Re: [PATCH net 1/3] bpf, mlx5: fix mlx5e_create_rq taking reference on prog
On 11/14/2016 02:43 AM, Daniel Borkmann wrote:
> In mlx5e_create_rq(), when creating a new queue, we call bpf_prog_add() but
> without checking the return value. bpf_prog_add() can fail, so we really
Didn't know this, thanks for noticing, I wonder why taking a reference for an
object would fail ?
especially when someone is requesting from the driver to take a reference to it
ndo_xdp_set ?! sounds like a bad design.
Anyway I will check that later.
> must check it. Take the reference right when we assign it to the rq from
> priv->xdp_prog, and just drop the reference on error path. Destruction in
> mlx5e_destroy_rq() looks good, though.
>
> Fixes: 86994156c736 ("net/mlx5e: XDP fast RX drop bpf programs support")
> Signed-off-by: Daniel Borkmann
> ---
> drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 14 +++---
> kernel/bpf/syscall.c | 1 +
> 2 files changed, 12 insertions(+), 3 deletions(-)
>
> diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
> b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
> index 84e8b25..2b83667 100644
> --- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
> +++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
> @@ -489,7 +489,16 @@ static int mlx5e_create_rq(struct mlx5e_channel *c,
> rq->channel = c;
> rq->ix = c->ix;
> rq->priv= c->priv;
> +
> rq->xdp_prog = priv->xdp_prog;
Why keeping this assignment ? just test priv->xdp_prog.
> + if (rq->xdp_prog) {
> + rq->xdp_prog = bpf_prog_inc(rq->xdp_prog);
> + if (IS_ERR(rq->xdp_prog)) {
> + err = PTR_ERR(rq->xdp_prog);
> + rq->xdp_prog = NULL;
> + goto err_rq_wq_destroy;
> + }
> + }
Try this, simpler and less indentations:
rq->xdp_prog = priv->xdp_prog ? bpf_prog_inc(priv->xdp_prog) : NULL;
if (IS_ERR(rq->xdp_prog)) {
err = PTR_ERR(rq->xdp_prog);
rq->xdp_prog = NULL;
goto err_rq_wq_destroy;
}
Saeed.
Re: [PATCH net 1/3] bpf, mlx5: fix mlx5e_create_rq taking reference on prog
Hi Saeed,
On 11/14/2016 07:15 PM, Saeed Mahameed wrote:
On 11/14/2016 02:43 AM, Daniel Borkmann wrote:
In mlx5e_create_rq(), when creating a new queue, we call bpf_prog_add() but
without checking the return value. bpf_prog_add() can fail, so we really
Didn't know this, thanks for noticing, I wonder why taking a reference for an
object would fail ?
especially when someone is requesting from the driver to take a reference to it
ndo_xdp_set ?! sounds like a bad design.
Anyway I will check that later.
See 92117d8443bc ("bpf: fix refcnt overflow").
must check it. Take the reference right when we assign it to the rq from
priv->xdp_prog, and just drop the reference on error path. Destruction in
mlx5e_destroy_rq() looks good, though.
Fixes: 86994156c736 ("net/mlx5e: XDP fast RX drop bpf programs support")
Signed-off-by: Daniel Borkmann
---
drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 14 +++---
kernel/bpf/syscall.c | 1 +
2 files changed, 12 insertions(+), 3 deletions(-)
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
index 84e8b25..2b83667 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
@@ -489,7 +489,16 @@ static int mlx5e_create_rq(struct mlx5e_channel *c,
rq->channel = c;
rq->ix = c->ix;
rq->priv= c->priv;
+
rq->xdp_prog = priv->xdp_prog;
Why keeping this assignment ? just test priv->xdp_prog.
+ if (rq->xdp_prog) {
+ rq->xdp_prog = bpf_prog_inc(rq->xdp_prog);
+ if (IS_ERR(rq->xdp_prog)) {
+ err = PTR_ERR(rq->xdp_prog);
+ rq->xdp_prog = NULL;
+ goto err_rq_wq_destroy;
+ }
+ }
Try this, simpler and less indentations:
rq->xdp_prog = priv->xdp_prog ? bpf_prog_inc(priv->xdp_prog) : NULL;
if (IS_ERR(rq->xdp_prog)) {
err = PTR_ERR(rq->xdp_prog);
rq->xdp_prog = NULL;
goto err_rq_wq_destroy;
}
Sure, I don't mind. Will do.
Thanks,
Daniel
[PATCH net 1/3] bpf, mlx5: fix mlx5e_create_rq taking reference on prog
In mlx5e_create_rq(), when creating a new queue, we call bpf_prog_add() but
without checking the return value. bpf_prog_add() can fail, so we really
must check it. Take the reference right when we assign it to the rq from
priv->xdp_prog, and just drop the reference on error path. Destruction in
mlx5e_destroy_rq() looks good, though.
Fixes: 86994156c736 ("net/mlx5e: XDP fast RX drop bpf programs support")
Signed-off-by: Daniel Borkmann
---
drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 14 +++---
kernel/bpf/syscall.c | 1 +
2 files changed, 12 insertions(+), 3 deletions(-)
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
index 84e8b25..2b83667 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
@@ -489,7 +489,16 @@ static int mlx5e_create_rq(struct mlx5e_channel *c,
rq->channel = c;
rq->ix = c->ix;
rq->priv= c->priv;
+
rq->xdp_prog = priv->xdp_prog;
+ if (rq->xdp_prog) {
+ rq->xdp_prog = bpf_prog_inc(rq->xdp_prog);
+ if (IS_ERR(rq->xdp_prog)) {
+ err = PTR_ERR(rq->xdp_prog);
+ rq->xdp_prog = NULL;
+ goto err_rq_wq_destroy;
+ }
+ }
rq->buff.map_dir = DMA_FROM_DEVICE;
if (rq->xdp_prog)
@@ -566,12 +575,11 @@ static int mlx5e_create_rq(struct mlx5e_channel *c,
rq->page_cache.head = 0;
rq->page_cache.tail = 0;
- if (rq->xdp_prog)
- bpf_prog_add(rq->xdp_prog, 1);
-
return 0;
err_rq_wq_destroy:
+ if (rq->xdp_prog)
+ bpf_prog_put(rq->xdp_prog);
mlx5_wq_destroy(>wq_ctrl);
return err;
diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
index 237f3d6..751e806 100644
--- a/kernel/bpf/syscall.c
+++ b/kernel/bpf/syscall.c
@@ -686,6 +686,7 @@ struct bpf_prog *bpf_prog_inc(struct bpf_prog *prog)
{
return bpf_prog_add(prog, 1);
}
+EXPORT_SYMBOL_GPL(bpf_prog_inc);
static struct bpf_prog *__bpf_prog_get(u32 ufd, enum bpf_prog_type *type)
{
--
1.9.3
