[PATCH 3.16 017/294] net: bcmgenet: Free skb after last Tx frag

From: Ben Hutchings
Date: Mon Nov 06 2017 - 20:10:44 EST

Next message: Ben Hutchings: "[PATCH 3.16 244/294] i40e: Reduce stack in i40e_dbg_dump_desc"
Previous message: Ben Hutchings: "[PATCH 3.16 013/294] net: bcmgenet: update ring producer index and buffer count in xmit"
In reply to: Ben Hutchings: "[PATCH 3.16 013/294] net: bcmgenet: update ring producer index and buffer count in xmit"
Next in thread: Ben Hutchings: "[PATCH 3.16 244/294] i40e: Reduce stack in i40e_dbg_dump_desc"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

3.16.50-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Doug Berger <opendmb@xxxxxxxxx>

commit f48bed16a756f5bc0244acd581f61968f7d7c2a4 upstream.

Since the skb is attached to the first control block of a fragmented
skb it is possible that the skb could be freed when reclaiming that
control block before all fragments of the skb have been consumed by
the hardware and unmapped.

This commit introduces first_cb and last_cb pointers to the skb
control block used by the driver to keep track of which transmit
control blocks within a transmit ring are the first and last ones
associated with the skb.

It then splits the bcmgenet_free_cb() function into transmit
(bcmgenet_free_tx_cb) and receive (bcmgenet_free_rx_cb) versions
that can handle the unmapping of dma mapped memory and cleaning up
the corresponding control block structure so that the skb is only
freed after the last associated transmit control block is reclaimed.

Fixes: 1c1008c793fa ("net: bcmgenet: add main driver file")
Signed-off-by: Doug Berger <opendmb@xxxxxxxxx>
Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@xxxxxxxxxxxxxxx>
---
drivers/net/ethernet/broadcom/genet/bcmgenet.c | 142 ++++++++++++++-----------
drivers/net/ethernet/broadcom/genet/bcmgenet.h | 2 +
2 files changed, 84 insertions(+), 60 deletions(-)

--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.c
+++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
@@ -917,14 +917,6 @@ static struct enet_cb *bcmgenet_put_txcb
return tx_cb_ptr;
}

-/* Simple helper to free a control block's resources */
-static void bcmgenet_free_cb(struct enet_cb *cb)
-{
- dev_kfree_skb_any(cb->skb);
- cb->skb = NULL;
- dma_unmap_addr_set(cb, dma_addr, 0);
-}
-
static inline void bcmgenet_tx_ring16_int_disable(struct bcmgenet_priv *priv,
struct bcmgenet_tx_ring *ring)
{
@@ -957,19 +949,73 @@ static inline void bcmgenet_tx_ring_int_
priv->int1_mask |= (1 << ring->index);
}

+/* Simple helper to free a transmit control block's resources
+ * Returns an skb when the last transmit control block associated with the
+ * skb is freed. The skb should be freed by the caller if necessary.
+ */
+static struct sk_buff *bcmgenet_free_tx_cb(struct device *dev,
+ struct enet_cb *cb)
+{
+ struct sk_buff *skb;
+
+ skb = cb->skb;
+
+ if (skb) {
+ cb->skb = NULL;
+ if (cb == GENET_CB(skb)->first_cb)
+ dma_unmap_single(dev, dma_unmap_addr(cb, dma_addr),
+ dma_unmap_len(cb, dma_len),
+ DMA_TO_DEVICE);
+ else
+ dma_unmap_page(dev, dma_unmap_addr(cb, dma_addr),
+ dma_unmap_len(cb, dma_len),
+ DMA_TO_DEVICE);
+ dma_unmap_addr_set(cb, dma_addr, 0);
+
+ if (cb == GENET_CB(skb)->last_cb)
+ return skb;
+
+ } else if (dma_unmap_addr(cb, dma_addr)) {
+ dma_unmap_page(dev,
+ dma_unmap_addr(cb, dma_addr),
+ dma_unmap_len(cb, dma_len),
+ DMA_TO_DEVICE);
+ dma_unmap_addr_set(cb, dma_addr, 0);
+ }
+
+ return 0;
+}
+
+/* Simple helper to free a receive control block's resources */
+static struct sk_buff *bcmgenet_free_rx_cb(struct device *dev,
+ struct enet_cb *cb)
+{
+ struct sk_buff *skb;
+
+ skb = cb->skb;
+ cb->skb = NULL;
+
+ if (dma_unmap_addr(cb, dma_addr)) {
+ dma_unmap_single(dev, dma_unmap_addr(cb, dma_addr),
+ dma_unmap_len(cb, dma_len), DMA_FROM_DEVICE);
+ dma_unmap_addr_set(cb, dma_addr, 0);
+ }
+
+ return skb;
+}
+
/* Unlocked version of the reclaim routine */
static void __bcmgenet_tx_reclaim(struct net_device *dev,
struct bcmgenet_tx_ring *ring)
{
struct bcmgenet_priv *priv = netdev_priv(dev);
- struct device *kdev = &priv->pdev->dev;
- struct enet_cb *tx_cb_ptr;
struct netdev_queue *txq;
- unsigned int pkts_compl = 0;
+ unsigned int txbds_processed = 0;
unsigned int bytes_compl = 0;
- unsigned int c_index;
+ unsigned int pkts_compl = 0;
unsigned int txbds_ready;
- unsigned int txbds_processed = 0;
+ unsigned int c_index;
+ struct sk_buff *skb;

/* Compute how many buffers are transmited since last xmit call */
c_index = bcmgenet_tdma_ring_readl(priv, ring->index, TDMA_CONS_INDEX);
@@ -986,21 +1032,12 @@ static void __bcmgenet_tx_reclaim(struct

/* Reclaim transmitted buffers */
while (txbds_processed < txbds_ready) {
- tx_cb_ptr = &priv->tx_cbs[ring->clean_ptr];
- if (tx_cb_ptr->skb) {
+ skb = bcmgenet_free_tx_cb(&priv->pdev->dev,
+ &priv->tx_cbs[ring->clean_ptr]);
+ if (skb) {
pkts_compl++;
- bytes_compl += GENET_CB(tx_cb_ptr->skb)->bytes_sent;
- dma_unmap_single(kdev,
- dma_unmap_addr(tx_cb_ptr, dma_addr),
- dma_unmap_len(tx_cb_ptr, dma_len),
- DMA_TO_DEVICE);
- bcmgenet_free_cb(tx_cb_ptr);
- } else if (dma_unmap_addr(tx_cb_ptr, dma_addr)) {
- dma_unmap_page(kdev,
- dma_unmap_addr(tx_cb_ptr, dma_addr),
- dma_unmap_len(tx_cb_ptr, dma_len),
- DMA_TO_DEVICE);
- dma_unmap_addr_set(tx_cb_ptr, dma_addr, 0);
+ bytes_compl += GENET_CB(skb)->bytes_sent;
+ dev_kfree_skb_any(skb);
}

txbds_processed++;
@@ -1178,13 +1215,12 @@ static netdev_tx_t bcmgenet_xmit(struct

if (!i) {
/* Transmit single SKB or head of fragment list */
- tx_cb_ptr->skb = skb;
+ GENET_CB(skb)->first_cb = tx_cb_ptr;
size = skb_headlen(skb);
mapping = dma_map_single(kdev, skb->data, size,
DMA_TO_DEVICE);
} else {
/* xmit fragment */
- tx_cb_ptr->skb = NULL;
frag = &skb_shinfo(skb)->frags[i - 1];
size = skb_frag_size(frag);
mapping = skb_frag_dma_map(kdev, frag, 0, size,
@@ -1200,6 +1236,8 @@ static netdev_tx_t bcmgenet_xmit(struct
dma_unmap_addr_set(tx_cb_ptr, dma_addr, mapping);
dma_unmap_len_set(tx_cb_ptr, dma_len, size);

+ tx_cb_ptr->skb = skb;
+
len_stat = (size << DMA_BUFLENGTH_SHIFT) |
(priv->hw_params->qtag_mask << DMA_TX_QTAG_SHIFT);

@@ -1214,6 +1252,7 @@ static netdev_tx_t bcmgenet_xmit(struct
dmadesc_set(priv, tx_cb_ptr->bd_addr, mapping, len_stat);
}

+ GENET_CB(skb)->last_cb = tx_cb_ptr;
skb_tx_timestamp(skb);

/* Decrement total BD count and advance our write pointer */
@@ -1241,18 +1280,7 @@ out_unmap_frags:
/* Unmap successfully mapped control blocks */
while (i-- > 0) {
tx_cb_ptr = bcmgenet_put_txcb(priv, ring);
- if (tx_cb_ptr->skb)
- dma_unmap_single(kdev,
- dma_unmap_addr(tx_cb_ptr, dma_addr),
- dma_unmap_len(tx_cb_ptr, dma_len),
- DMA_TO_DEVICE);
- else
- dma_unmap_page(kdev,
- dma_unmap_addr(tx_cb_ptr, dma_addr),
- dma_unmap_len(tx_cb_ptr, dma_len),
- DMA_TO_DEVICE);
- dma_unmap_addr_set(tx_cb_ptr, dma_addr, 0);
- tx_cb_ptr->skb = NULL;
+ bcmgenet_free_tx_cb(kdev, tx_cb_ptr);
}

dev_kfree_skb(skb);
@@ -1287,14 +1315,12 @@ static struct sk_buff *bcmgenet_rx_refil
}

/* Grab the current Rx skb from the ring and DMA-unmap it */
- rx_skb = cb->skb;
- if (likely(rx_skb))
- dma_unmap_single(kdev, dma_unmap_addr(cb, dma_addr),
- priv->rx_buf_len, DMA_FROM_DEVICE);
+ rx_skb = bcmgenet_free_rx_cb(kdev, cb);

/* Put the new Rx skb on the ring */
cb->skb = skb;
dma_unmap_addr_set(cb, dma_addr, mapping);
+ dma_unmap_len_set(cb, dma_len, priv->rx_buf_len);
/* assign packet, prepare descriptor, and advance pointer */

dmadesc_set_addr(priv, priv->rx_bd_assign_ptr, mapping);
@@ -1470,22 +1496,16 @@ static int bcmgenet_alloc_rx_buffers(str

static void bcmgenet_free_rx_buffers(struct bcmgenet_priv *priv)
{
- struct device *kdev = &priv->pdev->dev;
+ struct sk_buff *skb;
struct enet_cb *cb;
int i;

for (i = 0; i < priv->num_rx_bds; i++) {
cb = &priv->rx_cbs[i];

- if (dma_unmap_addr(cb, dma_addr)) {
- dma_unmap_single(kdev,
- dma_unmap_addr(cb, dma_addr),
- priv->rx_buf_len, DMA_FROM_DEVICE);
- dma_unmap_addr_set(cb, dma_addr, 0);
- }
-
- if (cb->skb)
- bcmgenet_free_cb(cb);
+ skb = bcmgenet_free_rx_cb(&priv->pdev->dev, cb);
+ if (skb)
+ dev_kfree_skb_any(skb);
}
}

@@ -1762,6 +1782,8 @@ static void bcmgenet_init_multiq(struct

static void bcmgenet_fini_dma(struct bcmgenet_priv *priv)
{
+ struct sk_buff *skb;
+ struct enet_cb *cb;
int i;

/* disable DMA */
@@ -1769,10 +1791,10 @@ static void bcmgenet_fini_dma(struct bcm
bcmgenet_tdma_writel(priv, 0, DMA_CTRL);

for (i = 0; i < priv->num_tx_bds; i++) {
- if (priv->tx_cbs[i].skb != NULL) {
- dev_kfree_skb(priv->tx_cbs[i].skb);
- priv->tx_cbs[i].skb = NULL;
- }
+ cb = priv->tx_cbs + i;
+ skb = bcmgenet_free_tx_cb(&priv->pdev->dev, cb);
+ if (skb)
+ dev_kfree_skb(skb);
}

bcmgenet_free_rx_buffers(priv);
--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.h
+++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.h
@@ -505,6 +505,8 @@ struct bcmgenet_hw_params {
};

struct bcmgenet_skb_cb {
+ struct enet_cb *first_cb; /* First control block of SKB */
+ struct enet_cb *last_cb; /* Last control block of SKB */
unsigned int bytes_sent; /* bytes on the wire (no TSB) */
};

Next message: Ben Hutchings: "[PATCH 3.16 244/294] i40e: Reduce stack in i40e_dbg_dump_desc"
Previous message: Ben Hutchings: "[PATCH 3.16 013/294] net: bcmgenet: update ring producer index and buffer count in xmit"
In reply to: Ben Hutchings: "[PATCH 3.16 013/294] net: bcmgenet: update ring producer index and buffer count in xmit"
Next in thread: Ben Hutchings: "[PATCH 3.16 244/294] i40e: Reduce stack in i40e_dbg_dump_desc"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]