From: "Michael Kelley (LINUX)" <mikelley@microsoft.com>
To: Haiyang Zhang <haiyangz@microsoft.com>,
	"linux-hyperv@vger.kernel.org" <linux-hyperv@vger.kernel.org>,
	"netdev@vger.kernel.org" <netdev@vger.kernel.org>
Cc: Haiyang Zhang <haiyangz@microsoft.com>,
	Dexuan Cui <decui@microsoft.com>,
	KY Srinivasan <kys@microsoft.com>,
	Paul Rosswurm <paulros@microsoft.com>,
	"olaf@aepfle.de" <olaf@aepfle.de>,
	"vkuznets@redhat.com" <vkuznets@redhat.com>,
	"davem@davemloft.net" <davem@davemloft.net>,
	"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
	"stable@vger.kernel.org" <stable@vger.kernel.org>
Subject: RE: [PATCH net, 2/2] net: mana: Fix accessing freed irq affinity_hint
Date: Sun, 29 Jan 2023 14:26:43 +0000	[thread overview]
Message-ID: <BYAPR21MB1688D54F89D19932B3654E0ED7D29@BYAPR21MB1688.namprd21.prod.outlook.com> (raw)
In-Reply-To: <1674767085-18583-3-git-send-email-haiyangz@microsoft.com>

From: LKML haiyangz <lkmlhyz@microsoft.com> On Behalf Of Haiyang Zhang Sent: Thursday, January 26, 2023 1:05 PM
> 
> After calling irq_set_affinity_and_hint(), the cpumask pointer is
> saved in desc->affinity_hint, and will be used later when reading
> /proc/irq/<num>/affinity_hint. So the cpumask variable needs to be
> allocated per irq, and available until freeing the irq. Otherwise,
> we are accessing freed memory when reading the affinity_hint file.
> 
> To fix the bug, allocate the cpumask per irq, and free it just
> before freeing the irq.

Since the cpumask being passed to irq_set_affinity_and_hint()
always contains exactly one CPU, the code can be considerably
simplified by using the pre-calculated and persistent masks
available as cpumask_of(cpu).  All allocation of cpumasks in this
code goes away, and you can set the affinity_hint to NULL in the
cleanup and remove paths without having to free any masks.

Michael

> 
> Cc: stable@vger.kernel.org
> Fixes: 71fa6887eeca ("net: mana: Assign interrupts to CPUs based on NUMA nodes")
> Signed-off-by: Haiyang Zhang <haiyangz@microsoft.com>
> ---
>  .../net/ethernet/microsoft/mana/gdma_main.c   | 40 ++++++++++---------
>  include/net/mana/gdma.h                       |  1 +
>  2 files changed, 23 insertions(+), 18 deletions(-)
> 
> diff --git a/drivers/net/ethernet/microsoft/mana/gdma_main.c
> b/drivers/net/ethernet/microsoft/mana/gdma_main.c
> index 3bae9d4c1f08..37473ae3859c 100644
> --- a/drivers/net/ethernet/microsoft/mana/gdma_main.c
> +++ b/drivers/net/ethernet/microsoft/mana/gdma_main.c
> @@ -1219,7 +1219,6 @@ static int mana_gd_setup_irqs(struct pci_dev *pdev)
>  	struct gdma_irq_context *gic;
>  	unsigned int max_irqs;
>  	u16 *cpus;
> -	cpumask_var_t req_mask;
>  	int nvec, irq;
>  	int err, i = 0, j;
> 
> @@ -1240,25 +1239,26 @@ static int mana_gd_setup_irqs(struct pci_dev *pdev)
>  		goto free_irq_vector;
>  	}
> 
> -	if (!zalloc_cpumask_var(&req_mask, GFP_KERNEL)) {
> -		err = -ENOMEM;
> -		goto free_irq;
> -	}
> -
>  	cpus = kcalloc(nvec, sizeof(*cpus), GFP_KERNEL);
>  	if (!cpus) {
>  		err = -ENOMEM;
> -		goto free_mask;
> +		goto free_gic;
>  	}
>  	for (i = 0; i < nvec; i++)
>  		cpus[i] = cpumask_local_spread(i, gc->numa_node);
> 
>  	for (i = 0; i < nvec; i++) {
> -		cpumask_set_cpu(cpus[i], req_mask);
>  		gic = &gc->irq_contexts[i];
>  		gic->handler = NULL;
>  		gic->arg = NULL;
> 
> +		if (!zalloc_cpumask_var(&gic->cpu_hint, GFP_KERNEL)) {
> +			err = -ENOMEM;
> +			goto free_irq;
> +		}
> +
> +		cpumask_set_cpu(cpus[i], gic->cpu_hint);
> +
>  		if (!i)
>  			snprintf(gic->name, MANA_IRQ_NAME_SZ,
> "mana_hwc@pci:%s",
>  				 pci_name(pdev));
> @@ -1269,17 +1269,18 @@ static int mana_gd_setup_irqs(struct pci_dev *pdev)
>  		irq = pci_irq_vector(pdev, i);
>  		if (irq < 0) {
>  			err = irq;
> -			goto free_mask;
> +			free_cpumask_var(gic->cpu_hint);
> +			goto free_irq;
>  		}
> 
>  		err = request_irq(irq, mana_gd_intr, 0, gic->name, gic);
> -		if (err)
> -			goto free_mask;
> -		irq_set_affinity_and_hint(irq, req_mask);
> -		cpumask_clear(req_mask);
> +		if (err) {
> +			free_cpumask_var(gic->cpu_hint);
> +			goto free_irq;
> +		}
> +
> +		irq_set_affinity_and_hint(irq, gic->cpu_hint);
>  	}
> -	free_cpumask_var(req_mask);
> -	kfree(cpus);
> 
>  	err = mana_gd_alloc_res_map(nvec, &gc->msix_resource);
>  	if (err)
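Review bot: The `pci_irq_vector()` and `request_irq()` failure branches each free `gic->cpu_hint` inline, and nothing on the page says why that is needed. The `free_irq` loop starts at `j = i - 1`, so it never reaches the entry whose setup just failed. A later edit that adds another failure exit inside the loop and jumps to `free_irq` without the inline free would leak that entry's mask. A comment such as `/* irq i was never requested: free its mask here, free_irq only unwinds 0..i-1 */` on the first branch would make the contract explicit. `mana_gd_setup_irqs()` starts and ends outside this hunk.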
> @@ -1288,20 +1289,22 @@ static int mana_gd_setup_irqs(struct pci_dev *pdev)
>  	gc->max_num_msix = nvec;
>  	gc->num_msix_usable = nvec;
> 
> +	kfree(cpus);
>  	return 0;
> 
> -free_mask:
> -	free_cpumask_var(req_mask);
> -	kfree(cpus);
>  free_irq:
>  	for (j = i - 1; j >= 0; j--) {
>  		irq = pci_irq_vector(pdev, j);
>  		gic = &gc->irq_contexts[j];
> 
>  		irq_update_affinity_hint(irq, NULL);
> +		free_cpumask_var(gic->cpu_hint);
>  		free_irq(irq, gic);
>  	}
> 
> +	kfree(cpus);
> +
> +free_gic:
>  	kfree(gc->irq_contexts);
>  	gc->irq_contexts = NULL;
>  free_irq_vector:
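Review bot: In the `free_irq` unwind loop the new `free_cpumask_var(gic->cpu_hint)` is only safe because it follows `irq_update_affinity_hint(irq, NULL)`, and no comment records that ordering. Per the commit description, `desc->affinity_hint` keeps pointing at the mask until the hint is cleared. Swapping the two calls would bring back the freed-memory read through `/proc/irq/<num>/affinity_hint`. I would add `/* Clear the hint first: desc->affinity_hint points at gic->cpu_hint until then */` above the pair. The same applies to the `mana_gd_remove_irqs()` hunk, where the existing comment mentions only `free_irq`. The function body starts outside this hunk.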
> @@ -1329,6 +1332,7 @@ static void mana_gd_remove_irqs(struct pci_dev *pdev)
> 
>  		/* Need to clear the hint before free_irq */
>  		irq_update_affinity_hint(irq, NULL);
> +		free_cpumask_var(gic->cpu_hint);
>  		free_irq(irq, gic);
>  	}
> 
> diff --git a/include/net/mana/gdma.h b/include/net/mana/gdma.h
> index 56189e4252da..4dcafecbd89e 100644
> --- a/include/net/mana/gdma.h
> +++ b/include/net/mana/gdma.h
> @@ -342,6 +342,7 @@ struct gdma_irq_context {
>  	void (*handler)(void *arg);
>  	void *arg;
>  	char name[MANA_IRQ_NAME_SZ];
> +	cpumask_var_t cpu_hint;
>  };
> 
>  struct gdma_context {
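Review bot: The new `cpu_hint` member in `struct gdma_irq_context` has a lifetime requirement that the struct does not document. The commit description says the IRQ core keeps the pointer in `desc->affinity_hint` after `irq_set_affinity_and_hint()`, so the mask must outlive the registration. A field comment such as `/* handed to irq_set_affinity_and_hint(); must stay allocated until the hint is cleared */` would help anyone who later touches the teardown paths.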
> --
> 2.25.1


2023-01-26 21:04 [PATCH net, 0/2] Fix usage of irq affinity_hint Haiyang Zhang
2023-01-26 21:04 ` [PATCH net, 1/2] net: mana: Fix hint value before free irq Haiyang Zhang
2023-01-29  9:27   ` Leon Romanovsky
2023-01-29 18:51     ` Haiyang Zhang
2023-01-29 14:26   ` Michael Kelley (LINUX)
2023-01-29 18:54     ` Haiyang Zhang
2023-01-26 21:04 ` [PATCH net, 2/2] net: mana: Fix accessing freed irq affinity_hint Haiyang Zhang
2023-01-29  9:35   ` Leon Romanovsky
2023-01-29 14:26   ` Michael Kelley (LINUX) [this message]
2023-01-29 18:51     ` Haiyang Zhang
2023-01-29 19:05       ` Haiyang Zhang
