From: Björn Töpel bjorn.topel@intel.com
[ Upstream commit 64050b5b8706d304ba647591b06e1eddc55e8bd9 ]
On the Rx side, the next_to_use index points to the next item in the HW ring to be refilled/allocated, and next_to_clean points to the next item to potentially be processed.
When the HW Rx ring is fully refilled, i.e. no packets has been processed, the next_to_use will be next_to_clean - 1. When the ring is fully processed next_to_clean will be equal to next_to_use. The latter case is where a bug is triggered.
If the next_to_use bits are not cleared, and the "fully processed" state is entered, a stale descriptor can be processed.
The skb-path correctly clear the status bit for the next_to_use descriptor, but the AF_XDP zero-copy path did not do that.
This change adds the status bits clearing of the next_to_use descriptor.
Fixes: 3b4f0b66c2b3 ("i40e, xsk: Migrate to new MEM_TYPE_XSK_BUFF_POOL") Signed-off-by: Björn Töpel bjorn.topel@intel.com Signed-off-by: Jakub Kicinski kuba@kernel.org Signed-off-by: Sasha Levin sashal@kernel.org --- drivers/net/ethernet/intel/i40e/i40e_xsk.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/intel/i40e/i40e_xsk.c b/drivers/net/ethernet/intel/i40e/i40e_xsk.c index 567fd67e900ef..e402c62eb3137 100644 --- a/drivers/net/ethernet/intel/i40e/i40e_xsk.c +++ b/drivers/net/ethernet/intel/i40e/i40e_xsk.c @@ -219,8 +219,11 @@ bool i40e_alloc_rx_buffers_zc(struct i40e_ring *rx_ring, u16 count) } while (count);
no_buffers: - if (rx_ring->next_to_use != ntu) + if (rx_ring->next_to_use != ntu) { + /* clear the status bits for the next_to_use descriptor */ + rx_desc->wb.qword1.status_error_len = 0; i40e_release_rx_desc(rx_ring, ntu); + }
return ok; }