From: Jason Gunthorpe <jgg@ziepe.ca>
To: Neil Horman <nhorman@tuxdriver.com>
Cc: linux-rdma@vger.kernel.org, Adit Ranadive <aditr@vmware.com>,
VMware PV-Drivers <pv-drivers@vmware.com>,
Doug Ledford <dledford@redhat.com>,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH v2] vmw_pvrdma: Release netdev when vmxnet3 module is removed
Date: Tue, 3 Jul 2018 15:53:25 -0600 [thread overview]
Message-ID: <20180703215325.GA29072@ziepe.ca> (raw)
In-Reply-To: <20180629115206.18787-1-nhorman@tuxdriver.com>
On Fri, Jun 29, 2018 at 07:52:06AM -0400, Neil Horman wrote:
> On repeated module load/unload cycles, its possible for the pvrmda
> driver to encounter this crash:
>
> ...
> 297.032448] RIP: 0010:[<ffffffff839e4620>] [<ffffffff839e4620>] netdev_walk_all_upper_dev_rcu+0x50/0xb0
> [ 297.034078] RSP: 0018:ffff95087780bd08 EFLAGS: 00010286
> [ 297.034986] RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff95087a0c0000
> [ 297.036196] RDX: ffff95087a0c0000 RSI: ffffffff839e44e0 RDI: ffff950835d0c000
> [ 297.037421] RBP: ffff95087780bd40 R08: ffff95087a0e0ea0 R09: abddacd03f8e0ea0
> [ 297.038636] R10: abddacd03f8e0ea0 R11: ffffef5901e9dbc0 R12: ffff95087a0c0000
> [ 297.039854] R13: ffffffff839e44e0 R14: ffff95087a0c0000 R15: ffff950835d0c828
> [ 297.041071] FS: 0000000000000000(0000) GS:ffff95087fc00000(0000) knlGS:0000000000000000
> [ 297.042443] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [ 297.043429] CR2: ffffffffffffffe8 CR3: 000000007a652000 CR4: 00000000003607f0
> [ 297.044674] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> [ 297.045893] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> [ 297.047109] Call Trace:
> [ 297.047545] [<ffffffff839e4698>] netdev_has_upper_dev_all_rcu+0x18/0x20
> [ 297.048691] [<ffffffffc05d31af>] is_eth_port_of_netdev+0x2f/0xa0 [ib_core]
> [ 297.049886] [<ffffffffc05d3180>] ? is_eth_active_slave_of_bonding_rcu+0x70/0x70 [ib_core]
> ...
>
> This occurs because vmw_pvrdma on probe stores a pointer to the netdev
> that exists on function 0 of the same bus/device/slot (which represents
> the vmxnet3 ethernet driver). However, it never removes this pointer if
> the vmxnet3 module is removed, leading to crashes resulting from use
> after free dereferencing incidents like the one above.
>
> The fix is pretty straightforward. vmw_pvrdma should listen for
> NETDEV_REGISTER and NETDEV_UNREGISTER events in its event listener code
> block, and update the stored netdev pointer accordingly. This solution
> has been tested by myself and the reporter with successful results.
> This fix also allows the pvrdma driver to find its underlying ethernet
> device in the event that vmxnet3 is loaded after pvrdma, which it was
> not able to do before.
>
> Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
> Reported-by: ruquin@redhat.com
> CC: Adit Ranadive <aditr@vmware.com>
> CC: VMware PV-Drivers <pv-drivers@vmware.com>
> CC: Doug Ledford <dledford@redhat.com>
> CC: Jason Gunthorpe <jgg@ziepe.ca>
> CC: linux-kernel@vger.kernel.org
> Tested-by: Adit Ranadive <aditr@vmware.com>
> Acked-by: Adit Ranadive <aditr@vmware.com>
> ---
> Change notes
>
> v2)
> * Move dev_hold in pvrda_pci_probe to below null check (aditr)
> * Add dev_puts to probe error path and pvrda_pci_remove (jgg)
> * Cleaned up some checkpatch warnings (nhorman)
> ---
> .../infiniband/hw/vmw_pvrdma/pvrdma_main.c | 39 ++++++++++++++++++-
> 1 file changed, 37 insertions(+), 2 deletions(-)
Appled to for-next
Thanks,
Jason
next prev parent reply other threads:[~2018-07-03 21:53 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-06-28 13:59 [PATCH] vmw_pvrdma: Release netdev when vmxnet3 module is removed Neil Horman
2018-06-28 18:59 ` Jason Gunthorpe
2018-06-28 19:45 ` Neil Horman
2018-06-28 20:37 ` Jason Gunthorpe
2018-06-28 21:15 ` Adit Ranadive
2018-06-29 11:33 ` Neil Horman
2018-06-29 11:21 ` Neil Horman
2018-06-29 11:52 ` [PATCH v2] " Neil Horman
2018-07-02 23:30 ` Adit Ranadive
2018-07-03 21:53 ` Jason Gunthorpe [this message]
2018-06-30 19:15 ` [PATCH] " Dan Carpenter
2018-07-01 12:18 ` Neil Horman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180703215325.GA29072@ziepe.ca \
--to=jgg@ziepe.ca \
--cc=aditr@vmware.com \
--cc=dledford@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-rdma@vger.kernel.org \
--cc=nhorman@tuxdriver.com \
--cc=pv-drivers@vmware.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).