mirrors
/
linux-stable
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
1
0
Fork 0
Code Issues Releases Wiki Activity
linux-stable/drivers/net/ethernet/mellanox/mlx5/core
History
Shay Drory 9c2d080109 net/mlx5: Free irqs only on shutdown callback 
Whenever a shutdown is invoked, free irqs only and keep mlx5_irq
synthetic wrapper intact in order to avoid use-after-free on
system shutdown.

for example:
==================================================================
BUG: KASAN: use-after-free in _find_first_bit+0x66/0x80
Read of size 8 at addr ffff88823fc0d318 by task kworker/u192:0/13608

CPU: 25 PID: 13608 Comm: kworker/u192:0 Tainted: G    B   W  O  6.1.21-cloudflare-kasan-2023.3.21 #1
Hardware name: GIGABYTE R162-R2-GEN0/MZ12-HD2-CD, BIOS R14 05/03/2021
Workqueue: mlx5e mlx5e_tx_timeout_work [mlx5_core]
Call Trace:
  <TASK>
  dump_stack_lvl+0x34/0x48
  print_report+0x170/0x473
  ? _find_first_bit+0x66/0x80
  kasan_report+0xad/0x130
  ? _find_first_bit+0x66/0x80
  _find_first_bit+0x66/0x80
  mlx5e_open_channels+0x3c5/0x3a10 [mlx5_core]
  ? console_unlock+0x2fa/0x430
  ? _raw_spin_lock_irqsave+0x8d/0xf0
  ? _raw_spin_unlock_irqrestore+0x42/0x80
  ? preempt_count_add+0x7d/0x150
  ? __wake_up_klogd.part.0+0x7d/0xc0
  ? vprintk_emit+0xfe/0x2c0
  ? mlx5e_trigger_napi_sched+0x40/0x40 [mlx5_core]
  ? dev_attr_show.cold+0x35/0x35
  ? devlink_health_do_dump.part.0+0x174/0x340
  ? devlink_health_report+0x504/0x810
  ? mlx5e_reporter_tx_timeout+0x29d/0x3a0 [mlx5_core]
  ? mlx5e_tx_timeout_work+0x17c/0x230 [mlx5_core]
  ? process_one_work+0x680/0x1050
  mlx5e_safe_switch_params+0x156/0x220 [mlx5_core]
  ? mlx5e_switch_priv_channels+0x310/0x310 [mlx5_core]
  ? mlx5_eq_poll_irq_disabled+0xb6/0x100 [mlx5_core]
  mlx5e_tx_reporter_timeout_recover+0x123/0x240 [mlx5_core]
  ? __mutex_unlock_slowpath.constprop.0+0x2b0/0x2b0
  devlink_health_reporter_recover+0xa6/0x1f0
  devlink_health_report+0x2f7/0x810
  ? vsnprintf+0x854/0x15e0
  mlx5e_reporter_tx_timeout+0x29d/0x3a0 [mlx5_core]
  ? mlx5e_reporter_tx_err_cqe+0x1a0/0x1a0 [mlx5_core]
  ? mlx5e_tx_reporter_timeout_dump+0x50/0x50 [mlx5_core]
  ? mlx5e_tx_reporter_dump_sq+0x260/0x260 [mlx5_core]
  ? newidle_balance+0x9b7/0xe30
  ? psi_group_change+0x6a7/0xb80
  ? mutex_lock+0x96/0xf0
  ? __mutex_lock_slowpath+0x10/0x10
  mlx5e_tx_timeout_work+0x17c/0x230 [mlx5_core]
  process_one_work+0x680/0x1050
  worker_thread+0x5a0/0xeb0
  ? process_one_work+0x1050/0x1050
  kthread+0x2a2/0x340
  ? kthread_complete_and_exit+0x20/0x20
  ret_from_fork+0x22/0x30
  </TASK>

Freed by task 1:
  kasan_save_stack+0x23/0x50
  kasan_set_track+0x21/0x30
  kasan_save_free_info+0x2a/0x40
  ____kasan_slab_free+0x169/0x1d0
  slab_free_freelist_hook+0xd2/0x190
  __kmem_cache_free+0x1a1/0x2f0
  irq_pool_free+0x138/0x200 [mlx5_core]
  mlx5_irq_table_destroy+0xf6/0x170 [mlx5_core]
  mlx5_core_eq_free_irqs+0x74/0xf0 [mlx5_core]
  shutdown+0x194/0x1aa [mlx5_core]
  pci_device_shutdown+0x75/0x120
  device_shutdown+0x35c/0x620
  kernel_restart+0x60/0xa0
  __do_sys_reboot+0x1cb/0x2c0
  do_syscall_64+0x3b/0x90
  entry_SYSCALL_64_after_hwframe+0x4b/0xb5

The buggy address belongs to the object at ffff88823fc0d300
  which belongs to the cache kmalloc-192 of size 192
The buggy address is located 24 bytes inside of
  192-byte region [ffff88823fc0d300, ffff88823fc0d3c0)

The buggy address belongs to the physical page:
page:0000000010139587 refcount:1 mapcount:0 mapping:0000000000000000
index:0x0 pfn:0x23fc0c
head:0000000010139587 order:1 compound_mapcount:0 compound_pincount:0
flags: 0x2ffff800010200(slab|head|node=0|zone=2|lastcpupid=0x1ffff)
raw: 002ffff800010200 0000000000000000 dead000000000122 ffff88810004ca00
raw: 0000000000000000 0000000000200020 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
  ffff88823fc0d200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
  ffff88823fc0d280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 >ffff88823fc0d300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                             ^
  ffff88823fc0d380: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
  ffff88823fc0d400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
general protection fault, probably for non-canonical address
0xdffffc005c40d7ac: 0000 [#1] PREEMPT SMP KASAN NOPTI
KASAN: probably user-memory-access in range [0x00000002e206bd60-0x00000002e206bd67]
CPU: 25 PID: 13608 Comm: kworker/u192:0 Tainted: G    B   W  O  6.1.21-cloudflare-kasan-2023.3.21 #1
Hardware name: GIGABYTE R162-R2-GEN0/MZ12-HD2-CD, BIOS R14 05/03/2021
Workqueue: mlx5e mlx5e_tx_timeout_work [mlx5_core]
RIP: 0010:__alloc_pages+0x141/0x5c0
Call Trace:
  <TASK>
  ? sysvec_apic_timer_interrupt+0xa0/0xc0
  ? asm_sysvec_apic_timer_interrupt+0x16/0x20
  ? __alloc_pages_slowpath.constprop.0+0x1ec0/0x1ec0
  ? _raw_spin_unlock_irqrestore+0x3d/0x80
  __kmalloc_large_node+0x80/0x120
  ? kvmalloc_node+0x4e/0x170
  __kmalloc_node+0xd4/0x150
  kvmalloc_node+0x4e/0x170
  mlx5e_open_channels+0x631/0x3a10 [mlx5_core]
  ? console_unlock+0x2fa/0x430
  ? _raw_spin_lock_irqsave+0x8d/0xf0
  ? _raw_spin_unlock_irqrestore+0x42/0x80
  ? preempt_count_add+0x7d/0x150
  ? __wake_up_klogd.part.0+0x7d/0xc0
  ? vprintk_emit+0xfe/0x2c0
  ? mlx5e_trigger_napi_sched+0x40/0x40 [mlx5_core]
  ? dev_attr_show.cold+0x35/0x35
  ? devlink_health_do_dump.part.0+0x174/0x340
  ? devlink_health_report+0x504/0x810
  ? mlx5e_reporter_tx_timeout+0x29d/0x3a0 [mlx5_core]
  ? mlx5e_tx_timeout_work+0x17c/0x230 [mlx5_core]
  ? process_one_work+0x680/0x1050
  mlx5e_safe_switch_params+0x156/0x220 [mlx5_core]
  ? mlx5e_switch_priv_channels+0x310/0x310 [mlx5_core]
  ? mlx5_eq_poll_irq_disabled+0xb6/0x100 [mlx5_core]
  mlx5e_tx_reporter_timeout_recover+0x123/0x240 [mlx5_core]
  ? __mutex_unlock_slowpath.constprop.0+0x2b0/0x2b0
  devlink_health_reporter_recover+0xa6/0x1f0
  devlink_health_report+0x2f7/0x810
  ? vsnprintf+0x854/0x15e0
  mlx5e_reporter_tx_timeout+0x29d/0x3a0 [mlx5_core]
  ? mlx5e_reporter_tx_err_cqe+0x1a0/0x1a0 [mlx5_core]
  ? mlx5e_tx_reporter_timeout_dump+0x50/0x50 [mlx5_core]
  ? mlx5e_tx_reporter_dump_sq+0x260/0x260 [mlx5_core]
  ? newidle_balance+0x9b7/0xe30
  ? psi_group_change+0x6a7/0xb80
  ? mutex_lock+0x96/0xf0
  ? __mutex_lock_slowpath+0x10/0x10
  mlx5e_tx_timeout_work+0x17c/0x230 [mlx5_core]
  process_one_work+0x680/0x1050
  worker_thread+0x5a0/0xeb0
  ? process_one_work+0x1050/0x1050
  kthread+0x2a2/0x340
  ? kthread_complete_and_exit+0x20/0x20
  ret_from_fork+0x22/0x30
  </TASK>
---[ end trace 0000000000000000  ]---
RIP: 0010:__alloc_pages+0x141/0x5c0
Code: e0 39 a3 96 89 e9 b8 22 01 32 01 83 e1 0f 48 89 fa 01 c9 48 c1 ea
03 d3 f8 83 e0 03 89 44 24 6c 48 b8 00 00 00 00 00 fc ff df <80> 3c 02
00 0f 85 fc 03 00 00 89 e8 4a 8b 14 f5 e0 39 a3 96 4c 89
RSP: 0018:ffff888251f0f438 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: 1ffff1104a3e1e8b RCX: 0000000000000000
RDX: 000000005c40d7ac RSI: 0000000000000003 RDI: 00000002e206bd60
RBP: 0000000000052dc0 R08: ffff8882b0044218 R09: ffff8882b0045e8a
R10: fffffbfff300fefc R11: ffff888167af4000 R12: 0000000000000003
R13: 0000000000000000 R14: 00000000696c7070 R15: ffff8882373f4380
FS:  0000000000000000(0000) GS:ffff88bf2be80000(0000)
knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00005641d031eee8 CR3: 0000002e7ca14000 CR4: 0000000000350ee0
Kernel panic - not syncing: Fatal exception
Kernel Offset: 0x11000000 from 0xffffffff81000000 (relocation range:
0xffffffff80000000-0xffffffffbfffffff)
---[ end Kernel panic - not syncing: Fatal exception  ]---]

Reported-by: Frederick Lawler <fred@cloudflare.com>
Link: https://lore.kernel.org/netdev/be5b9271-7507-19c5-ded1-fa78f1980e69@cloudflare.com
Signed-off-by: Shay Drory <shayd@nvidia.com>
Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
 		2023-05-22 22:38:06 -07:00
..
diag net/mlx5: Add vnic devlink health reporter to PFs/VFs 2023-04-20 18:35:49 -07:00
en net/mlx5e: Fix SQ wake logic in ptp napi_poll context 2023-05-22 22:38:05 -07:00
en_accel Networking changes for 6.4. 2023-04-26 16:07:23 -07:00
esw Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2023-04-26 10:17:46 +02:00
fpga
ipoib net/mlx5e: Don't cache tunnel offloads capability 2023-03-15 15:50:15 -07:00
lag net/mlx5: Lag, Add single RDMA device in multiport mode 2023-02-14 14:08:25 -08:00
lib net/mlx5: Devcom, serialize devcom registration 2023-05-22 22:38:06 -07:00
sf net/mlx5: Create a new profile for SFs 2023-04-11 20:57:37 -07:00
steering net/mlx5: DR, Check force-loopback RC QP capability independently from RoCE 2023-05-22 22:38:05 -07:00
Kconfig net/mlx5: Kconfig: Make tc offload depend on tc skb extension 2023-02-20 16:46:10 -08:00
Makefile net/mlx5: Add vnic devlink health reporter to PFs/VFs 2023-04-20 18:35:49 -07:00
alloc.c
cmd.c net/mlx5: Collect command failures data only for known commands 2023-05-22 22:38:04 -07:00
cq.c
debugfs.c net/mlx5: Expose SF firmware pages counter 2023-02-07 19:01:06 -08:00
dev.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2023-04-20 16:29:51 -07:00
devlink.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2023-04-26 10:17:46 +02:00
devlink.h mlx5-updates-2023-03-20 2023-03-28 23:52:12 -07:00
ecpf.c Revert "net/mlx5: Enable management PF initialization" 2023-04-19 18:51:28 -07:00
ecpf.h
en.h net/mlx5e: RX, Add XDP multi-buffer support in Striding RQ 2023-04-19 08:59:27 +01:00
en_arfs.c
en_common.c RDMA/mlx5: Allow relaxed ordering read in VFs and VMs 2023-04-16 13:29:26 +03:00
en_dcbnl.c net/mlx5: Read the TC mapping of all priorities on ETS query 2023-03-21 14:06:32 -07:00
en_dim.c
en_ethtool.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2023-03-17 16:29:25 -07:00
en_fs.c net/mlx5e: Nullify table pointer when failing to create 2023-04-20 18:47:33 -07:00
en_fs_ethtool.c
en_main.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2023-04-26 10:17:46 +02:00
en_rep.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2023-04-26 10:17:46 +02:00
en_rep.h net/mlx5e: Add vnic devlink health reporter to representors 2023-04-20 18:35:49 -07:00
en_rx.c net/mlx5e: RX, Fix XDP_TX page release for legacy rq nonlinear case 2023-04-20 18:35:49 -07:00
en_selftest.c
en_stats.c net/mlx5e: RX, Remove unnecessary recycle parameter and page_cache stats 2023-03-28 13:43:59 -07:00
en_stats.h net/mlx5e: RX, Remove unnecessary recycle parameter and page_cache stats 2023-03-28 13:43:59 -07:00
en_tc.c net/mlx5e: TC, Fix using eswitch mapping in nic mode 2023-05-22 22:38:06 -07:00
en_tc.h net/mlx5e: TC, Set CT miss to the specific ct action instance 2023-02-20 16:46:10 -08:00
en_tx.c net/mlx5e: Fix SQ wake logic in ptp napi_poll context 2023-05-22 22:38:05 -07:00
en_txrx.c net/mlx5e: do as little as possible in napi poll when budget is 0 2023-05-19 08:39:14 +01:00
eq.c net/mlx5: Free irqs only on shutdown callback 2023-05-22 22:38:06 -07:00
eswitch.c mlx5-updates-2023-04-20 2023-04-21 20:47:05 -07:00
eswitch.h net/mlx5: E-switch, Devcom, sync devcom events and devcom comp register 2023-05-22 22:38:06 -07:00
eswitch_offloads.c net/mlx5: E-switch, Devcom, sync devcom events and devcom comp register 2023-05-22 22:38:06 -07:00
eswitch_offloads_termtbl.c Revert "net/mlx5e: Don't use termination table when redundant" 2023-04-20 18:47:33 -07:00
events.c RDMA/mlx5: Track netdev to avoid deadlock during netdev notifier unregister 2023-02-08 20:40:57 -08:00
fs_cmd.c Merge branch 'mlx5-next' of https://git.kernel.org/pub/scm/linux/kernel/git/mellanox/linux 2023-02-16 11:36:14 -08:00
fs_cmd.h
fs_core.c net/mlx5: Bridge, add per-port multicast replication tables 2023-04-11 20:57:36 -07:00
fs_core.h
fs_counters.c net/mlx5e: TC, support per action stats 2023-02-14 11:00:01 +01:00
fs_ft_pool.c
fs_ft_pool.h
fw.c net/mlx5: Prepare for fast crypto key update if hardware supports it 2023-01-30 19:10:05 -08:00
fw_reset.c net/mlx5: Use recovery timeout on sync reset flow 2023-04-20 18:47:33 -07:00
fw_reset.h
health.c net/mlx5: Add vnic devlink health reporter to PFs/VFs 2023-04-20 18:35:49 -07:00
irq_affinity.c net/mlx5: Use dynamic msix vectors allocation 2023-03-24 16:04:29 -07:00
main.c net/mlx5: Fix error message when failing to allocate device memory 2023-05-22 22:38:05 -07:00
mcg.c
mlx5_core.h Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2023-04-26 10:17:46 +02:00
mlx5_irq.h net/mlx5: Free irqs only on shutdown callback 2023-05-22 22:38:06 -07:00
mr.c
pagealloc.c net/mlx5: Fix setting ec_function bit in MANAGE_PAGES 2023-03-15 15:50:16 -07:00
pci_irq.c net/mlx5: Free irqs only on shutdown callback 2023-05-22 22:38:06 -07:00
pci_irq.h net/mlx5: Use dynamic msix vectors allocation 2023-03-24 16:04:29 -07:00
pd.c
port.c net/mlx5: Move needed PTYS functions to core layer 2023-03-15 22:12:08 -07:00
qos.c
qos.h
rdma.c
rdma.h
rl.c
sriov.c net/mlx5: ECPF, wait for VF pages only after disabling host PFs 2023-02-24 10:13:18 -08:00
thermal.c net/mlx5: Implement thermal zone 2023-03-15 22:09:14 -07:00
thermal.h net/mlx5: Implement thermal zone 2023-03-15 22:09:14 -07:00
transobj.c
uar.c
vport.c
wq.c
wq.h