github-mirror/linux
1
0
Fork 0
mirror of https://github.com/torvalds/linux.git synced 2026-06-05 21:15:53 +02:00
Code Issues Actions Packages Projects Releases Wiki Activity Graph
486b9eee57
linux/drivers
History
Ivan Vecera 486b9eee57 ice: Fix race during aux device (un)plugging 
Function ice_plug_aux_dev() assigns pf->adev field too early prior
aux device initialization and on other side ice_unplug_aux_dev()
starts aux device deinit and at the end assigns NULL to pf->adev.
This is wrong because pf->adev should always be non-NULL only when
aux device is fully initialized and ready. This wrong order causes
a crash when ice_send_event_to_aux() call occurs because that function
depends on non-NULL value of pf->adev and does not assume that
aux device is half-initialized or half-destroyed.
After order correction the race window is tiny but it is still there,
as Leon mentioned and manipulation with pf->adev needs to be protected
by mutex.

Fix (un-)plugging functions so pf->adev field is set after aux device
init and prior aux device destroy and protect pf->adev assignment by
new mutex. This mutex is also held during ice_send_event_to_aux()
call to ensure that aux device is valid during that call.
Note that device lock used ice_send_event_to_aux() needs to be kept
to avoid race with aux drv unload.

Reproducer:
cycle=1
while :;do
        echo "#### Cycle: $cycle"

        ip link set ens7f0 mtu 9000
        ip link add bond0 type bond mode 1 miimon 100
        ip link set bond0 up
        ifenslave bond0 ens7f0
        ip link set bond0 mtu 9000
        ethtool -L ens7f0 combined 1
        ip link del bond0
        ip link set ens7f0 mtu 1500
        sleep 1

        let cycle++
done

In short when the device is added/removed to/from bond the aux device
is unplugged/plugged. When MTU of the device is changed an event is
sent to aux device asynchronously. This can race with (un)plugging
operation and because pf->adev is set too early (plug) or too late
(unplug) the function ice_send_event_to_aux() can touch uninitialized
or destroyed fields. In the case of crash below pf->adev->dev.mutex.

Crash:
[   53.372066] bond0: (slave ens7f0): making interface the new active one
[   53.378622] bond0: (slave ens7f0): Enslaving as an active interface with an u
p link
[   53.386294] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[   53.549104] bond0: (slave ens7f1): Enslaving as a backup interface with an up
 link
[   54.118906] ice 0000:ca:00.0 ens7f0: Number of in use tx queues changed inval
idating tc mappings. Priority traffic classification disabled!
[   54.233374] ice 0000:ca:00.1 ens7f1: Number of in use tx queues changed inval
idating tc mappings. Priority traffic classification disabled!
[   54.248204] bond0: (slave ens7f0): Releasing backup interface
[   54.253955] bond0: (slave ens7f1): making interface the new active one
[   54.274875] bond0: (slave ens7f1): Releasing backup interface
[   54.289153] bond0 (unregistering): Released all slaves
[   55.383179] MII link monitoring set to 100 ms
[   55.398696] bond0: (slave ens7f0): making interface the new active one
[   55.405241] BUG: kernel NULL pointer dereference, address: 0000000000000080
[   55.405289] bond0: (slave ens7f0): Enslaving as an active interface with an u
p link
[   55.412198] #PF: supervisor write access in kernel mode
[   55.412200] #PF: error_code(0x0002) - not-present page
[   55.412201] PGD 25d2ad067 P4D 0
[   55.412204] Oops: 0002 [#1] PREEMPT SMP NOPTI
[   55.412207] CPU: 0 PID: 403 Comm: kworker/0:2 Kdump: loaded Tainted: G S
           5.17.0-13579-g57f2d6540f03 #1
[   55.429094] bond0: (slave ens7f1): Enslaving as a backup interface with an up
 link
[   55.430224] Hardware name: Dell Inc. PowerEdge R750/06V45N, BIOS 1.4.4 10/07/
2021
[   55.430226] Workqueue: ice ice_service_task [ice]
[   55.468169] RIP: 0010:mutex_unlock+0x10/0x20
[   55.472439] Code: 0f b1 13 74 96 eb e0 4c 89 ee eb d8 e8 79 54 ff ff 66 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 65 48 8b 04 25 40 ef 01 00 31 d2 <f0> 48 0f b1 17 75 01 c3 e9 e3 fe ff ff 0f 1f 00 0f 1f 44 00 00 48
[   55.491186] RSP: 0018:ff4454230d7d7e28 EFLAGS: 00010246
[   55.496413] RAX: ff1a79b208b08000 RBX: ff1a79b2182e8880 RCX: 0000000000000001
[   55.503545] RDX: 0000000000000000 RSI: ff4454230d7d7db0 RDI: 0000000000000080
[   55.510678] RBP: ff1a79d1c7e48b68 R08: ff4454230d7d7db0 R09: 0000000000000041
[   55.517812] R10: 00000000000000a5 R11: 00000000000006e6 R12: ff1a79d1c7e48bc0
[   55.524945] R13: 0000000000000000 R14: ff1a79d0ffc305c0 R15: 0000000000000000
[   55.532076] FS:  0000000000000000(0000) GS:ff1a79d0ffc00000(0000) knlGS:0000000000000000
[   55.540163] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   55.545908] CR2: 0000000000000080 CR3: 00000003487ae003 CR4: 0000000000771ef0
[   55.553041] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   55.560173] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   55.567305] PKRU: 55555554
[   55.570018] Call Trace:
[   55.572474]  <TASK>
[   55.574579]  ice_service_task+0xaab/0xef0 [ice]
[   55.579130]  process_one_work+0x1c5/0x390
[   55.583141]  ? process_one_work+0x390/0x390
[   55.587326]  worker_thread+0x30/0x360
[   55.590994]  ? process_one_work+0x390/0x390
[   55.595180]  kthread+0xe6/0x110
[   55.598325]  ? kthread_complete_and_exit+0x20/0x20
[   55.603116]  ret_from_fork+0x1f/0x30
[   55.606698]  </TASK>

Fixes: f9f5301e7e ("ice: Register auxiliary device to provide RDMA")
Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
Signed-off-by: Ivan Vecera <ivecera@redhat.com>
Reviewed-by: Dave Ertman <david.m.ertman@intel.com>
Tested-by: Gurucharan <gurucharanx.g@intel.com> (A Contingent worker at Intel)
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
2022-05-06 10:09:24 -07:00
..
accessibility
acpi Revert "ACPI: processor: idle: fix lockup regression on 32-bit ThinkPad T40" 2022-04-21 19:58:14 +02:00
amba
android binder: Gracefully handle BINDER_TYPE_FDA objects with num_fds=0 2022-04-22 17:22:51 +02:00
ata ata: pata_marvell: Check the 'bmdma_addr' beforing reading 2022-04-22 08:45:06 +09:00
atm Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2022-03-17 13:56:58 -07:00
auxdisplay auxdisplay: lcd2s: Use array size explicitly in lcd2s_gotoxy() 2022-03-18 20:31:14 +01:00
base Driver core fixes for 5.18-rc5 2022-04-30 10:24:21 -07:00
bcma Core MTD changes: 2022-03-25 13:35:34 -07:00
block floppy: disable FDRAWCMD by default 2022-04-27 09:41:54 -07:00
bluetooth Bluetooth: ath3k: remove superfluous header files 2022-03-18 17:12:09 +01:00
bus - Fix locking when accessing device MSI descriptors 2022-05-01 09:30:47 -07:00
cdrom cdrom: remove unused variable 2022-04-06 08:47:52 -06:00
char Fix some issues that were reported 2022-05-04 11:01:31 -07:00
clk Add missing sentinel, check return value and mark rtc-32k as critical 2022-04-25 16:47:24 -07:00
clocksource asm-generic updates for 5.18 2022-03-23 18:03:08 -07:00
comedi
connector
counter Char/Misc and other driver updates for 5.18-rc1 2022-03-28 12:27:35 -07:00
cpufreq cpufreq: qcom-cpufreq-hw: Clear dcvs interrupts 2022-04-26 12:08:31 +05:30
cpuidle cpuidle: riscv: support non-SMP config 2022-04-19 17:42:08 -07:00
crypto virtio: features, fixes 2022-03-31 13:57:15 -07:00
cxl cxl/pci: Drop shadowed variable 2022-04-08 12:59:43 -07:00
dax dax for 5.18 2022-03-24 18:12:09 -07:00
dca
devfreq
dio
dma dmaengine: idxd: skip clearing device context when device is read-only 2022-04-20 17:24:43 +05:30
dma-buf dma-buf: handle empty dma_fence_arrays gracefully 2022-03-29 09:14:30 +02:00
edac EDAC/synopsys: Read the error count from the correct register 2022-04-14 14:44:49 +02:00
eisa
extcon
firewire
firmware sound fixes for 5.18-rc4 2022-04-22 13:11:38 -07:00
fpga
fsi
gnss
gpio gpio: Request interrupts after IRQ is initialized 2022-04-22 13:59:19 -07:00
gpu Merge tag 'amd-drm-fixes-5.18-2022-04-27' of https://gitlab.freedesktop.org/agd5f/linux into drm-fixes 2022-04-29 10:27:05 +10:00
greybus
hid Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input 2022-04-01 10:14:32 -07:00
hsi
hv hyperv-fixes for 5.18-rc2 2022-04-07 06:35:34 -10:00
hwmon hwmon: (pmbus) delta-ahe50dc-fan: work around hardware quirk 2022-04-27 04:52:18 -07:00
hwspinlock hwspinlock: sprd: Use struct_size() helper in devm_kzalloc() 2022-03-11 14:56:57 -06:00
hwtracing Char/Misc and other driver updates for 5.18-rc1 2022-03-28 12:27:35 -07:00
i2c i2c: ismt: Fix undefined behavior due to shift overflowing the constant 2022-04-15 23:49:02 +02:00
i3c i3c: fix uninitialized variable use in i2c setup 2022-03-08 22:33:52 +01:00
idle intel_idle: Fix SPR C6 optimization 2022-04-27 20:36:47 +02:00
iio iio: imu: inv_icm42600: Fix I2C init possible nack 2022-04-16 15:03:58 +01:00
infiniband RDMA/hfi1: Fix use-after-free bug for mm struct 2022-04-08 15:40:06 -03:00
input Input updates for v5.18-rc3 2022-04-23 09:52:07 -07:00
interconnect interconnect: qcom: sdx55: Drop IP0 interconnects 2022-04-14 09:47:16 +03:00
iommu iommu: Make sysfs robust for non-API groups 2022-05-04 15:13:39 +02:00
ipack
irqchip irqchip/gic, gic-v3: Prevent GSI to SGI translations 2022-04-05 16:33:47 +01:00
isdn mISDN: fix typo "frame to short" -> "frame too short" 2022-03-21 13:26:38 +00:00
leds LED updates for 5.18-rc1. Nothing major here, there are two drivers 2022-03-27 14:09:48 -07:00
macintosh
mailbox mailbox: ti-msgmgr: Operate mailbox in polled mode during system suspend 2022-03-12 19:33:30 -06:00
mcb
md block-5.18-2022-04-22 2022-04-23 09:46:44 -07:00
media media: si2157: unknown chip version Si2147-A30 ROM 0x50 2022-04-09 17:45:49 +02:00
memory memory: renesas-rpc-if: Fix HF/OSPI data transfer in Manual Mode 2022-04-21 17:00:24 +02:00
memstick
message scsi: message: fusion: Remove redundant variable dmp 2022-04-06 22:28:07 -04:00
mfd - New Drivers 2022-03-25 13:56:18 -07:00
misc eeprom: at25: Use DMA safe buffers 2022-04-24 17:25:10 +02:00
mmc mmc: core: improve API to make clear mmc_hw_reset is for cards 2022-04-08 11:00:08 +02:00
most
mtd mtd: rawnand: qcom: fix memory corruption that causes panic 2022-04-21 09:29:07 +02:00
mux
net ice: Fix race during aux device (un)plugging 2022-05-06 10:09:24 -07:00
nfc nfc: nfcmrvl: main: reorder destructive operations in nfcmrvl_nci_unregister_dev to avoid bugs 2022-05-01 13:26:05 +01:00
ntb
nubus
nvdimm libnvdimm for 5.18 2022-03-30 10:04:11 -07:00
nvme nvme-pci: disable namespace identifiers for Qemu controllers 2022-04-15 06:56:17 +02:00
nvmem nvmem: brcm_nvram: parse NVRAM content into NVMEM cells 2022-03-18 14:08:36 +01:00
of Char/Misc and other driver updates for 5.18-rc1 2022-03-28 12:27:35 -07:00
opp
parisc parisc: Fix CPU affinity for Lasi, WAX and Dino chips 2022-03-29 21:37:12 +02:00
parport parport_pc: Also enable driver for PCI systems 2022-03-18 14:01:41 +01:00
pci hyperv-fixes for 5.18-rc2 2022-04-07 06:35:34 -10:00
pcmcia
peci
perf arm_pmu: Validate single/group leader events 2022-04-13 11:48:45 +01:00
phy phy: amlogic: fix error path in phy_g12a_usb3_pcie_probe() 2022-04-20 14:42:44 +05:30
pinctrl pinctrl: pistachio: fix use of irq_of_parse_and_map() 2022-04-24 16:24:09 +02:00
platform platform/x86/intel: pmc/core: change pmc_lpm_modes to static 2022-04-27 16:55:54 +02:00
pnp PNP update for 5.18-rc1 2022-03-21 14:46:01 -07:00
power power: supply: Reset err after not finding static battery 2022-04-13 12:05:22 +02:00
powercap
pps pps: generators: pps_gen_parport: Switch to use module_parport_driver() 2022-03-18 14:01:19 +01:00
ps3
ptp ptp: ocp: handle error from nvmem_device_find 2022-03-30 12:08:11 -07:00
pwm
rapidio
ras
regulator regulator: atc260x: Fix missing active_discharge_on setting 2022-04-04 08:59:43 +01:00
remoteproc remoteproc updates for v5.18 2022-03-30 10:50:48 -07:00
reset reset: tegra-bpmp: Restore Handle errors in BPMP response 2022-04-04 11:14:13 +02:00
rpmsg rpmsg: ctrl: Introduce new RPMSG_CREATE/RELEASE_DEV_IOCTL controls 2022-03-13 11:49:53 -05:00
rtc RTC for 5.18 2022-04-01 09:37:18 -07:00
s390 s390: cleanup timer API use 2022-03-27 22:18:39 +02:00
sbus
scsi scsi: sr: Do not leak information in ioctl 2022-04-18 22:48:31 -04:00
sh
siox
slimbus
soc soc: imx: imx8m-blk-ctrl: Fix IMX8MN_DISPBLK_PD_ISI hang 2022-04-10 09:32:08 +08:00
soundwire Char/Misc and other driver updates for 5.18-rc1 2022-03-28 12:27:35 -07:00
spi spi: Fixes for v5.18 2022-04-19 10:30:43 -07:00
spmi
ssb
staging staging: r8188eu: Fix PPPoE tag insertion on little endian systems 2022-04-04 16:35:20 +02:00
target scsi: target: pscsi: Set SCF_TREAT_READ_AS_NORMAL flag only if there is valid data 2022-04-27 22:40:09 -04:00
tc
tee tee: optee: add missing mutext_destroy in optee_ffa_probe 2022-04-05 08:56:26 +02:00
thermal Merge branch 'thermal-int340x' 2022-04-28 16:51:24 +02:00
thunderbolt Char/Misc and other driver updates for 5.18-rc1 2022-03-28 12:27:35 -07:00
tty tty: n_gsm: fix sometimes uninitialized warning in gsm_dlci_modem_output() 2022-04-26 08:09:46 +02:00
uio
usb usb: phy: generic: Get the vbus supply 2022-04-26 14:10:54 +02:00
vdpa virtio: fixes, cleanups 2022-04-05 10:40:52 -07:00
vfio vfio/pci: Fix vf_token mechanism when device-specific VF drivers are used 2022-04-13 11:37:44 -06:00
vhost virtio: features, fixes 2022-03-31 13:57:15 -07:00
video fbdev fixes and updates for kernel v5.18-rc5 2022-04-26 11:32:01 -07:00
virt Random number generator fixes for Linux 5.18-rc1. 2022-03-31 14:51:34 -07:00
virtio virtio: fixes, cleanups 2022-04-05 10:40:52 -07:00
visorbus
vlynq
vme
w1 w1: w1_therm: Add support for Maxim MAX31850 thermoelement IF. 2022-03-18 14:07:09 +01:00
watchdog linux-watchdog 5.18-rc1 tag 2022-03-31 14:14:03 -07:00
xen xen: Convert kmap() to kmap_local_page() 2022-04-20 15:22:18 -05:00
zorro
Kconfig
Makefile