| Message ID | 20221207013114.1748936-1-shaozhengchao@huawei.com |
|---|---|
| State | New |
| Headers | show |
| Series | wifi: brcmfmac: unmap dma buffer in brcmf_msgbuf_alloc_pktid() | expand |
Zhengchao Shao <shaozhengchao@huawei.com> wrote: > After the DMA buffer is mapped to a physical address, address is stored > in pktids in brcmf_msgbuf_alloc_pktid(). Then, pktids is parsed in > brcmf_msgbuf_get_pktid()/brcmf_msgbuf_release_array() to obtain physaddr > and later unmap the DMA buffer. But when count is always equal to > pktids->array_size, physaddr isn't stored in pktids and the DMA buffer > will not be unmapped anyway. > > Fixes: 9a1bb60250d2 ("brcmfmac: Adding msgbuf protocol.") > Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com> Can someone review this?
On 2022-12-21 18:33:06 [+0000], Kalle Valo wrote: > Zhengchao Shao <shaozhengchao@huawei.com> wrote: > > > After the DMA buffer is mapped to a physical address, address is stored > > in pktids in brcmf_msgbuf_alloc_pktid(). Then, pktids is parsed in > > brcmf_msgbuf_get_pktid()/brcmf_msgbuf_release_array() to obtain physaddr > > and later unmap the DMA buffer. But when count is always equal to > > pktids->array_size, physaddr isn't stored in pktids and the DMA buffer > > will not be unmapped anyway. > > > > Fixes: 9a1bb60250d2 ("brcmfmac: Adding msgbuf protocol.") > > Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com> > > Can someone review this? After looking at the code, that skb is mapped but not inserted into the ringbuffer in this condition. The function returns with an error and the caller will free that skb (or add to a list for later). Either way the skb remains mapped which is wrong. The unmap here is the right thing to do. Reviewed-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de> Sebastian
Sebastian Andrzej Siewior <bigeasy@linutronix.de> writes: > On 2022-12-21 18:33:06 [+0000], Kalle Valo wrote: >> Zhengchao Shao <shaozhengchao@huawei.com> wrote: >> >> > After the DMA buffer is mapped to a physical address, address is stored >> > in pktids in brcmf_msgbuf_alloc_pktid(). Then, pktids is parsed in >> > brcmf_msgbuf_get_pktid()/brcmf_msgbuf_release_array() to obtain physaddr >> > and later unmap the DMA buffer. But when count is always equal to >> > pktids->array_size, physaddr isn't stored in pktids and the DMA buffer >> > will not be unmapped anyway. >> > >> > Fixes: 9a1bb60250d2 ("brcmfmac: Adding msgbuf protocol.") >> > Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com> >> >> Can someone review this? > > After looking at the code, that skb is mapped but not inserted into the > ringbuffer in this condition. The function returns with an error and the > caller will free that skb (or add to a list for later). Either way the > skb remains mapped which is wrong. The unmap here is the right thing to > do. > > Reviewed-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de> Thanks for the review, very much appreciated.
On 2022/12/22 16:46, Kalle Valo wrote: > Sebastian Andrzej Siewior <bigeasy@linutronix.de> writes: > >> On 2022-12-21 18:33:06 [+0000], Kalle Valo wrote: >>> Zhengchao Shao <shaozhengchao@huawei.com> wrote: >>> >>>> After the DMA buffer is mapped to a physical address, address is stored >>>> in pktids in brcmf_msgbuf_alloc_pktid(). Then, pktids is parsed in >>>> brcmf_msgbuf_get_pktid()/brcmf_msgbuf_release_array() to obtain physaddr >>>> and later unmap the DMA buffer. But when count is always equal to >>>> pktids->array_size, physaddr isn't stored in pktids and the DMA buffer >>>> will not be unmapped anyway. >>>> >>>> Fixes: 9a1bb60250d2 ("brcmfmac: Adding msgbuf protocol.") >>>> Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com> >>> >>> Can someone review this? >> >> After looking at the code, that skb is mapped but not inserted into the >> ringbuffer in this condition. The function returns with an error and the >> caller will free that skb (or add to a list for later). Either way the >> skb remains mapped which is wrong. The unmap here is the right thing to >> do. >> >> Reviewed-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de> > > Thanks for the review, very much appreciated. > Thank you very much. Zhengchao Shao
On 12/22/2022 9:52 AM, shaozhengchao wrote: > > > On 2022/12/22 16:46, Kalle Valo wrote: >> Sebastian Andrzej Siewior <bigeasy@linutronix.de> writes: >> >>> On 2022-12-21 18:33:06 [+0000], Kalle Valo wrote: >>>> Zhengchao Shao <shaozhengchao@huawei.com> wrote: >>>> >>>>> After the DMA buffer is mapped to a physical address, address is >>>>> stored >>>>> in pktids in brcmf_msgbuf_alloc_pktid(). Then, pktids is parsed in >>>>> brcmf_msgbuf_get_pktid()/brcmf_msgbuf_release_array() to obtain >>>>> physaddr >>>>> and later unmap the DMA buffer. But when count is always equal to >>>>> pktids->array_size, physaddr isn't stored in pktids and the DMA buffer >>>>> will not be unmapped anyway. >>>>> >>>>> Fixes: 9a1bb60250d2 ("brcmfmac: Adding msgbuf protocol.") >>>>> Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com> >>>> >>>> Can someone review this? >>> >>> After looking at the code, that skb is mapped but not inserted into the >>> ringbuffer in this condition. The function returns with an error and the >>> caller will free that skb (or add to a list for later). Either way the >>> skb remains mapped which is wrong. The unmap here is the right thing to >>> do. >>> >>> Reviewed-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de> >> >> Thanks for the review, very much appreciated. >> > > Thank you very much. Good catch. Has this path been observed or is this found by inspecting the code? Just curious. Regards, Arend
-----Original Message----- From: Arend van Spriel [mailto:arend.vanspriel@broadcom.com] Sent: Thursday, December 22, 2022 7:00 PM To: shaozhengchao <shaozhengchao@huawei.com>; Kalle Valo <kvalo@kernel.org>; Sebastian Andrzej Siewior <bigeasy@linutronix.de> Cc: netdev@vger.kernel.org; linux-wireless@vger.kernel.org; brcm80211-dev-list.pdl@broadcom.com; SHA-cyfmac-dev-list@infineon.com; davem@davemloft.net; edumazet@google.com; kuba@kernel.org; pabeni@redhat.com; aspriel@gmail.com; franky.lin@broadcom.com; hante.meuleman@broadcom.com; wright.feng@cypress.com; chi-hsien.lin@cypress.com; a.fatoum@pengutronix.de; alsi@bang-olufsen.dk; pieterpg@broadcom.com; dekim@broadcom.com; linville@tuxdriver.com; weiyongjun (A) <weiyongjun1@huawei.com>; yuehaibing <yuehaibing@huawei.com> Subject: Re: [PATCH] wifi: brcmfmac: unmap dma buffer in brcmf_msgbuf_alloc_pktid() On 12/22/2022 9:52 AM, shaozhengchao wrote: > > > On 2022/12/22 16:46, Kalle Valo wrote: >> Sebastian Andrzej Siewior <bigeasy@linutronix.de> writes: >> >>> On 2022-12-21 18:33:06 [+0000], Kalle Valo wrote: >>>> Zhengchao Shao <shaozhengchao@huawei.com> wrote: >>>> >>>>> After the DMA buffer is mapped to a physical address, address is >>>>> stored >>>>> in pktids in brcmf_msgbuf_alloc_pktid(). Then, pktids is parsed in >>>>> brcmf_msgbuf_get_pktid()/brcmf_msgbuf_release_array() to obtain >>>>> physaddr >>>>> and later unmap the DMA buffer. But when count is always equal to >>>>> pktids->array_size, physaddr isn't stored in pktids and the DMA buffer >>>>> will not be unmapped anyway. >>>>> >>>>> Fixes: 9a1bb60250d2 ("brcmfmac: Adding msgbuf protocol.") >>>>> Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com> >>>> >>>> Can someone review this? >>> >>> After looking at the code, that skb is mapped but not inserted into the >>> ringbuffer in this condition. The function returns with an error and the >>> caller will free that skb (or add to a list for later). Either way the >>> skb remains mapped which is wrong. The unmap here is the right thing to >>> do. >>> >>> Reviewed-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de> >> >> Thanks for the review, very much appreciated. >> > > Thank you very much. >Good catch. Has this path been observed or is this found by inspecting >the code? Just curious. >Regards, >Arend Hi Arend: I review code and find the bug. Zhengchao Shao
On 12/22/2022 12:35 PM, shaozhengchao wrote: > > > -----Original Message----- > From: Arend van Spriel [mailto:arend.vanspriel@broadcom.com] > Sent: Thursday, December 22, 2022 7:00 PM > To: shaozhengchao <shaozhengchao@huawei.com>; Kalle Valo <kvalo@kernel.org>; Sebastian Andrzej Siewior <bigeasy@linutronix.de> > Cc: netdev@vger.kernel.org; linux-wireless@vger.kernel.org; brcm80211-dev-list.pdl@broadcom.com; SHA-cyfmac-dev-list@infineon.com; davem@davemloft.net; edumazet@google.com; kuba@kernel.org; pabeni@redhat.com; aspriel@gmail.com; franky.lin@broadcom.com; hante.meuleman@broadcom.com; wright.feng@cypress.com; chi-hsien.lin@cypress.com; a.fatoum@pengutronix.de; alsi@bang-olufsen.dk; pieterpg@broadcom.com; dekim@broadcom.com; linville@tuxdriver.com; weiyongjun (A) <weiyongjun1@huawei.com>; yuehaibing <yuehaibing@huawei.com> > Subject: Re: [PATCH] wifi: brcmfmac: unmap dma buffer in brcmf_msgbuf_alloc_pktid() > > On 12/22/2022 9:52 AM, shaozhengchao wrote: >> >> >> On 2022/12/22 16:46, Kalle Valo wrote: >>> Sebastian Andrzej Siewior <bigeasy@linutronix.de> writes: >>> >>>> On 2022-12-21 18:33:06 [+0000], Kalle Valo wrote: >>>>> Zhengchao Shao <shaozhengchao@huawei.com> wrote: >>>>> >>>>>> After the DMA buffer is mapped to a physical address, address is >>>>>> stored >>>>>> in pktids in brcmf_msgbuf_alloc_pktid(). Then, pktids is parsed in >>>>>> brcmf_msgbuf_get_pktid()/brcmf_msgbuf_release_array() to obtain >>>>>> physaddr >>>>>> and later unmap the DMA buffer. But when count is always equal to >>>>>> pktids->array_size, physaddr isn't stored in pktids and the DMA buffer >>>>>> will not be unmapped anyway. >>>>>> >>>>>> Fixes: 9a1bb60250d2 ("brcmfmac: Adding msgbuf protocol.") >>>>>> Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com> >>>>> >>>>> Can someone review this? >>>> >>>> After looking at the code, that skb is mapped but not inserted into the >>>> ringbuffer in this condition. The function returns with an error and the >>>> caller will free that skb (or add to a list for later). Either way the >>>> skb remains mapped which is wrong. The unmap here is the right thing to >>>> do. >>>> >>>> Reviewed-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de> >>> >>> Thanks for the review, very much appreciated. >>> >> >> Thank you very much. > >> Good catch. Has this path been observed or is this found by inspecting >> the code? Just curious. > >> Regards, >> Arend > > Hi Arend: > I review code and find the bug. Much appreciated. Regards, Arend > Zhengchao Shao
Zhengchao Shao <shaozhengchao@huawei.com> wrote: > After the DMA buffer is mapped to a physical address, address is stored > in pktids in brcmf_msgbuf_alloc_pktid(). Then, pktids is parsed in > brcmf_msgbuf_get_pktid()/brcmf_msgbuf_release_array() to obtain physaddr > and later unmap the DMA buffer. But when count is always equal to > pktids->array_size, physaddr isn't stored in pktids and the DMA buffer > will not be unmapped anyway. > > Fixes: 9a1bb60250d2 ("brcmfmac: Adding msgbuf protocol.") > Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com> > Reviewed-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de> Patch applied to wireless-next.git, thanks. b9f420032f2b wifi: brcmfmac: unmap dma buffer in brcmf_msgbuf_alloc_pktid()
diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/msgbuf.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/msgbuf.c index cec53f934940..45fbcbdc7d9e 100644 --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/msgbuf.c +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/msgbuf.c @@ -347,8 +347,11 @@ brcmf_msgbuf_alloc_pktid(struct device *dev, count++; } while (count < pktids->array_size); - if (count == pktids->array_size) + if (count == pktids->array_size) { + dma_unmap_single(dev, *physaddr, skb->len - data_offset, + pktids->direction); return -ENOMEM; + } array[*idx].data_offset = data_offset; array[*idx].physaddr = *physaddr;
After the DMA buffer is mapped to a physical address, address is stored in pktids in brcmf_msgbuf_alloc_pktid(). Then, pktids is parsed in brcmf_msgbuf_get_pktid()/brcmf_msgbuf_release_array() to obtain physaddr and later unmap the DMA buffer. But when count is always equal to pktids->array_size, physaddr isn't stored in pktids and the DMA buffer will not be unmapped anyway. Fixes: 9a1bb60250d2 ("brcmfmac: Adding msgbuf protocol.") Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com> --- drivers/net/wireless/broadcom/brcm80211/brcmfmac/msgbuf.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-)