Re: [PATCH net-next V2 4/5] net/mlx5e: XDP, Use a single linear page per rq
From: Dragos Tatulea
Date: Sun Apr 05 2026 - 02:08:45 EST
On Fri, Apr 03, 2026 at 12:09:26PM +0300, Tariq Toukan wrote:
> From: Dragos Tatulea <dtatulea@xxxxxxxxxx>
>
> Currently in striding rq there is one mlx5e_frag_page member per WQE for
> the linear page. This linear page is used only in XDP multi-buffer mode.
> This is wasteful because only one linear page is needed per rq: the page
> gets refreshed on every packet, regardless of WQE. Furthermore, it is
> not needed in other modes (non-XDP, XDP single-buffer).
>
> This change moves the linear page into its own structure (struct
> mlx5_mpw_linear_info) and allocates it only when necessary.
>
> A special structure is created because an upcoming patch will extend
> this structure to support fragmentation of the linear page.
>
> This patch has no functional changes.
>
> Signed-off-by: Dragos Tatulea <dtatulea@xxxxxxxxxx>
> Reviewed-by: Carolina Jubran <cjubran@xxxxxxxxxx>
> Signed-off-by: Tariq Toukan <tariqt@xxxxxxxxxx>
> ---
> drivers/net/ethernet/mellanox/mlx5/core/en.h | 6 ++-
>
> [...]
> +static int mlx5e_rq_alloc_mpwqe_linear_info(struct mlx5e_rq *rq, int node,
> + struct mlx5e_params *params,
> + struct mlx5e_rq_opt_param *rqo,
> + u32 *pool_size)
> +{
> + struct mlx5_core_dev *mdev = rq->mdev;
> + struct mlx5e_mpw_linear_info *li;
> +
> + if (mlx5e_rx_mpwqe_is_linear_skb(mdev, params, rqo) ||
> + !params->xdp_prog)
> + return 0;
> +
sashiko says:
"""
Could mlx5e_rx_mpwqe_is_linear_skb() return true here (meaning li is not
allocated), but later return false when the rx handlers are being set up?
When mlx5e_open_rq() sets up handlers it passes NULL for rqo to
mlx5e_rx_mpwqe_is_linear_skb(). Inside that function, without rqo, the
page_shift calculation falls back to the system PAGE_SHIFT rather than
rqo->qcfg->rx_page_size. A smaller page_shift could cause the stride check
to fail, returning false.
If the allocation evaluates to true (skipping allocation) but the handler setup
evaluates to false, the nonlinear handler mlx5e_skb_from_cqe_mpwrq_nonlinear
will be used for the queue.
"""
This is by design. HW-GRO is the mode that Sashiko is talking about. In
that mode linear_info is not used hence not allocated.
> [...]
> --- a/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c
> +++ b/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c
> @@ -1869,6 +1869,7 @@ mlx5e_skb_from_cqe_mpwrq_nonlinear(struct mlx5e_rq *rq, struct mlx5e_mpw_info *w
> struct mlx5e_frag_page *frag_page = &wi->alloc_units.frag_pages[page_idx];
> u16 headlen = min_t(u16, MLX5E_RX_MAX_HEAD, cqe_bcnt);
> struct mlx5e_frag_page *head_page = frag_page;
> + struct mlx5e_frag_page *linear_page = NULL;
> struct mlx5e_xdp_buff *mxbuf = &rq->mxbuf;
> u32 page_size = BIT(rq->mpwqe.page_shift);
> u32 frag_offset = head_offset;
> @@ -1897,13 +1898,15 @@ mlx5e_skb_from_cqe_mpwrq_nonlinear(struct mlx5e_rq *rq, struct mlx5e_mpw_info *w
> if (prog) {
> /* area for bpf_xdp_[store|load]_bytes */
> net_prefetchw(netmem_address(frag_page->netmem) + frag_offset);
> +
> + linear_page = &rq->mpwqe.linear_info->frag_page;
"""
If mlx5e_skb_from_cqe_mpwrq_nonlinear() is invoked but linear_info was skipped
during allocation, does this result in a NULL pointer dereference when accessing
linear_info->frag_page?
"""
Connected to the statement above. linear_page will always be allocated
for this handler.
[1] https://sashiko.dev/#/patchset/20260403090927.139042-1-tariqt%40nvidia.com?part=4
Thanks,
Dragos