From: Saeed Mahameed
To: "David S. Miller"
CC: "netdev@vger.kernel.org", Vlad Buslov, Saeed Mahameed
Subject: [net-next v2 15/16] net/mlx5e: Fix deallocation of non-fully init encap entries
Date: Tue, 20 Aug 2019 20:24:38 +0000
Message-ID: <20190820202352.2995-16-saeedm@mellanox.com>
References: <20190820202352.2995-1-saeedm@mellanox.com>
In-Reply-To: <20190820202352.2995-1-saeedm@mellanox.com>
X-Mailing-List: netdev@vger.kernel.org

From: Vlad Buslov

Recent rtnl lock dependency refactoring changed encap entry attach code to
insert encap entry to hash table before it was fully initialized in order
to allow concurrent tc users to wait on completion for encap entry to
finish initialization. That change required all the users of encap entry to
obtain reference to it first and for caller that creates encap to put
reference to it on error, instead of freeing the entry memory directly.
However, releasing reference to such encap entry that wasn't fully
initialized causes NULL pointer dereference in
mlx5e_rep_encap_entry_detach() which expects e->out_dev to be set and encap
to be attached to nhe:

[ 1092.454517] BUG: unable to handle page fault for address: 00000000000420e8
[ 1092.454571] #PF: supervisor read access in kernel mode
[ 1092.454602] #PF: error_code(0x0000) - not-present page
[ 1092.454632] PGD 800000083032c067 P4D 800000083032c067 PUD 84107d067 PMD 0
[ 1092.454673] Oops: 0000 [#1] SMP PTI
[ 1092.454697] CPU: 20 PID: 22393 Comm: tc Not tainted 5.3.0-rc3+ #589
[ 1092.454733] Hardware name: Supermicro SYS-2028TP-DECR/X10DRT-P, BIOS 2.0b 03/30/2017
[ 1092.454806] RIP: 0010:mlx5e_rep_encap_entry_detach+0x1c/0x630 [mlx5_core]
[ 1092.454845] Code: be f4 ff ff ff e9 11 ff ff ff 0f 1f 40 00 0f 1f 44 00 00 55 48 89 e5 41 57 41 56 41 55 41 54 49 89 fc 53 48 89 f3 48 83 ec 30 <48> 8b 87 28 16 04 00 48 89 f7 48 05 d0 03 00 00 48 89 45 c8 e8 cb
[ 1092.454942] RSP: 0018:ffffb6f08421f5a0 EFLAGS: 00010286
[ 1092.454974] RAX: 0000000000000000 RBX: ffff8ab668644e00 RCX: ffffb6f08421f56c
[ 1092.455013] RDX: ffff8ab668644e40 RSI: ffff8ab668644e00 RDI: 0000000000000ac0
[ 1092.455053] RBP: ffffb6f08421f5f8 R08: 0000000000000001 R09: 0000000000000000
[ 1092.455092] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000ac0
[ 1092.455131] R13: 00000000ffffff9b R14: ffff8ab63f200ac0 R15: ffff8ab668644e40
[ 1092.455171] FS: 00007fa195bdc480(0000) GS:ffff8ab66fa00000(0000) knlGS:0000000000000000
[ 1092.455216] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 1092.455249] CR2: 00000000000420e8 CR3: 0000000867522001 CR4: 00000000001606e0
[ 1092.455288] Call Trace:
[ 1092.455315] ? __mutex_unlock_slowpath+0x4d/0x2a0
[ 1092.455365] mlx5e_encap_dealloc.isra.0+0x31/0x60 [mlx5_core]
[ 1092.455424] mlx5e_tc_add_fdb_flow+0x596/0x750 [mlx5_core]
[ 1092.455484] __mlx5e_add_fdb_flow+0x152/0x210 [mlx5_core]
[ 1092.455534] mlx5e_configure_flower+0x4d5/0xe30 [mlx5_core]
[ 1092.455574] tc_setup_cb_call+0x67/0xb0
[ 1092.455601] fl_hw_replace_filter+0x142/0x300 [cls_flower]
[ 1092.455639] fl_change+0xd24/0x1bdb [cls_flower]
[ 1092.455675] tc_new_tfilter+0x3e0/0x970
[ 1092.455709] ? tc_del_tfilter+0x720/0x720
[ 1092.455735] rtnetlink_rcv_msg+0x389/0x4b0
[ 1092.455763] ? netlink_deliver_tap+0x95/0x400
[ 1092.455791] ? rtnl_dellink+0x2d0/0x2d0
[ 1092.455817] netlink_rcv_skb+0x49/0x110
[ 1092.455844] netlink_unicast+0x171/0x200
[ 1092.455872] netlink_sendmsg+0x224/0x3f0
[ 1092.455901] sock_sendmsg+0x5e/0x60
[ 1092.455924] ___sys_sendmsg+0x2ae/0x330
[ 1092.455950] ? task_work_add+0x43/0x50
[ 1092.455976] ? fput_many+0x45/0x80
[ 1092.456004] ? __lock_acquire+0x248/0x18e0
[ 1092.456033] ? find_held_lock+0x2b/0x80
[ 1092.456058] ? task_work_run+0x7b/0xd0
[ 1092.456085] __sys_sendmsg+0x59/0xa0
[ 1092.457013] do_syscall_64+0x5c/0xb0
[ 1092.457924] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 1092.458842] RIP: 0033:0x7fa195da27b8
[ 1092.459918] Code: 89 02 48 c7 c0 ff ff ff ff eb bb 0f 1f 80 00 00 00 00 f3 0f 1e fa 48 8d 05 65 8f 0c 00 8b 00 85 c0 75 17 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 58 c3 0f 1f 80 00 00 00 00 48 83 ec 28 89 54
[ 1092.462634] RSP: 002b:00007fff94409298 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 1092.464011] RAX: ffffffffffffffda RBX: 000000005d515b0e RCX: 00007fa195da27b8
[ 1092.465391] RDX: 0000000000000000 RSI: 00007fff94409300 RDI: 0000000000000003
[ 1092.466761] RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000006
[ 1092.468121] R10: 0000000000404ec2 R11: 0000000000000246 R12: 0000000000000001
[ 1092.469456] R13: 0000000000480640 R14: 0000000000000016 R15: 0000000000000001
[ 1092.470766] Modules linked in: act_mirred act_tunnel_key cls_flower dummy vxlan ip6_udp_tunnel udp_tunnel sch_ingress nfsv3 nfs_acl nfs lockd grace fscache tun bridge stp llc sunrpc rdma_ucm rdma_cm iw_cm ib_cm mlx5_ib
ib_uverbs ib_core intel_rapl_msr intel_rapl_common sb_edac x86_pkg_temp_thermal intel_powerclamp coretemp mlx5_core kvm_intel kvm irqbypass crct10dif_pclmul mei_me crc32_pclmul crc32
c_intel igb iTCO_wdt ghash_clmulni_intel ses mlxfw intel_cstate iTCO_vendor_support ptp intel_uncore lpc_ich pps_core mei i2c_i801 joydev intel_rapl_perf ioatdma enclosure ipmi_ssif pcspkr dca wmi ipmi_
si ipmi_devintf ipmi_msghandler acpi_pad acpi_power_meter ast i2c_algo_bit drm_vram_helper ttm drm_kms_helper drm mpt3sas raid_class scsi_transport_sas
[ 1092.479618] CR2: 00000000000420e8
[ 1092.481214] ---[ end trace ce2e0f4d9a67f604 ]---

To fix the issue, set e->compl_result to positive value after encap was
initialized successfully. Check e->compl_result value in
mlx5e_encap_dealloc() and only detach and dealloc encap if the value is
positive.

Fixes: d589e785baf5 ("net/mlx5e: Allow concurrent creation of encap entries= ") Signed-off-by: Vlad Buslov Signed-off-by: Saeed Mahameed --- drivers/net/ethernet/mellanox/mlx5/core/en_tc.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c b/drivers/net/= ethernet/mellanox/mlx5/core/en_tc.c index c57f7533a6d0..3917834b48ff 100644 --- a/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c +++ b/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c @@ -1481,10 +1481,13 @@ void mlx5e_tc_update_neigh_used_value(struct mlx5e_= neigh_hash_entry *nhe) static void mlx5e_encap_dealloc(struct mlx5e_priv *priv, struct mlx5e_enca= p_entry *e) { WARN_ON(!list_empty(&e->flows)); - mlx5e_rep_encap_entry_detach(netdev_priv(e->out_dev), e); =20 - if (e->flags & MLX5_ENCAP_ENTRY_VALID) - mlx5_packet_reformat_dealloc(priv->mdev, e->encap_id); + if (e->compl_result > 0) { + mlx5e_rep_encap_entry_detach(netdev_priv(e->out_dev), e); + + if (e->flags & MLX5_ENCAP_ENTRY_VALID) + mlx5_packet_reformat_dealloc(priv->mdev, e->encap_id); + } =20 kfree(e->encap_header); kfree(e); @@ -2919,7 +2922,7 @@ static int mlx5e_attach_encap(struct mlx5e_priv *priv= , =20 /* Protect against concurrent neigh update. */ mutex_lock(&esw->offloads.encap_tbl_lock); - if (e->compl_result) { + if (e->compl_result < 0) { err =3D -EREMOTEIO; goto out_err; } @@ -2959,6 +2962,7 @@ static int mlx5e_attach_encap(struct mlx5e_priv *priv= , e->compl_result =3D err; goto out_err; } + e->compl_result =3D 1; =20 attach_flow: flow->encaps[out_index].e =3D e; --=20 2.21.0
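
Review bot: In mlx5e_encap_dealloc(), the new "if (e->compl_result > 0)" guard skips the detach and the reformat dealloc for entries that never finished init, but kfree(e->encap_header) and kfree(e) still run unconditionally after it. That is only safe if e->encap_header is NULL or a valid allocation on every path that reaches this function with compl_result <= 0, so a short comment above the guard stating that assumption would help, together with a note that a positive compl_result is what guarantees e->out_dev is set and the entry is attached to nhe.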
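
Review bot: At the "if (e->compl_result < 0)" check in the first mlx5e_attach_encap() hunk (the waiter path, after taking encap_tbl_lock), a value of 0 now falls through to the attach path even though, with this patch, 0 no longer means success: success is the positive value, and mlx5e_encap_dealloc() treats anything that is not positive as not initialized. If a waiter can never observe 0 at this point, a WARN_ON(!e->compl_result) or a "<= 0" test would make that assumption explicit and keep a flow from attaching to an entry whose init never completed.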
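
Review bot: The "e->compl_result = 1;" added just before the attach_flow label in the second mlx5e_attach_encap() hunk is a bare literal that two other sites now depend on, the "> 0" test in mlx5e_encap_dealloc() and the "< 0" test for waiters. The patch turns the field into a three-way state (negative error from the "e->compl_result = err" path, positive once initialized, and by implication 0 before either), so please document that where the field is declared or use a named constant instead of 1, so that a later caller does not reintroduce a plain "if (e->compl_result)" check.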