xen-netback: Fix grant ref resolution in RX path

The original series for reintroducing grant mapping for netback had a patch [1] to handle receiving of packets from an another VIF. Grant copy on the receiving side needs the grant ref of the page to set up the op. The original patch assumed (wrongly) that the frags array haven't changed. In the case reported by Sander, the sending guest sent a packet where the linear buffer and the first frag were under PKT_PROT_LEN (=128) bytes. xenvif_tx_submit() then pulled up the linear area to 128 bytes, and ditched the first frag. The receiving side had an off-by-one problem when gathered the grant refs. This patch fixes that by checking whether the actual frag's page pointer is the same as the page in the original frag list. It can handle any kind of changes on the original frags array, like: - removing granted frags from the array at any point - adding local pages to the frags list anywhere - reordering the frags It's optimized to the most common case, when there is 1:1 relation between the frags and the list, plus works optimal when frags are removed from the end or the beginning. [1]: 3e2234: xen-netback: Handle foreign mapped pages on the guest RX path Reported-by: Sander Eikelenboom <linux@eikelenboom.it> Signed-off-by: Zoltan Kiss <zoltan.kiss@citrix.com> Acked-by: Ian Campbell <ian.campbell@citrix.com> Signed-off-by: David S. Miller <davem@davemloft.net>
author: Zoltan Kiss <zoltan.kiss@citrix.com> 2014-05-15 06:08:34 -0400
committer: David S. Miller <davem@davemloft.net> 2014-05-15 23:32:36 -0400
commit: 583757446ba6850eff96cef6565d729266da9c5b (patch)
tree: ae8bd3395f1e7b106b7a79a6bd468bc252193c9e /drivers/net/xen-netback
parent: be7a010d6fa33dca9327ad8e91844278dfd1e712 (diff)
1 files changed, 80 insertions, 18 deletions
diff --git a/drivers/net/xen-netback/netback.c b/drivers/net/xen-netback/netback.c
index 76665405c5aa..64ab1d141f1c 100644
--- a/drivers/net/xen-netback/netback.c
+++ b/drivers/net/xen-netback/netback.c
@@ -104,7 +104,7 @@ static inline unsigned long idx_to_kaddr(struct xenvif *vif,
 /* Find the containing VIF's structure from a pointer in pending_tx_info array
 */
-static inline struct xenvif* ubuf_to_vif(struct ubuf_info *ubuf)
+static inline struct xenvif *ubuf_to_vif(const struct ubuf_info *ubuf)
 {
        u16 pending_idx = ubuf->desc;
        struct pending_tx_info *temp =
@@ -323,6 +323,35 @@ static void xenvif_gop_frag_copy(struct xenvif *vif, struct sk_buff *skb,
 }
 /*
+ * Find the grant ref for a given frag in a chain of struct ubuf_info's
+ * skb: the skb itself
+ * i: the frag's number
+ * ubuf: a pointer to an element in the chain. It should not be NULL
+ *
+ * Returns a pointer to the element in the chain where the page were found. If
+ * not found, returns NULL.
+ * See the definition of callback_struct in common.h for more details about
+ * the chain.
+ */
+static const struct ubuf_info *xenvif_find_gref(const struct sk_buff *const skb,
+                                                const int i,
+                                                const struct ubuf_info *ubuf)
+{
+        struct xenvif *foreign_vif = ubuf_to_vif(ubuf);
+        do {
+                u16 pending_idx = ubuf->desc;
+                if (skb_shinfo(skb)->frags[i].page.p ==
+                    foreign_vif->mmap_pages[pending_idx])
+                        break;
+                ubuf = (struct ubuf_info *) ubuf->ctx;
+        } while (ubuf);
+        return ubuf;
+}
+/*
 * Prepare an SKB to be transmitted to the frontend.
 *
 * This function is responsible for allocating grant operations, meta
@@ -346,9 +375,8 @@ static int xenvif_gop_skb(struct sk_buff *skb,
        int head = 1;
        int old_meta_prod;
        int gso_type;
-        struct ubuf_info *ubuf = skb_shinfo(skb)->destructor_arg;
+        const struct ubuf_info *ubuf = skb_shinfo(skb)->destructor_arg;
-        grant_ref_t foreign_grefs[MAX_SKB_FRAGS];
+        const struct ubuf_info *const head_ubuf = ubuf;
-        struct xenvif *foreign_vif = NULL;
        old_meta_prod = npo->meta_prod;
@@ -386,19 +414,6 @@ static int xenvif_gop_skb(struct sk_buff *skb,
        npo->copy_off = 0;
        npo->copy_gref = req->gref;
-        if ((skb_shinfo(skb)->tx_flags & SKBTX_DEV_ZEROCOPY) &&
-                 (ubuf->callback == &xenvif_zerocopy_callback)) {
-                int i = 0;
-                foreign_vif = ubuf_to_vif(ubuf);
-                do {
-                        u16 pending_idx = ubuf->desc;
-                        foreign_grefs[i++] =
-                                foreign_vif->pending_tx_info[pending_idx].req.gref;
-                        ubuf = (struct ubuf_info *) ubuf->ctx;
-                } while (ubuf);
-        }
        data = skb->data;
        while (data < skb_tail_pointer(skb)) {
                unsigned int offset = offset_in_page(data);
@@ -415,13 +430,60 @@ static int xenvif_gop_skb(struct sk_buff *skb,
        }
        for (i = 0; i < nr_frags; i++) {
+                /* This variable also signals whether foreign_gref has a real
+                 * value or not.
+                 */
+                struct xenvif *foreign_vif = NULL;
+                grant_ref_t foreign_gref;
+                if ((skb_shinfo(skb)->tx_flags & SKBTX_DEV_ZEROCOPY) &&
+                        (ubuf->callback == &xenvif_zerocopy_callback)) {
+                        const struct ubuf_info *const startpoint = ubuf;
+                        /* Ideally ubuf points to the chain element which
+                         * belongs to this frag. Or if frags were removed from
+                         * the beginning, then shortly before it.
+                         */
+                        ubuf = xenvif_find_gref(skb, i, ubuf);
+                        /* Try again from the beginning of the list, if we
+                         * haven't tried from there. This only makes sense in
+                         * the unlikely event of reordering the original frags.
+                         * For injected local pages it's an unnecessary second
+                         * run.
+                         */
+                        if (unlikely(!ubuf) && startpoint != head_ubuf)
+                                ubuf = xenvif_find_gref(skb, i, head_ubuf);
+                        if (likely(ubuf)) {
+                                u16 pending_idx = ubuf->desc;
+                                foreign_vif = ubuf_to_vif(ubuf);
+                                foreign_gref = foreign_vif->pending_tx_info[pending_idx].req.gref;
+                                /* Just a safety measure. If this was the last
+                                 * element on the list, the for loop will
+                                 * iterate again if a local page were added to
+                                 * the end. Using head_ubuf here prevents the
+                                 * second search on the chain. Or the original
+                                 * frags changed order, but that's less likely.
+                                 * In any way, ubuf shouldn't be NULL.
+                                 */
+                                ubuf = ubuf->ctx ?
+                                        (struct ubuf_info *) ubuf->ctx :
+                                        head_ubuf;
+                        } else
+                                /* This frag was a local page, added to the
+                                 * array after the skb left netback.
+                                 */
+                                ubuf = head_ubuf;
+                }
                xenvif_gop_frag_copy(vif, skb, npo,
                                     skb_frag_page(&skb_shinfo(skb)->frags[i]),
                                     skb_frag_size(&skb_shinfo(skb)->frags[i]),
                                     skb_shinfo(skb)->frags[i].page_offset,
                                     &head,
                                     foreign_vif,
-                                     foreign_grefs[i]);
+                                     foreign_vif ? foreign_gref : UINT_MAX);
        }
        return npo->meta_prod - old_meta_prod;
author	Zoltan Kiss <zoltan.kiss@citrix.com>	2014-05-15 06:08:34 -0400
committer	David S. Miller <davem@davemloft.net>	2014-05-15 23:32:36 -0400
commit	583757446ba6850eff96cef6565d729266da9c5b (patch)
tree	ae8bd3395f1e7b106b7a79a6bd468bc252193c9e /drivers/net/xen-netback
parent	be7a010d6fa33dca9327ad8e91844278dfd1e712 (diff)

diff --git a/drivers/net/xen-netback/netback.c b/drivers/net/xen-netback/netback.c index 76665405c5aa..64ab1d141f1c 100644 --- a/drivers/net/xen-netback/netback.c +++ b/drivers/net/xen-netback/netback.c
@@ -104,7 +104,7 @@ static inline unsigned long idx_to_kaddr(struct xenvif *vif,
104		104
105	/* Find the containing VIF's structure from a pointer in pending_tx_info array	105	/* Find the containing VIF's structure from a pointer in pending_tx_info array
106	*/	106	*/
107	static inline struct xenvif* ubuf_to_vif(struct ubuf_info *ubuf)	107	static inline struct xenvif ubuf_to_vif(const struct ubuf_info ubuf)
108	{	108	{
109	u16 pending_idx = ubuf->desc;	109	u16 pending_idx = ubuf->desc;
110	struct pending_tx_info *temp =	110	struct pending_tx_info *temp =
@@ -323,6 +323,35 @@ static void xenvif_gop_frag_copy(struct xenvif vif, struct sk_buff skb,
323	}	323	}
324		324
325	/*	325	/*
		326	* Find the grant ref for a given frag in a chain of struct ubuf_info's
		327	* skb: the skb itself
		328	* i: the frag's number
		329	* ubuf: a pointer to an element in the chain. It should not be NULL
		330	*
		331	* Returns a pointer to the element in the chain where the page were found. If
		332	* not found, returns NULL.
		333	* See the definition of callback_struct in common.h for more details about
		334	* the chain.
		335	*/
		336	static const struct ubuf_info xenvif_find_gref(const struct sk_buff const skb,
		337	const int i,
		338	const struct ubuf_info *ubuf)
		339	{
		340	struct xenvif *foreign_vif = ubuf_to_vif(ubuf);
		341
		342	do {
		343	u16 pending_idx = ubuf->desc;
		344
		345	if (skb_shinfo(skb)->frags[i].page.p ==
		346	foreign_vif->mmap_pages[pending_idx])
		347	break;
		348	ubuf = (struct ubuf_info *) ubuf->ctx;
		349	} while (ubuf);
		350
		351	return ubuf;
		352	}
		353
		354	/*
326	* Prepare an SKB to be transmitted to the frontend.	355	* Prepare an SKB to be transmitted to the frontend.
327	*	356	*
328	* This function is responsible for allocating grant operations, meta	357	* This function is responsible for allocating grant operations, meta
@@ -346,9 +375,8 @@ static int xenvif_gop_skb(struct sk_buff *skb,
346	int head = 1;	375	int head = 1;
347	int old_meta_prod;	376	int old_meta_prod;
348	int gso_type;	377	int gso_type;
349	struct ubuf_info *ubuf = skb_shinfo(skb)->destructor_arg;	378	const struct ubuf_info *ubuf = skb_shinfo(skb)->destructor_arg;
350	grant_ref_t foreign_grefs[MAX_SKB_FRAGS];	379	const struct ubuf_info *const head_ubuf = ubuf;
351	struct xenvif *foreign_vif = NULL;
352		380
353	old_meta_prod = npo->meta_prod;	381	old_meta_prod = npo->meta_prod;
354		382
@@ -386,19 +414,6 @@ static int xenvif_gop_skb(struct sk_buff *skb,
386	npo->copy_off = 0;	414	npo->copy_off = 0;
387	npo->copy_gref = req->gref;	415	npo->copy_gref = req->gref;
388		416
389	if ((skb_shinfo(skb)->tx_flags & SKBTX_DEV_ZEROCOPY) &&
390	(ubuf->callback == &xenvif_zerocopy_callback)) {
391	int i = 0;
392	foreign_vif = ubuf_to_vif(ubuf);
393
394	do {
395	u16 pending_idx = ubuf->desc;
396	foreign_grefs[i++] =
397	foreign_vif->pending_tx_info[pending_idx].req.gref;
398	ubuf = (struct ubuf_info *) ubuf->ctx;
399	} while (ubuf);
400	}
401
402	data = skb->data;	417	data = skb->data;
403	while (data < skb_tail_pointer(skb)) {	418	while (data < skb_tail_pointer(skb)) {
404	unsigned int offset = offset_in_page(data);	419	unsigned int offset = offset_in_page(data);
@@ -415,13 +430,60 @@ static int xenvif_gop_skb(struct sk_buff *skb,
415	}	430	}
416		431
417	for (i = 0; i < nr_frags; i++) {	432	for (i = 0; i < nr_frags; i++) {
		433	/* This variable also signals whether foreign_gref has a real
		434	* value or not.
		435	*/
		436	struct xenvif *foreign_vif = NULL;
		437	grant_ref_t foreign_gref;
		438
		439	if ((skb_shinfo(skb)->tx_flags & SKBTX_DEV_ZEROCOPY) &&
		440	(ubuf->callback == &xenvif_zerocopy_callback)) {
		441	const struct ubuf_info *const startpoint = ubuf;
		442
		443	/* Ideally ubuf points to the chain element which
		444	* belongs to this frag. Or if frags were removed from
		445	* the beginning, then shortly before it.
		446	*/
		447	ubuf = xenvif_find_gref(skb, i, ubuf);
		448
		449	/* Try again from the beginning of the list, if we
		450	* haven't tried from there. This only makes sense in
		451	* the unlikely event of reordering the original frags.
		452	* For injected local pages it's an unnecessary second
		453	* run.
		454	*/
		455	if (unlikely(!ubuf) && startpoint != head_ubuf)
		456	ubuf = xenvif_find_gref(skb, i, head_ubuf);
		457
		458	if (likely(ubuf)) {
		459	u16 pending_idx = ubuf->desc;
		460
		461	foreign_vif = ubuf_to_vif(ubuf);
		462	foreign_gref = foreign_vif->pending_tx_info[pending_idx].req.gref;
		463	/* Just a safety measure. If this was the last
		464	* element on the list, the for loop will
		465	* iterate again if a local page were added to
		466	* the end. Using head_ubuf here prevents the
		467	* second search on the chain. Or the original
		468	* frags changed order, but that's less likely.
		469	* In any way, ubuf shouldn't be NULL.
		470	*/
		471	ubuf = ubuf->ctx ?
		472	(struct ubuf_info *) ubuf->ctx :
		473	head_ubuf;
		474	} else
		475	/* This frag was a local page, added to the
		476	* array after the skb left netback.
		477	*/
		478	ubuf = head_ubuf;
		479	}
418	xenvif_gop_frag_copy(vif, skb, npo,	480	xenvif_gop_frag_copy(vif, skb, npo,
419	skb_frag_page(&skb_shinfo(skb)->frags[i]),	481	skb_frag_page(&skb_shinfo(skb)->frags[i]),
420	skb_frag_size(&skb_shinfo(skb)->frags[i]),	482	skb_frag_size(&skb_shinfo(skb)->frags[i]),
421	skb_shinfo(skb)->frags[i].page_offset,	483	skb_shinfo(skb)->frags[i].page_offset,
422	&head,	484	&head,
423	foreign_vif,	485	foreign_vif,
424	foreign_grefs[i]);	486	foreign_vif ? foreign_gref : UINT_MAX);
425	}	487	}
426		488
427	return npo->meta_prod - old_meta_prod;	489	return npo->meta_prod - old_meta_prod;