Received: by 2002:a05:6602:2086:0:0:0:0 with SMTP id a6csp3244722ioa; Mon, 25 Apr 2022 22:44:11 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzI8rFWFIbucMK7FShSI0XuEgg/rfhLPEyU+/0UrQRgoGEn55p8cMSlrIACp7f8mH2K80z1 X-Received: by 2002:a05:6402:5286:b0:425:f0fb:5d23 with SMTP id en6-20020a056402528600b00425f0fb5d23mr6320183edb.243.1650951851096; Mon, 25 Apr 2022 22:44:11 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1650951851; cv=none; d=google.com; s=arc-20160816; b=bj3nzTLJw+y6I9G+FRBEWng9p75wfkzoFyaR1WkaN0WOZB+PIeyqEwivedHNp3rN2k YBorI2ear8vT6nYllR+0JXpUhD8Ms58LYU4hlDNmj8A6nkmB3xor0ZXX+YRLNb7i4g89 gIrmW7tQx02qhizDufiAwj1RsbqH61Dr7uKx2yLL4h6RNHJTO9taINSjUXneiNE28nTh JllFttMXt2GH4doTtVB1hEx7ndxx2xCFn+CYp7hNb6IDt62PzoiIlRz6dFfs7K86pLHZ EV+yctzQGPcXr1v7fu/Gte/r4r+VZSbrGGlk+fS9Nj0zmBXm8LDKS6Y4Twnkp2jvToha SGcQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:cc:to:subject :message-id:date:from:in-reply-to:references:mime-version :dkim-signature; bh=MJuuYIyWr75+wIHZvavej9Axy9mhg9QwfnL0wCWjcS4=; b=e0AJk/Bhdz7gis406yJzirvXKFopaJ8BV3mY8DiH9p3s9OLv1sPE45T6CvnPr4vBCi Pnw6KmSwDKRmFMug/4aJd1EFe0PjN1xmQk1xqdnlJzmqJ/M6hnMa5E5yj35Vtm+ynGdl BB/Q91XCTLPEPqYcKmNkvI7WPkI2VZSHHOuWFIUNy0VPjhMxqjfEM5QBUdVrJWNA1Me9 FdY/CI4bptK5qbMg+f4kwkOONSSZCW2r6ExG/qvBtPzgFG78p8gcSVjBdfvIZRrQ+YvZ szYCYLZ5VSolar8wLrcMAZ0eqOA5Gjeik7/0y/hmQIwbn4bC77a+WQ3Ix4YtP4f+pB9M QZ9A== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20210112 header.b=MABzszZS; spf=pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-wireless-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id x15-20020a05640226cf00b00425f7f0fba4si1828385edd.51.2022.04.25.22.43.54; Mon, 25 Apr 2022 22:44:11 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20210112 header.b=MABzszZS; spf=pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-wireless-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S236748AbiDYXzU (ORCPT + 67 others); Mon, 25 Apr 2022 19:55:20 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:55064 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229717AbiDYXzS (ORCPT ); Mon, 25 Apr 2022 19:55:18 -0400 Received: from mail-ua1-x92b.google.com (mail-ua1-x92b.google.com [IPv6:2607:f8b0:4864:20::92b]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id BAD514131D; Mon, 25 Apr 2022 16:52:11 -0700 (PDT) Received: by mail-ua1-x92b.google.com with SMTP id g22so6250878uam.12; Mon, 25 Apr 2022 16:52:11 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=MJuuYIyWr75+wIHZvavej9Axy9mhg9QwfnL0wCWjcS4=; b=MABzszZSXdvaMqHRHCXau39VM7pdz9DdBWdJTqWgOQM/IdAogvMNK8b+iBPAsTA8A7 Ib67af5u5lW+SaujfJXxxRnG6YE6+YxVOShjEuqNTFwGyzY+B6/qt/X4RMY/53oWchm7 er9wZnoAzQLQ7EbZRKDOaXWjR7OvIS5aeu3+Q1SlXYxQcG0DPQdrwTnYqNOhMz6oU8h9 ysETh+zIYApdlAf0dkqkmwQLl8Y8XOYNyi0Q7Z3PfRKAAr1+iQbrBmQNBFUK2P3bfbM5 Pu5X/Ij3ggdWOfmTnsShIR/p8+ze3n/zuBpK7fM7RHEsfl5C4LFWVkB7uM5vfxoY1UBm 3+XA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=MJuuYIyWr75+wIHZvavej9Axy9mhg9QwfnL0wCWjcS4=; b=tC7vGLl7xMOODXFG60sV6DVHTUqX/NpLzBHkt7N7Nr4v+6kiuG6RFlbyHGeBFkz2B+ oWa8n0P3H42cyiXehkGPcoztEqWd3G6Vg/aExQNBFvw17P+SKbDSiryb3xVLxLX6E14H KwVUqQd7GB8Qp8OF8SxFhoErgvvgVKeONHQws8chXZzXqn/Mr0LRVlkeHKTKgjcpInl9 WCYqNRAlUf6L/MB7mhtB43qzqtl3tGZNPPYJ4D2lLTRaL+K0JVHRGnP0Mk354B+3IdRH DiMLaqXzwpSkEtrd88MRUTRN6ayS0Ns9DfZRbnGePfxZS4xF2CFeAxAHW+jwsCCjyxZ5 9keg== X-Gm-Message-State: AOAM5338CcbwmUQD7o/Tr37gQVgqR8UpXWcMbem6GvbAuiicMltzrvBD wC7SVsz48O+dXgV3fBI+MdmXhJPPQ7ZLIkSGEIvPsqRiiAw= X-Received: by 2002:ab0:7290:0:b0:34b:71ac:96c2 with SMTP id w16-20020ab07290000000b0034b71ac96c2mr6176916uao.102.1650930730784; Mon, 25 Apr 2022 16:52:10 -0700 (PDT) MIME-Version: 1.0 References: <20220407223629.21487-1-ricardo.martinez@linux.intel.com> <20220407223629.21487-3-ricardo.martinez@linux.intel.com> In-Reply-To: <20220407223629.21487-3-ricardo.martinez@linux.intel.com> From: Sergey Ryazanov Date: Tue, 26 Apr 2022 02:52:10 +0300 Message-ID: Subject: Re: [PATCH net-next v6 02/13] net: wwan: t7xx: Add control DMA interface To: Ricardo Martinez Cc: netdev@vger.kernel.org, linux-wireless@vger.kernel.org, Jakub Kicinski , David Miller , Johannes Berg , Loic Poulain , M Chetan Kumar , chandrashekar.devegowda@intel.com, Intel Corporation , chiranjeevi.rapolu@linux.intel.com, =?UTF-8?B?SGFpanVuIExpdSAo5YiY5rW35YabKQ==?= , amir.hanania@intel.com, Andy Shevchenko , dinesh.sharma@intel.com, eliot.lee@intel.com, ilpo.johannes.jarvinen@intel.com, moises.veleta@intel.com, pierre-louis.bossart@intel.com, muralidharan.sethuraman@intel.com, Soumya.Prakash.Mishra@intel.com, sreehari.kancharla@intel.com, madhusmita.sahu@intel.com Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM, RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-wireless@vger.kernel.org On Fri, Apr 8, 2022 at 1:37 AM Ricardo Martinez wrote: > Cross Layer DMA (CLDMA) Hardware interface (HIF) enables the control > path of Host-Modem data transfers. CLDMA HIF layer provides a common > interface to the Port Layer. > > CLDMA manages 8 independent RX/TX physical channels with data flow > control in HW queues. CLDMA uses ring buffers of General Packet > Descriptors (GPD) for TX/RX. GPDs can represent multiple or single > data buffers (DB). > > CLDMA HIF initializes GPD rings, registers ISR handlers for CLDMA > interrupts, and initializes CLDMA HW registers. > > CLDMA TX flow: > 1. Port Layer write > 2. Get DB address > 3. Configure GPD > 4. Triggering processing via HW register write > > CLDMA RX flow: > 1. CLDMA HW sends a RX "done" to host > 2. Driver starts thread to safely read GPD > 3. DB is sent to Port layer > 4. Create a new buffer for GPD ring > > Note: This patch does not enable compilation since it has dependencies > such as t7xx_pcie_mac_clear_int()/t7xx_pcie_mac_set_int() and > struct t7xx_pci_dev which are added by the core patch. > > Signed-off-by: Haijun Liu > Signed-off-by: Chandrashekar Devegowda > Co-developed-by: Ricardo Martinez > Signed-off-by: Ricardo Martinez > > From a WWAN framework perspective: > Reviewed-by: Loic Poulain > > Reviewed-by: Ilpo J=C3=A4rvinen [skipped] > diff --git a/drivers/net/wwan/t7xx/t7xx_hif_cldma.c b/drivers/net/wwan/t7= xx/t7xx_hif_cldma.c [skipped] > +static int t7xx_cldma_gpd_rx_from_q(struct cldma_queue *queue, int budge= t, bool *over_budget) > +{ > + struct cldma_ctrl *md_ctrl =3D queue->md_ctrl; > + unsigned int hwo_polling_count =3D 0; > + struct t7xx_cldma_hw *hw_info; > + bool rx_not_done =3D true; > + unsigned long flags; > + int count =3D 0; > + > + hw_info =3D &md_ctrl->hw_info; > + > + do { > + struct cldma_request *req; > + struct cldma_rgpd *rgpd; > + struct sk_buff *skb; > + int ret; > + > + req =3D queue->tr_done; > + if (!req) > + return -ENODATA; > + > + rgpd =3D req->gpd; > + if ((rgpd->gpd_flags & GPD_FLAGS_HWO) || !req->skb) { > + dma_addr_t gpd_addr; > + > + if (!pci_device_is_present(to_pci_dev(md_ctrl->de= v))) { > + dev_err(md_ctrl->dev, "PCIe Link disconne= cted\n"); > + return -ENODEV; > + } > + > + gpd_addr =3D ioread64(hw_info->ap_pdn_base + REG_= CLDMA_DL_CURRENT_ADDRL_0 + > + queue->index * sizeof(u64)); > + if (req->gpd_addr =3D=3D gpd_addr || hwo_polling_= count++ >=3D 100) > + return 0; > + > + udelay(1); > + continue; > + } > + > + hwo_polling_count =3D 0; > + skb =3D req->skb; > + > + if (req->mapped_buff) { > + dma_unmap_single(md_ctrl->dev, req->mapped_buff, > + t7xx_skb_data_area_size(skb), DM= A_FROM_DEVICE); > + req->mapped_buff =3D 0; > + } > + > + skb->len =3D 0; > + skb_reset_tail_pointer(skb); > + skb_put(skb, le16_to_cpu(rgpd->data_buff_len)); > + > + ret =3D md_ctrl->recv_skb(queue, skb); > + if (ret < 0) > + return ret; The execution flow can not be broken here even in case of error. The .recv_skb() callback consumes (frees) skb even if there is an error. But the skb field in req (struct cldma_request) will keep the skb pointer if the function returns from here. And this stale skb pointer will cause a use-after-free or double-free error. I have not dug too deeply into the CLDMA layer and can not suggest any solution. But the error handling path needs to be rechecked. > + req->skb =3D NULL; > + t7xx_cldma_rgpd_set_data_ptr(rgpd, 0); > + > + spin_lock_irqsave(&queue->ring_lock, flags); > + queue->tr_done =3D list_next_entry_circular(req, &queue->= tr_ring->gpd_ring, entry); > + spin_unlock_irqrestore(&queue->ring_lock, flags); > + req =3D queue->rx_refill; > + > + ret =3D t7xx_cldma_alloc_and_map_skb(md_ctrl, req, queue-= >tr_ring->pkt_size); > + if (ret) > + return ret; > + > + rgpd =3D req->gpd; > + t7xx_cldma_rgpd_set_data_ptr(rgpd, req->mapped_buff); > + rgpd->data_buff_len =3D 0; > + rgpd->gpd_flags =3D GPD_FLAGS_IOC | GPD_FLAGS_HWO; > + > + spin_lock_irqsave(&queue->ring_lock, flags); > + queue->rx_refill =3D list_next_entry_circular(req, &queue= ->tr_ring->gpd_ring, entry); > + spin_unlock_irqrestore(&queue->ring_lock, flags); > + > + rx_not_done =3D ++count < budget || !need_resched(); > + } while (rx_not_done); > + > + *over_budget =3D true; > + return 0; > +} -- Sergey