From: Alexander Lobakin <alexandr.lobakin@intel.com>
To: Ivan Vecera <ivecera@redhat.com>
Cc: Alexander Lobakin <alexandr.lobakin@intel.com>,
	netdev@vger.kernel.org,
	"moderated list:INTEL ETHERNET DRIVERS" 
	<intel-wired-lan@lists.osuosl.org>,
	mschmidt@redhat.com, Brett Creeley <brett.creeley@intel.com>,
	open list <linux-kernel@vger.kernel.org>,
	poros@redhat.com, Madhu Chittim <madhu.chittim@intel.com>,
	Jeff Kirsher <jeffrey.t.kirsher@intel.com>,
	Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
	"David S. Miller" <davem@davemloft.net>
Subject: Re: [Intel-wired-lan] [PATCH net] ice: Fix use-after-free
Date: Mon,  4 Apr 2022 13:04:07 +0200
Message-ID: <20220404110407.1106047-1-alexandr.lobakin@intel.com>
In-Reply-To: <20220404100615.23525-1-ivecera@redhat.com>

From: Ivan Vecera <ivecera@redhat.com>
Date: Mon,  4 Apr 2022 12:06:14 +0200

> When CONFIG_RFS_ACCEL is enabled the driver uses CPU affinity
> reverse-maps that set CPU affinity notifier in the background.
> 
> If the interface is put down then ice_vsi_free_irq() is called
> via ice_vsi_close() and this clears affinity notifiers of IRQs
> associated with the VSI and old notifier's release callback
> is called - for this case this is cpu_rmap_release() that
> frees allocated cpu_rmap.
> 
> During device removal (ice_remove()) free_irq_cpu_rmap() is called
> and it tries to free already de-allocated cpu_rmap.
> 
> Do not clear IRQ affinity notifier in ice_vsi_free_irq() when
> CONFIG_RFS_ACCEL is enabled. This is a code-path that
> commit 28bf26724fdb ("ice: Implement aRFS") forgot to handle.

Hey, thanks for the fix!
I posted a patch which supersedes these changes to the internal
review on Friday. I would proceed with applying mine (which I'll
submit in 2 hours, it should've waited for the internal acks first),
but for sure I can add you as 'Co-Developed-by:' if you want (or
vice versa, me as co-dev-by?).

> 
> Reproducer:
> [root@host ~]# ip link set ens7f0 up
> [root@host ~]# ip link set ens7f0 down

--- 8< ---

>  		/* clear the affinity_mask in the IRQ descriptor */
>  		irq_set_affinity_hint(irq_num, NULL);
> -- 
> 2.35.1

Thanks,
Al
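
The lifetime problem described in the quoted commit message, as an added userspace model that is not part of either message or of the ice driver. Every name here (`rmap`, `notifier_clear`, `vsi_free_irq`, `dev_remove`, `run_lifecycle`) is hypothetical, and the model assumes that removal performs the final free; a second free is counted rather than performed.

```c
#include <stdbool.h>
#include <stdio.h>

/* Userspace model only: hypothetical names, not the ice driver's code. */
struct rmap { bool live; };                      /* stands in for the cpu_rmap */
struct notifier { struct rmap *map; bool set; }; /* IRQ affinity notifier */

static struct rmap pool;   /* static storage, so a stale free is never real UB */
static int stale_frees;    /* frees attempted on an already freed map */

static struct rmap *map_alloc(void) { pool.live = true; return &pool; }

static void map_free(struct rmap *m)
{
    if (!m->live) { stale_frees++; return; }  /* the second free in the report */
    m->live = false;
}

/* Clearing a notifier runs its release callback, which frees the map. */
static void notifier_clear(struct notifier *n)
{
    if (!n->set) return;
    n->set = false;
    map_free(n->map);
}

/* Interface down: clear_on_down = true models the behaviour before the fix. */
static void vsi_free_irq(struct notifier *n, bool clear_on_down)
{
    if (clear_on_down) notifier_clear(n);
}

/* Device removal frees the map (assumption: it also detaches the notifier). */
static void dev_remove(struct notifier *n)
{
    map_free(n->map);
    n->set = false;
}

/* Runs up -> down -> remove and returns the number of stale frees seen. */
static int run_lifecycle(bool clear_on_down)
{
    struct notifier n = { .map = map_alloc(), .set = true };
    stale_frees = 0;
    vsi_free_irq(&n, clear_on_down);
    dev_remove(&n);
    return stale_frees;
}

int main(void) { printf("%d %d\n", run_lifecycle(true), run_lifecycle(false)); return 0; }
```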
