From: Julian Wiedmann <jwi@linux.ibm.com>
Subject: s390/qeth: remove unused buffer->aob pointer
Patch-mainline: v4.19-rc1
Git-commit: f67a43a73b543f686577507fe9ccdfae212b9924
References: FATE#326350, LTC#169511, bsc#1113509
Summary: qeth: performance improvements
Description: This adds recent functional and performance improvements for the
qeth network driver.
Primarily this brings Scatter-Gather support for HiperSockets,
reduced CPU consumption in the L3 IPv4 transmit path for OSA,
improved Promiscuous Mode performance due to IFF_UNICAST_FLT,
support for Scatter-Gather on z/VM virtual NICs, and
support for delayed GRO flushing.
For sanity & stability reasons, this effectively constitutes a
backport of the qeth device driver from 4.19 mainline.
Upstream-Description:
s390/qeth: remove unused buffer->aob pointer
Except for tracing, the pointer is not used.
At the same time, accessing it from qeth_qdio_output_handler() is racy:
whenever qeth_qdio_cq_handler() gets control, its call to
qeth_qdio_handle_aob() frees the AOB.
So the AOB pointer that qeth_qdio_output_handler() stores into 'buffer'
can go stale at any time, and trigger a use-after-free.
Signed-off-by: Julian Wiedmann <jwi@linux.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Julian Wiedmann <jwi@linux.ibm.com>
Acked-by: Petr Tesarik <ptesarik@suse.com>
---
drivers/s390/net/qeth_core.h | 1 -
drivers/s390/net/qeth_core_main.c | 7 -------
2 files changed, 8 deletions(-)
--- a/drivers/s390/net/qeth_core.h
+++ b/drivers/s390/net/qeth_core.h
@@ -463,7 +463,6 @@ struct qeth_qdio_out_buffer {
struct sk_buff_head skb_list;
int is_header[QDIO_MAX_ELEMENTS_PER_BUFFER];
- struct qaob *aob;
struct qeth_qdio_out_q *q;
struct qeth_qdio_out_buffer *next_pending;
};
--- a/drivers/s390/net/qeth_core_main.c
+++ b/drivers/s390/net/qeth_core_main.c
@@ -472,7 +472,6 @@ static void qeth_cleanup_handled_pending
if (forced_cleanup && (atomic_read(&(q->bufs[bidx]->state)) ==
QETH_QDIO_BUF_HANDLED_DELAYED)) {
/* for recovery situations */
- q->bufs[bidx]->aob = q->bufstates[bidx].aob;
qeth_init_qdio_out_buf(q, bidx);
QETH_CARD_TEXT(q->card, 2, "clprecov");
}
@@ -509,7 +508,6 @@ static void qeth_qdio_handle_aob(struct
}
qeth_notify_skbs(buffer->q, buffer, notification);
- buffer->aob = NULL;
/* Free dangling allocations. The attached skbs are handled by
* qeth_cleanup_handled_pending().
*/
@@ -2478,7 +2476,6 @@ static int qeth_init_qdio_out_buf(struct
skb_queue_head_init(&newbuf->skb_list);
lockdep_set_class(&newbuf->skb_list.lock, &qdio_out_skb_queue_key);
newbuf->q = q;
- newbuf->aob = NULL;
newbuf->next_pending = q->bufs[bidx];
atomic_set(&newbuf->state, QETH_QDIO_BUF_EMPTY);
q->bufs[bidx] = newbuf;
@@ -3734,11 +3731,7 @@ static void qeth_qdio_output_handler(str
qeth_notify_skbs(queue, buffer,
TX_NOTIFY_PENDING);
}
- buffer->aob = queue->bufstates[bidx].aob;
QETH_CARD_TEXT_(queue->card, 5, "pel%d", bidx);
- QETH_CARD_TEXT(queue->card, 5, "aob");
- QETH_CARD_TEXT_(queue->card, 5, "%lx",
- virt_to_phys(buffer->aob));
/* prepare the queue slot for re-use: */
qeth_scrub_qdio_buffer(buffer->buffer,