive buffers are
freed using __free_pages(). But according to this comment above the
definition of that function, that's wrong:
If you want to use the page's reference count to decide when
to free the allocation, you should allocate a compound page,
and use put_page() instead of __free_pages().

Convert the call to __free_pages() in ipa_endpoint_trans_release()
to use put_page() instead.

Fixes: ed23f02680caa ("net: ipa: define per-endpoint receive buffer size")
Signed-off-by: Alex Elder <[email protected]>
---
drivers/net/ipa/ipa_endpoint.c | 7 ++-----
1 file changed, 2 insertions(+), 5 deletions(-)

diff --git a/drivers/net/ipa/ipa_endpoint.c b/drivers/net/ipa/ipa_endpoint.c
index 0f489723689c5..675b7135644b8 100644
--- a/drivers/net/ipa/ipa_endpoint.c
+++ b/drivers/net/ipa/ipa_endpoint.c
@@ -1385,11 +1385,8 @@ void ipa_endpoint_trans_release(struct ipa_endpoint *endpoint,
} else {
struct page *page = trans->data;

- if (page) {
- u32 buffer_size = endpoint->config.rx.buffer_size;
-
- __free_pages(page, get_order(buffer_size));
- }
+ if (page)
+ put_page(page);
}
}

--
2.32.0