patch 'net/cxgbe: fix dangling pointer by mailbox access rework' has been queued to stable release 21.11.1

Kevin Traynor ktraynor at redhat.com
Mon Feb 21 16:34:23 CET 2022 

Hi,

FYI, your patch has been queued to stable release 21.11.1

Note it hasn't been pushed to http://dpdk.org/browse/dpdk-stable yet.
It will be pushed if I get no objections before 02/26/22. So please
shout if anyone has objections.

Also note that after the patch there's a diff of the upstream commit vs the
patch applied to the branch. This will indicate if there was any rebasing
needed to apply to the stable branch. If there were code changes for rebasing
(ie: not only metadata diffs), please double check that the rebase was
correctly done.

Queued patches are on a temporary branch at:
https://github.com/kevintraynor/dpdk-stable

This queued commit can be viewed at:
https://github.com/kevintraynor/dpdk-stable/commit/699c30f8534c136926df9b6fb5b97ed06c1f34a0

Thanks.

Kevin

---
>From 699c30f8534c136926df9b6fb5b97ed06c1f34a0 Mon Sep 17 00:00:00 2001
From: Rahul Lakkireddy <rahul.lakkireddy at chelsio.com>
Date: Thu, 20 Jan 2022 03:26:40 +0530
Subject: [PATCH] net/cxgbe: fix dangling pointer by mailbox access rework
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

[ upstream commit 19cafed99ac573662045424e559cee444c175b63 ]

Rework mailbox access serialization to dynamically allocate and
free mbox entry. Also remove unnecessary temp memory and macros.

Observed with: gcc-12.0 (GCC) 12.0.1 20220118 (experimental)

In file included from ../lib/eal/linux/include/rte_os.h:14,
                 from ../lib/eal/include/rte_common.h:28,
                 from ../lib/eal/include/rte_log.h:25,
                 from ../lib/ethdev/rte_ethdev.h:164,
                 from ../lib/ethdev/ethdev_driver.h:18,
                 from ../drivers/net/cxgbe/base/t4vf_hw.c:6:
In function ‘t4_os_atomic_add_tail’,
    inlined from ‘t4vf_wr_mbox_core’ at
	../drivers/net/cxgbe/base/t4vf_hw.c:115:2:
../drivers/net/cxgbe/base/adapter.h:742:9:
      warning: storing the address of local variable ‘entry’ in
      ‘((struct mbox_list *)adapter)[96].tqh_last’ [-Wdangling-pointer=]
  742 |         TAILQ_INSERT_TAIL(head, entry, next);
      |         ^~~~~~~~~~~~~~~~~
../drivers/net/cxgbe/base/t4vf_hw.c: In function ‘t4vf_wr_mbox_core’:
../drivers/net/cxgbe/base/t4vf_hw.c:86:27: note: ‘entry’ declared here
   86 |         struct mbox_entry entry;
      |                           ^~~~~
../drivers/net/cxgbe/base/t4vf_hw.c:86:27: note: ‘adapter’ declared here

Fixes: 3bd122eef2cc ("cxgbe/base: add hardware API for Chelsio T5 series adapters")

Reported-by: Ferruh Yigit <ferruh.yigit at intel.com>
Signed-off-by: Rahul Lakkireddy <rahul.lakkireddy at chelsio.com>
---
 drivers/net/cxgbe/base/adapter.h |  2 -
 drivers/net/cxgbe/base/t4_hw.c   | 83 ++++++++++++--------------------
 drivers/net/cxgbe/base/t4vf_hw.c | 28 +++++++----
 3 files changed, 49 insertions(+), 64 deletions(-)

diff --git a/drivers/net/cxgbe/base/adapter.h b/drivers/net/cxgbe/base/adapter.h
index 1c7c8afe16..97963422bf 100644
--- a/drivers/net/cxgbe/base/adapter.h
+++ b/drivers/net/cxgbe/base/adapter.h
@@ -292,6 +292,4 @@ struct sge {
 };
 
-#define T4_OS_NEEDS_MBOX_LOCKING 1
-
 /*
  * OS Lock/List primitives for those interfaces in the Common Code which
diff --git a/drivers/net/cxgbe/base/t4_hw.c b/drivers/net/cxgbe/base/t4_hw.c
index cdcd7e5510..645833765a 100644
--- a/drivers/net/cxgbe/base/t4_hw.c
+++ b/drivers/net/cxgbe/base/t4_hw.c
@@ -264,15 +264,4 @@ static void fw_asrt(struct adapter *adap, u32 mbox_addr)
 #define X_CIM_PF_NOACCESS 0xeeeeeeee
 
-/*
- * If the Host OS Driver needs locking arround accesses to the mailbox, this
- * can be turned on via the T4_OS_NEEDS_MBOX_LOCKING CPP define ...
- */
-/* makes single-statement usage a bit cleaner ... */
-#ifdef T4_OS_NEEDS_MBOX_LOCKING
-#define T4_OS_MBOX_LOCKING(x) x
-#else
-#define T4_OS_MBOX_LOCKING(x) do {} while (0)
-#endif
-
 /**
  * t4_wr_mbox_meat_timeout - send a command to FW through the given mailbox
@@ -315,26 +304,15 @@ int t4_wr_mbox_meat_timeout(struct adapter *adap, int mbox,
 	};
 
-	u32 v;
-	u64 res;
-	int i, ms;
-	unsigned int delay_idx;
-	__be64 *temp = (__be64 *)malloc(size * sizeof(char));
-	__be64 *p = temp;
 	u32 data_reg = PF_REG(mbox, A_CIM_PF_MAILBOX_DATA);
 	u32 ctl_reg = PF_REG(mbox, A_CIM_PF_MAILBOX_CTRL);
-	u32 ctl;
-	struct mbox_entry entry;
-	u32 pcie_fw = 0;
+	struct mbox_entry *entry;
+	u32 v, ctl, pcie_fw = 0;
+	unsigned int delay_idx;
+	const __be64 *p;
+	int i, ms, ret;
+	u64 res;
 
-	if (!temp)
-		return -ENOMEM;
-
-	if ((size & 15) || size > MBOX_LEN) {
-		free(temp);
+	if ((size & 15) != 0 || size > MBOX_LEN)
 		return -EINVAL;
-	}
-
-	memset(p, 0, size);
-	memcpy(p, (const __be64 *)cmd, size);
 
 	/*
@@ -346,5 +324,8 @@ int t4_wr_mbox_meat_timeout(struct adapter *adap, int mbox,
 	}
 
-#ifdef T4_OS_NEEDS_MBOX_LOCKING
+	entry = t4_os_alloc(sizeof(*entry));
+	if (entry == NULL)
+		return -ENOMEM;
+
 	/*
 	 * Queue ourselves onto the mailbox access list.  When our entry is at
@@ -353,5 +334,5 @@ int t4_wr_mbox_meat_timeout(struct adapter *adap, int mbox,
 	 * EBUSY] ...
 	 */
-	t4_os_atomic_add_tail(&entry, &adap->mbox_list, &adap->mbox_lock);
+	t4_os_atomic_add_tail(entry, &adap->mbox_list, &adap->mbox_lock);
 
 	delay_idx = 0;
@@ -368,9 +349,9 @@ int t4_wr_mbox_meat_timeout(struct adapter *adap, int mbox,
 		pcie_fw = t4_read_reg(adap, A_PCIE_FW);
 		if (i > 4 * timeout || (pcie_fw & F_PCIE_FW_ERR)) {
-			t4_os_atomic_list_del(&entry, &adap->mbox_list,
+			t4_os_atomic_list_del(entry, &adap->mbox_list,
 					      &adap->mbox_lock);
 			t4_report_fw_error(adap);
-			free(temp);
-			return (pcie_fw & F_PCIE_FW_ERR) ? -ENXIO : -EBUSY;
+			ret = ((pcie_fw & F_PCIE_FW_ERR) != 0) ? -ENXIO : -EBUSY;
+			goto out_free;
 		}
 
@@ -379,5 +360,5 @@ int t4_wr_mbox_meat_timeout(struct adapter *adap, int mbox,
 		 * protocol.
 		 */
-		if (t4_os_list_first_entry(&adap->mbox_list) == &entry)
+		if (t4_os_list_first_entry(&adap->mbox_list) == entry)
 			break;
 
@@ -394,5 +375,4 @@ int t4_wr_mbox_meat_timeout(struct adapter *adap, int mbox,
 		}
 	}
-#endif /* T4_OS_NEEDS_MBOX_LOCKING */
 
 	/*
@@ -411,10 +391,9 @@ int t4_wr_mbox_meat_timeout(struct adapter *adap, int mbox,
 	 */
 	if (v != X_MBOWNER_PL) {
-		T4_OS_MBOX_LOCKING(t4_os_atomic_list_del(&entry,
-							 &adap->mbox_list,
-							 &adap->mbox_lock));
+		t4_os_atomic_list_del(entry, &adap->mbox_list,
+				      &adap->mbox_lock);
 		t4_report_fw_error(adap);
-		free(temp);
-		return (v == X_MBOWNER_FW ? -EBUSY : -ETIMEDOUT);
+		ret = (v == X_MBOWNER_FW) ? -EBUSY : -ETIMEDOUT;
+		goto out_free;
 	}
 
@@ -442,5 +421,5 @@ int t4_wr_mbox_meat_timeout(struct adapter *adap, int mbox,
 	 * Copy in the new mailbox command and send it on its way ...
 	 */
-	for (i = 0; i < size; i += 8, p++)
+	for (i = 0, p = cmd; i < size; i += 8, p++)
 		t4_write_reg64(adap, data_reg + i, be64_to_cpu(*p));
 
@@ -513,9 +492,8 @@ int t4_wr_mbox_meat_timeout(struct adapter *adap, int mbox,
 			}
 			t4_write_reg(adap, ctl_reg, V_MBOWNER(X_MBOWNER_NONE));
-			T4_OS_MBOX_LOCKING(
-				t4_os_atomic_list_del(&entry, &adap->mbox_list,
-						      &adap->mbox_lock));
-			free(temp);
-			return -G_FW_CMD_RETVAL((int)res);
+			t4_os_atomic_list_del(entry, &adap->mbox_list,
+					      &adap->mbox_lock);
+			ret = -G_FW_CMD_RETVAL((int)res);
+			goto out_free;
 		}
 	}
@@ -528,10 +506,11 @@ int t4_wr_mbox_meat_timeout(struct adapter *adap, int mbox,
 	dev_err(adap, "command %#x in mailbox %d timed out\n",
 		*(const u8 *)cmd, mbox);
-	T4_OS_MBOX_LOCKING(t4_os_atomic_list_del(&entry,
-						 &adap->mbox_list,
-						 &adap->mbox_lock));
+	t4_os_atomic_list_del(entry, &adap->mbox_list, &adap->mbox_lock);
 	t4_report_fw_error(adap);
-	free(temp);
-	return (pcie_fw & F_PCIE_FW_ERR) ? -ENXIO : -ETIMEDOUT;
+	ret = ((pcie_fw & F_PCIE_FW_ERR) != 0) ? -ENXIO : -ETIMEDOUT;
+
+out_free:
+	t4_os_free(entry);
+	return ret;
 }
 
diff --git a/drivers/net/cxgbe/base/t4vf_hw.c b/drivers/net/cxgbe/base/t4vf_hw.c
index 561d759dbc..7dbd4deb79 100644
--- a/drivers/net/cxgbe/base/t4vf_hw.c
+++ b/drivers/net/cxgbe/base/t4vf_hw.c
@@ -84,5 +84,5 @@ int t4vf_wr_mbox_core(struct adapter *adapter,
 	u32 mbox_ctl = T4VF_CIM_BASE_ADDR + A_CIM_VF_EXT_MAILBOX_CTRL;
 	__be64 cmd_rpl[MBOX_LEN / 8];
-	struct mbox_entry entry;
+	struct mbox_entry *entry;
 	unsigned int delay_idx;
 	u32 v, mbox_data;
@@ -107,4 +107,8 @@ int t4vf_wr_mbox_core(struct adapter *adapter,
 		return -EINVAL;
 
+	entry = t4_os_alloc(sizeof(*entry));
+	if (entry == NULL)
+		return -ENOMEM;
+
 	/*
 	 * Queue ourselves onto the mailbox access list.  When our entry is at
@@ -113,5 +117,5 @@ int t4vf_wr_mbox_core(struct adapter *adapter,
 	 * EBUSY] ...
 	 */
-	t4_os_atomic_add_tail(&entry, &adapter->mbox_list, &adapter->mbox_lock);
+	t4_os_atomic_add_tail(entry, &adapter->mbox_list, &adapter->mbox_lock);
 
 	delay_idx = 0;
@@ -126,8 +130,8 @@ int t4vf_wr_mbox_core(struct adapter *adapter,
 		 */
 		if (i > (2 * FW_CMD_MAX_TIMEOUT)) {
-			t4_os_atomic_list_del(&entry, &adapter->mbox_list,
+			t4_os_atomic_list_del(entry, &adapter->mbox_list,
 					      &adapter->mbox_lock);
 			ret = -EBUSY;
-			return ret;
+			goto out_free;
 		}
 
@@ -136,5 +140,5 @@ int t4vf_wr_mbox_core(struct adapter *adapter,
 		 * protocol.
 		 */
-		if (t4_os_list_first_entry(&adapter->mbox_list) == &entry)
+		if (t4_os_list_first_entry(&adapter->mbox_list) == entry)
 			break;
 
@@ -161,8 +165,8 @@ int t4vf_wr_mbox_core(struct adapter *adapter,
 
 	if (v != X_MBOWNER_PL) {
-		t4_os_atomic_list_del(&entry, &adapter->mbox_list,
+		t4_os_atomic_list_del(entry, &adapter->mbox_list,
 				      &adapter->mbox_lock);
 		ret = (v == X_MBOWNER_FW) ? -EBUSY : -ETIMEDOUT;
-		return ret;
+		goto out_free;
 	}
 
@@ -225,5 +229,5 @@ int t4vf_wr_mbox_core(struct adapter *adapter,
 			t4_write_reg(adapter, mbox_ctl,
 				     V_MBOWNER(X_MBOWNER_NONE));
-			t4_os_atomic_list_del(&entry, &adapter->mbox_list,
+			t4_os_atomic_list_del(entry, &adapter->mbox_list,
 					      &adapter->mbox_lock);
 
@@ -237,5 +241,6 @@ int t4vf_wr_mbox_core(struct adapter *adapter,
 				memcpy(rpl, cmd_rpl, size);
 			}
-			return -((int)G_FW_CMD_RETVAL(v));
+			ret = -((int)G_FW_CMD_RETVAL(v));
+			goto out_free;
 		}
 	}
@@ -247,6 +252,9 @@ int t4vf_wr_mbox_core(struct adapter *adapter,
 		*(const u8 *)cmd);
 	dev_err(adapter, "    Control = %#x\n", t4_read_reg(adapter, mbox_ctl));
-	t4_os_atomic_list_del(&entry, &adapter->mbox_list, &adapter->mbox_lock);
+	t4_os_atomic_list_del(entry, &adapter->mbox_list, &adapter->mbox_lock);
 	ret = -ETIMEDOUT;
+
+out_free:
+	t4_os_free(entry);
 	return ret;
 }
-- 
2.34.1

---
  Diff of the applied patch vs upstream commit (please double-check if non-empty:
---
--- -	2022-02-21 15:22:46.253703140 +0000
+++ 0074-net-cxgbe-fix-dangling-pointer-by-mailbox-access-rew.patch	2022-02-21 15:22:44.163704288 +0000
@@ -1 +1 @@
-From 19cafed99ac573662045424e559cee444c175b63 Mon Sep 17 00:00:00 2001
+From 699c30f8534c136926df9b6fb5b97ed06c1f34a0 Mon Sep 17 00:00:00 2001
@@ -8,0 +9,2 @@
+[ upstream commit 19cafed99ac573662045424e559cee444c175b63 ]
+
@@ -35 +36,0 @@
-Cc: stable at dpdk.org

More information about the stable mailing list