From: Thinh Tran <thinhtr@linux.ibm.com>
To: jacob.e.keller@intel.com, kuba@kernel.org
Cc: netdev@vger.kernel.org, VENKATA.SAI.DUGGI@ibm.com,
abdhalee@in.ibm.com, aelior@marvell.com, davem@davemloft.net,
drc@linux.vnet.ibm.com, edumazet@google.com, manishc@marvell.com,
pabeni@redhat.com, simon.horman@corigine.com,
skalluru@marvell.com, Thinh Tran <thinhtr@linux.ibm.com>
Subject: [PATCH v11] net/bnx2x: Prevent access to a freed page in page_pool
Date: Fri, 15 Mar 2024 15:55:35 -0500 [thread overview]
Message-ID: <20240315205535.1321-1-thinhtr@linux.ibm.com> (raw)
Fix race condition leading to system crash during EEH error handling
During EEH error recovery, the bnx2x driver's transmit timeout logic
could cause a race condition when handling reset tasks. The
bnx2x_tx_timeout() schedules reset tasks via bnx2x_sp_rtnl_task(),
which ultimately leads to bnx2x_nic_unload(). In bnx2x_nic_unload()
SGEs are freed using bnx2x_free_rx_sge_range(). However, this could
overlap with the EEH driver's attempt to reset the device using
bnx2x_io_slot_reset(), which also tries to free SGEs. This race
condition can result in system crashes due to accessing freed memory
locations in bnx2x_free_rx_sge()
799 static inline void bnx2x_free_rx_sge(struct bnx2x *bp,
800 struct bnx2x_fastpath *fp, u16 index)
801 {
802 struct sw_rx_page *sw_buf = &fp->rx_page_ring[index];
803 struct page *page = sw_buf->page;
....
where sw_buf was set to NULL after the call to dma_unmap_page()
by the preceding thread.
[ 793.003930] EEH: Beginning: 'slot_reset'
[ 793.003937] PCI 0011:01:00.0#10000: EEH: Invoking bnx2x->slot_reset()
[ 793.003939] bnx2x: [bnx2x_io_slot_reset:14228(eth1)]IO slot reset initializing...
[ 793.004037] bnx2x 0011:01:00.0: enabling device (0140 -> 0142)
[ 793.008839] bnx2x: [bnx2x_io_slot_reset:14244(eth1)]IO slot reset --> driver unload
[ 793.122134] Kernel attempted to read user page (0) - exploit attempt? (uid: 0)
[ 793.122143] BUG: Kernel NULL pointer dereference on read at 0x00000000
[ 793.122147] Faulting instruction address: 0xc0080000025065fc
[ 793.122152] Oops: Kernel access of bad area, sig: 11 [#1]
.....
[ 793.122315] Call Trace:
[ 793.122318] [c000000003c67a20] [c00800000250658c] bnx2x_io_slot_reset+0x204/0x610 [bnx2x] (unreliable)
[ 793.122331] [c000000003c67af0] [c0000000000518a8] eeh_report_reset+0xb8/0xf0
[ 793.122338] [c000000003c67b60] [c000000000052130] eeh_pe_report+0x180/0x550
[ 793.122342] [c000000003c67c70] [c00000000005318c] eeh_handle_normal_event+0x84c/0xa60
[ 793.122347] [c000000003c67d50] [c000000000053a84] eeh_event_handler+0xf4/0x170
[ 793.122352] [c000000003c67da0] [c000000000194c58] kthread+0x1c8/0x1d0
[ 793.122356] [c000000003c67e10] [c00000000000cf64] ret_from_kernel_thread+0x5c/0x64
To solve this issue, we need to verify page pool allocations before
freeing.
Fixes: 4cace675d687 ("bnx2x: Alloc 4k fragment for each rx ring buffer element")
Signed-off-by: Thinh Tran <thinhtr@linux.ibm.com>
---
drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h
index d8b1824c334d..0bc1367fd649 100644
--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h
+++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h
@@ -1002,9 +1002,6 @@ static inline void bnx2x_set_fw_mac_addr(__le16 *fw_hi, __le16 *fw_mid,
static inline void bnx2x_free_rx_mem_pool(struct bnx2x *bp,
struct bnx2x_alloc_pool *pool)
{
- if (!pool->page)
- return;
-
put_page(pool->page);
pool->page = NULL;
@@ -1015,6 +1012,9 @@ static inline void bnx2x_free_rx_sge_range(struct bnx2x *bp,
{
int i;
+ if (!fp->page_pool.page)
+ return;
+
if (fp->mode == TPA_MODE_DISABLED)
return;
--
2.25.1
next reply other threads:[~2024-03-15 20:55 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-03-15 20:55 Thinh Tran [this message]
2024-03-18 11:46 ` [PATCH v11] net/bnx2x: Prevent access to a freed page in page_pool Jiri Pirko
2024-03-20 3:10 ` patchwork-bot+netdevbpf
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240315205535.1321-1-thinhtr@linux.ibm.com \
--to=thinhtr@linux.ibm.com \
--cc=VENKATA.SAI.DUGGI@ibm.com \
--cc=abdhalee@in.ibm.com \
--cc=aelior@marvell.com \
--cc=davem@davemloft.net \
--cc=drc@linux.vnet.ibm.com \
--cc=edumazet@google.com \
--cc=jacob.e.keller@intel.com \
--cc=kuba@kernel.org \
--cc=manishc@marvell.com \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=simon.horman@corigine.com \
--cc=skalluru@marvell.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).