c1864624 | 29-Jul-2025 |
Pedro Falcato <pfalcato@suse.de> |
RDMA/siw: Fix the sendmsg byte count in siw_tcp_sendpages
Ever since commit c2ff29e99a76 ("siw: Inline do_tcp_sendpages()"), we have been doing this:
static int siw_tcp_sendpages(struct socket *s,
RDMA/siw: Fix the sendmsg byte count in siw_tcp_sendpages
Ever since commit c2ff29e99a76 ("siw: Inline do_tcp_sendpages()"), we have been doing this:
static int siw_tcp_sendpages(struct socket *s, struct page **page, int offset, size_t size) [...] /* Calculate the number of bytes we need to push, for this page * specifically */ size_t bytes = min_t(size_t, PAGE_SIZE - offset, size); /* If we can't splice it, then copy it in, as normal */ if (!sendpage_ok(page[i])) msg.msg_flags &= ~MSG_SPLICE_PAGES; /* Set the bvec pointing to the page, with len $bytes */ bvec_set_page(&bvec, page[i], bytes, offset); /* Set the iter to $size, aka the size of the whole sendpages (!!!) */ iov_iter_bvec(&msg.msg_iter, ITER_SOURCE, &bvec, 1, size); try_page_again: lock_sock(sk); /* Sendmsg with $size size (!!!) */ rv = tcp_sendmsg_locked(sk, &msg, size);
This means we've been sending oversized iov_iters and tcp_sendmsg calls for a while. This has a been a benign bug because sendpage_ok() always returned true. With the recent slab allocator changes being slowly introduced into next (that disallow sendpage on large kmalloc allocations), we have recently hit out-of-bounds crashes, due to slight differences in iov_iter behavior between the MSG_SPLICE_PAGES and "regular" copy paths:
(MSG_SPLICE_PAGES) skb_splice_from_iter iov_iter_extract_pages iov_iter_extract_bvec_pages uses i->nr_segs to correctly stop in its tracks before OoB'ing everywhere skb_splice_from_iter gets a "short" read
(!MSG_SPLICE_PAGES) skb_copy_to_page_nocache copy=iov_iter_count [...] copy_from_iter /* this doesn't help */ if (unlikely(iter->count < len)) len = iter->count; iterate_bvec ... and we run off the bvecs
Fix this by properly setting the iov_iter's byte count, plus sending the correct byte count to tcp_sendmsg_locked.
Link: https://patch.msgid.link/r/20250729120348.495568-1-pfalcato@suse.de Cc: stable@vger.kernel.org Fixes: c2ff29e99a76 ("siw: Inline do_tcp_sendpages()") Reported-by: kernel test robot <oliver.sang@intel.com> Closes: https://lore.kernel.org/oe-lkp/202507220801.50a7210-lkp@intel.com Reviewed-by: David Howells <dhowells@redhat.com> Signed-off-by: Pedro Falcato <pfalcato@suse.de> Acked-by: Bernard Metzler <bernard.metzler@linux.dev> Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
show more ...
|
8536666a | 07-May-2025 |
Colin Ian King <colin.i.king@gmail.com> |
RDMA/siw: replace redundant ternary operator with just rv
The use of the ternary operator on rv is redundant, rv is either the initialized value of 0 or a negative error return code, so it can never
RDMA/siw: replace redundant ternary operator with just rv
The use of the ternary operator on rv is redundant, rv is either the initialized value of 0 or a negative error return code, so it can never be greater than zero, and hence the zero assignment in ternary operator is redundant. Just return rv instead.
Signed-off-by: Colin Ian King <colin.i.king@gmail.com> Link: https://patch.msgid.link/20250507131834.253823-1-colin.i.king@gmail.com Acked-by: Bernard Metzler <bmt@zurich.ibm.com> Signed-off-by: Leon Romanovsky <leon@kernel.org>
show more ...
|
b7a2768a | 03-Dec-2023 |
Guoqing Jiang <guoqing.jiang@linux.dev> |
RDMA/siw: Call orq_get_current if possible
Use orq_get_current() in siw_orq_empty().
Link: https://lore.kernel.org/r/20231203092655.28102-5-guoqing.jiang@linux.dev Acked-by: Bernard Metzler <bmt@zu
RDMA/siw: Call orq_get_current if possible
Use orq_get_current() in siw_orq_empty().
Link: https://lore.kernel.org/r/20231203092655.28102-5-guoqing.jiang@linux.dev Acked-by: Bernard Metzler <bmt@zurich.ibm.com> Signed-off-by: Guoqing Jiang <guoqing.jiang@linux.dev> Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
show more ...
|
0b988c1b | 03-Dec-2023 |
Guoqing Jiang <guoqing.jiang@linux.dev> |
RDMA/siw: Set qp_state in siw_query_qp
Run test_query_rc_qp against siw failed since siw didn't set qp_state accordingly. To address it, introduce siw_qp_state_to_ib_qp_state which convert SIW_QP_ST
RDMA/siw: Set qp_state in siw_query_qp
Run test_query_rc_qp against siw failed since siw didn't set qp_state accordingly. To address it, introduce siw_qp_state_to_ib_qp_state which convert SIW_QP_STATE_IDLE to IB_QPS_INIT which is similar as in cxgb4.
rdma-core# ./build/bin/run_tests.py --dev siw0 tests.test_qp.QPTest.test_query_rc_qp -v test_query_rc_qp (tests.test_qp.QPTest) Queries an RC QP after creation. Verifies that its properties are as ... FAIL
====================================================================== FAIL: test_query_rc_qp (tests.test_qp.QPTest) Queries an RC QP after creation. Verifies that its properties are as ---------------------------------------------------------------------- Traceback (most recent call last): File "/home/gjiang/rdma-core/tests/test_qp.py", line 284, in test_query_rc_qp self.query_qp_common_test(e.IBV_QPT_RC) File "/home/gjiang/rdma-core/tests/test_qp.py", line 265, in query_qp_common_test self.verify_qp_attrs(caps, e.IBV_QPS_INIT, qp_init_attr, qp_attr) File "/home/gjiang/rdma-core/tests/test_qp.py", line 239, in verify_qp_attrs self.assertEqual(state, attr.qp_state) AssertionError: <ibv_qp_state.IBV_QPS_INIT: 1> != 0
---------------------------------------------------------------------- Ran 1 test in 0.057s
FAILED (failures=1)
Link: https://lore.kernel.org/r/20231203092655.28102-4-guoqing.jiang@linux.dev Signed-off-by: Guoqing Jiang <guoqing.jiang@linux.dev> Acked-by: Bernard Metzler <bmt@zurich.ibm.com> Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
show more ...
|
51ac45a6 | 03-Dec-2023 |
Guoqing Jiang <guoqing.jiang@linux.dev> |
RDMA/siw: Reduce memory usage of struct siw_rx_stream
We can reduce the memory of the struct by move some of it's member.
Before,
/* size: 144, cachelines: 3, members: 17 */ /* sum members: 124,
RDMA/siw: Reduce memory usage of struct siw_rx_stream
We can reduce the memory of the struct by move some of it's member.
Before,
/* size: 144, cachelines: 3, members: 17 */ /* sum members: 124, holes: 3, sum holes: 12 */ /* sum bitfield members: 7 bits (0 bytes) */ /* padding: 7 */ /* bit_padding: 1 bits */
After
/* size: 128, cachelines: 2, members: 17 */ /* padding: 3 */ /* bit_padding: 1 bits */
Link: https://lore.kernel.org/r/20231203092655.28102-3-guoqing.jiang@linux.dev Acked-by: Bernard Metzler <bmt@zurich.ibm.com> Signed-off-by: Guoqing Jiang <guoqing.jiang@linux.dev> Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
show more ...
|
84de14ba | 03-Dec-2023 |
Guoqing Jiang <guoqing.jiang@linux.dev> |
RDMA/siw: Move tx_cpu ahead
We can reduce one cacheline for the usage of struct siw_qp.
Before,
/* size: 1928, cachelines: 31, members: 38 */ /* sum members: 1920, holes: 2, sum holes: 8 */ /*
RDMA/siw: Move tx_cpu ahead
We can reduce one cacheline for the usage of struct siw_qp.
Before,
/* size: 1928, cachelines: 31, members: 38 */ /* sum members: 1920, holes: 2, sum holes: 8 */ /* paddings: 4, sum paddings: 13 */ /* forced alignments: 3 */
after
/* size: 1920, cachelines: 30, members: 38 */ /* paddings: 4, sum paddings: 13 */ /* forced alignments: 3 */
Link: https://lore.kernel.org/r/20231203092655.28102-2-guoqing.jiang@linux.dev Acked-by: Bernard Metzler <bmt@zurich.ibm.com> Signed-off-by: Guoqing Jiang <guoqing.jiang@linux.dev> Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
show more ...
|
79844118 | 13-Nov-2023 |
Guoqing Jiang <guoqing.jiang@linux.dev> |
RDMA/siw: Update comments for siw_qp_sq_process
There is no siw_sq_work_handler in code, change it with siw_tx_thread since siw_run_sq -> siw_sq_resume -> siw_qp_sq_process.
Acked-by: Bernard Metzl
RDMA/siw: Update comments for siw_qp_sq_process
There is no siw_sq_work_handler in code, change it with siw_tx_thread since siw_run_sq -> siw_sq_resume -> siw_qp_sq_process.
Acked-by: Bernard Metzler <bmt@zurich.ibm.com> Signed-off-by: Guoqing Jiang <guoqing.jiang@linux.dev> Link: https://lore.kernel.org/r/20231113115726.12762-18-guoqing.jiang@linux.dev Signed-off-by: Leon Romanovsky <leon@kernel.org>
show more ...
|
d9a5b486 | 13-Nov-2023 |
Guoqing Jiang <guoqing.jiang@linux.dev> |
RDMA/siw: Introduce siw_destroy_cep_sock
Add one helper to simplify code a bit.
Reported-by: kernel test robot <lkp@intel.com> Closes: https://lore.kernel.org/oe-kbuild-all/202310091735.oG7bTvLR-lk
RDMA/siw: Introduce siw_destroy_cep_sock
Add one helper to simplify code a bit.
Reported-by: kernel test robot <lkp@intel.com> Closes: https://lore.kernel.org/oe-kbuild-all/202310091735.oG7bTvLR-lkp@intel.com/` Acked-by: Bernard Metzler <bmt@zurich.ibm.com> Signed-off-by: Guoqing Jiang <guoqing.jiang@linux.dev> Link: https://lore.kernel.org/r/20231113115726.12762-17-guoqing.jiang@linux.dev Signed-off-by: Leon Romanovsky <leon@kernel.org>
show more ...
|
788bbf4c | 13-Nov-2023 |
Guoqing Jiang <guoqing.jiang@linux.dev> |
RDMA/siw: Only check attrs->cap.max_send_wr in siw_create_qp
We can just check max_send_wr here given both max_send_wr and max_recv_wr are defined as u32 type, and we also need to ensure num_sqe (de
RDMA/siw: Only check attrs->cap.max_send_wr in siw_create_qp
We can just check max_send_wr here given both max_send_wr and max_recv_wr are defined as u32 type, and we also need to ensure num_sqe (derived from max_send_wr) shouldn't be zero.
Acked-by: Bernard Metzler <bmt@zurich.ibm.com> Signed-off-by: Guoqing Jiang <guoqing.jiang@linux.dev> Link: https://lore.kernel.org/r/20231113115726.12762-16-guoqing.jiang@linux.dev Signed-off-by: Leon Romanovsky <leon@kernel.org>
show more ...
|