Patch Detail
get:
Show a patch.
patch:
Update a patch.
put:
Update a patch.
GET /api/patches/1613107/?format=api
{ "id": 1613107, "url": "http://patchwork.ozlabs.org/api/patches/1613107/?format=api", "web_url": "http://patchwork.ozlabs.org/project/intel-wired-lan/patch/20220404161509.3489310-1-alexandr.lobakin@intel.com/", "project": { "id": 46, "url": "http://patchwork.ozlabs.org/api/projects/46/?format=api", "name": "Intel Wired Ethernet development", "link_name": "intel-wired-lan", "list_id": "intel-wired-lan.osuosl.org", "list_email": "intel-wired-lan@osuosl.org", "web_url": "", "scm_url": "", "webscm_url": "", "list_archive_url": "", "list_archive_url_format": "", "commit_url_format": "" }, "msgid": "<20220404161509.3489310-1-alexandr.lobakin@intel.com>", "list_archive_url": null, "date": "2022-04-04T16:15:09", "name": "[v2,net] ice: arfs: fix use-after-free when freeing @rx_cpu_rmap", "commit_ref": null, "pull_url": null, "state": "accepted", "archived": false, "hash": "7938972ff85acc12aedd7d9219f605c5e1453704", "submitter": { "id": 82933, "url": "http://patchwork.ozlabs.org/api/people/82933/?format=api", "name": "Alexander Lobakin", "email": "alexandr.lobakin@intel.com" }, "delegate": { "id": 109701, "url": "http://patchwork.ozlabs.org/api/users/109701/?format=api", "username": "anguy11", "first_name": "Anthony", "last_name": "Nguyen", "email": "anthony.l.nguyen@intel.com" }, "mbox": "http://patchwork.ozlabs.org/project/intel-wired-lan/patch/20220404161509.3489310-1-alexandr.lobakin@intel.com/mbox/", "series": [ { "id": 293448, "url": "http://patchwork.ozlabs.org/api/series/293448/?format=api", "web_url": "http://patchwork.ozlabs.org/project/intel-wired-lan/list/?series=293448", "date": "2022-04-04T16:15:09", "name": "[v2,net] ice: arfs: fix use-after-free when freeing @rx_cpu_rmap", "version": 2, "mbox": "http://patchwork.ozlabs.org/series/293448/mbox/" } ], "comments": "http://patchwork.ozlabs.org/api/patches/1613107/comments/", "check": "pending", "checks": "http://patchwork.ozlabs.org/api/patches/1613107/checks/", "tags": {}, "related": [], "headers": { "Return-Path": "<intel-wired-lan-bounces@osuosl.org>", "X-Original-To": [ "incoming@patchwork.ozlabs.org", "intel-wired-lan@lists.osuosl.org" ], "Delivered-To": [ "patchwork-incoming@bilbo.ozlabs.org", "intel-wired-lan@lists.osuosl.org" ], "Authentication-Results": [ "bilbo.ozlabs.org;\n\tdkim=fail reason=\"signature verification failed\" (2048-bit key;\n unprotected) header.d=intel.com header.i=@intel.com header.a=rsa-sha256\n header.s=Intel header.b=FXWfoT2H;\n\tdkim-atps=neutral", "ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=osuosl.org\n (client-ip=2605:bc80:3010::133; helo=smtp2.osuosl.org;\n envelope-from=intel-wired-lan-bounces@osuosl.org; receiver=<UNKNOWN>)" ], "Received": [ "from smtp2.osuosl.org (smtp2.osuosl.org [IPv6:2605:bc80:3010::133])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest\n SHA256)\n\t(No client certificate requested)\n\tby bilbo.ozlabs.org (Postfix) with ESMTPS id 4KXGCK2Xy0z9sFy\n\tfor <incoming@patchwork.ozlabs.org>; Tue, 5 Apr 2022 02:17:49 +1000 (AEST)", "from localhost (localhost [127.0.0.1])\n\tby smtp2.osuosl.org (Postfix) with ESMTP id 1152E404D1;\n\tMon, 4 Apr 2022 16:17:47 +0000 (UTC)", "from smtp2.osuosl.org ([127.0.0.1])\n\tby localhost (smtp2.osuosl.org [127.0.0.1]) (amavisd-new, port 10024)\n\twith ESMTP id P8zd_XrAuj8K; Mon, 4 Apr 2022 16:17:46 +0000 (UTC)", "from ash.osuosl.org (ash.osuosl.org [140.211.166.34])\n\tby smtp2.osuosl.org (Postfix) with ESMTP id E5D37404F8;\n\tMon, 4 Apr 2022 16:17:45 +0000 (UTC)", "from smtp2.osuosl.org (smtp2.osuosl.org [140.211.166.133])\n by ash.osuosl.org (Postfix) with ESMTP id CDC191BF983\n for <intel-wired-lan@lists.osuosl.org>; Mon, 4 Apr 2022 16:17:44 +0000 (UTC)", "from localhost (localhost [127.0.0.1])\n by smtp2.osuosl.org (Postfix) with ESMTP id B431A404D1\n for <intel-wired-lan@lists.osuosl.org>; Mon, 4 Apr 2022 16:17:44 +0000 (UTC)", "from smtp2.osuosl.org ([127.0.0.1])\n by localhost (smtp2.osuosl.org [127.0.0.1]) (amavisd-new, port 10024)\n with ESMTP id mUTYC7_1luck for <intel-wired-lan@lists.osuosl.org>;\n Mon, 4 Apr 2022 16:17:43 +0000 (UTC)", "from mga14.intel.com (mga14.intel.com [192.55.52.115])\n by smtp2.osuosl.org (Postfix) with ESMTPS id B706D4017C\n for <intel-wired-lan@lists.osuosl.org>; Mon, 4 Apr 2022 16:17:43 +0000 (UTC)", "from fmsmga008.fm.intel.com ([10.253.24.58])\n by fmsmga103.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384;\n 04 Apr 2022 09:17:43 -0700", "from irvmail001.ir.intel.com ([10.43.11.63])\n by fmsmga008.fm.intel.com with ESMTP; 04 Apr 2022 09:17:39 -0700", "from newjersey.igk.intel.com (newjersey.igk.intel.com\n [10.102.20.203])\n by irvmail001.ir.intel.com (8.14.3/8.13.6/MailSET/Hub) with ESMTP id\n 234GHcxh011369; Mon, 4 Apr 2022 17:17:38 +0100" ], "X-Virus-Scanned": [ "amavisd-new at osuosl.org", "amavisd-new at osuosl.org" ], "X-Greylist": "domain auto-whitelisted by SQLgrey-1.8.0", "DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/simple;\n d=intel.com; i=@intel.com; q=dns/txt; s=Intel;\n t=1649089063; x=1680625063;\n h=from:to:cc:subject:date:message-id:mime-version:\n content-transfer-encoding;\n bh=1wJZoCCNHZ3CajDhfpvf9vTq2hjXZH2ZVKNWz+NWKB8=;\n b=FXWfoT2HB++6WTHED4i37BTJaMen3dic2LrxRyBvvooE+zXFEj2f2m3a\n ss+6wIkzmKbqHCfYXVEXyXGxLRiiNPjwY/92laC/M9QZfbsikAiY/J3zP\n 5Ko/8vu9gT0nElpqKG3ETTho2yEq1buTvaf1zabYoBbhL18pSWsHWGsK6\n bbYQ/LrTjg217eERljBKxv28xemGU7li7ys6EqDjc7BYWVLBT8n25GaHU\n GFAu2Ljchw0ChL61l/ULo/YFzkBWzHzp+KyFzYdjtEdAcr1MCUL+y8DLH\n 3GGNkepQXviPZS6jdHviQ/vQK/oiVaxdOBX1hL/XQdGl8NfC6tU50sTXp Q==;", "X-IronPort-AV": [ "E=McAfee;i=\"6200,9189,10307\"; a=\"260731001\"", "E=Sophos;i=\"5.90,234,1643702400\"; d=\"scan'208\";a=\"260731001\"", "E=Sophos;i=\"5.90,234,1643702400\"; d=\"scan'208\";a=\"608090017\"" ], "X-ExtLoop1": "1", "From": "Alexander Lobakin <alexandr.lobakin@intel.com>", "To": "\"David S. Miller\" <davem@davemloft.net>, Jakub Kicinski <kuba@kernel.org>,\n Paolo Abeni <pabeni@redhat.com>", "Date": "Mon, 4 Apr 2022 18:15:09 +0200", "Message-Id": "<20220404161509.3489310-1-alexandr.lobakin@intel.com>", "X-Mailer": "git-send-email 2.35.1", "MIME-Version": "1.0", "Subject": "[Intel-wired-lan] [PATCH v2 net] ice: arfs: fix use-after-free when\n freeing @rx_cpu_rmap", "X-BeenThere": "intel-wired-lan@osuosl.org", "X-Mailman-Version": "2.1.29", "Precedence": "list", "List-Id": "Intel Wired Ethernet Linux Kernel Driver Development\n <intel-wired-lan.osuosl.org>", "List-Unsubscribe": "<https://lists.osuosl.org/mailman/options/intel-wired-lan>,\n <mailto:intel-wired-lan-request@osuosl.org?subject=unsubscribe>", "List-Archive": "<http://lists.osuosl.org/pipermail/intel-wired-lan/>", "List-Post": "<mailto:intel-wired-lan@osuosl.org>", "List-Help": "<mailto:intel-wired-lan-request@osuosl.org?subject=help>", "List-Subscribe": "<https://lists.osuosl.org/mailman/listinfo/intel-wired-lan>,\n <mailto:intel-wired-lan-request@osuosl.org?subject=subscribe>", "Cc": "Ivan Vecera <ivecera@redhat.com>, netdev@vger.kernel.org,\n Brett Creeley <brett@pensando.io>, linux-kernel@vger.kernel.org,\n Madhu Chittim <madhu.chittim@intel.com>, intel-wired-lan@lists.osuosl.org", "Content-Type": "text/plain; charset=\"us-ascii\"", "Content-Transfer-Encoding": "7bit", "Errors-To": "intel-wired-lan-bounces@osuosl.org", "Sender": "\"Intel-wired-lan\" <intel-wired-lan-bounces@osuosl.org>" }, "content": "The CI testing bots triggered the following splat:\n\n[ 718.203054] BUG: KASAN: use-after-free in free_irq_cpu_rmap+0x53/0x80\n[ 718.206349] Read of size 4 at addr ffff8881bd127e00 by task sh/20834\n[ 718.212852] CPU: 28 PID: 20834 Comm: sh Kdump: loaded Tainted: G S W IOE 5.17.0-rc8_nextqueue-devqueue-02643-g23f3121aca93 #1\n[ 718.219695] Hardware name: Intel Corporation S2600WFT/S2600WFT, BIOS SE5C620.86B.02.01.0012.070720200218 07/07/2020\n[ 718.223418] Call Trace:\n[ 718.227139]\n[ 718.230783] dump_stack_lvl+0x33/0x42\n[ 718.234431] print_address_description.constprop.9+0x21/0x170\n[ 718.238177] ? free_irq_cpu_rmap+0x53/0x80\n[ 718.241885] ? free_irq_cpu_rmap+0x53/0x80\n[ 718.245539] kasan_report.cold.18+0x7f/0x11b\n[ 718.249197] ? free_irq_cpu_rmap+0x53/0x80\n[ 718.252852] free_irq_cpu_rmap+0x53/0x80\n[ 718.256471] ice_free_cpu_rx_rmap.part.11+0x37/0x50 [ice]\n[ 718.260174] ice_remove_arfs+0x5f/0x70 [ice]\n[ 718.263810] ice_rebuild_arfs+0x3b/0x70 [ice]\n[ 718.267419] ice_rebuild+0x39c/0xb60 [ice]\n[ 718.270974] ? asm_sysvec_apic_timer_interrupt+0x12/0x20\n[ 718.274472] ? ice_init_phy_user_cfg+0x360/0x360 [ice]\n[ 718.278033] ? delay_tsc+0x4a/0xb0\n[ 718.281513] ? preempt_count_sub+0x14/0xc0\n[ 718.284984] ? delay_tsc+0x8f/0xb0\n[ 718.288463] ice_do_reset+0x92/0xf0 [ice]\n[ 718.292014] ice_pci_err_resume+0x91/0xf0 [ice]\n[ 718.295561] pci_reset_function+0x53/0x80\n<...>\n[ 718.393035] Allocated by task 690:\n[ 718.433497] Freed by task 20834:\n[ 718.495688] Last potentially related work creation:\n[ 718.568966] The buggy address belongs to the object at ffff8881bd127e00\n which belongs to the cache kmalloc-96 of size 96\n[ 718.574085] The buggy address is located 0 bytes inside of\n 96-byte region [ffff8881bd127e00, ffff8881bd127e60)\n[ 718.579265] The buggy address belongs to the page:\n[ 718.598905] Memory state around the buggy address:\n[ 718.601809] ffff8881bd127d00: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc\n[ 718.604796] ffff8881bd127d80: 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc\n[ 718.607794] >ffff8881bd127e00: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc\n[ 718.610811] ^\n[ 718.613819] ffff8881bd127e80: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc\n[ 718.617107] ffff8881bd127f00: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc\n\nThis is due to that free_irq_cpu_rmap() is always being called\n*after* (devm_)free_irq() and thus it tries to work with IRQ descs\nalready freed. For example, on device reset the driver frees the\nrmap right before allocating a new one (the splat above).\nMake rmap creation and freeing function symmetrical with\n{request,free}_irq() calls i.e. do that on ifup/ifdown instead\nof device probe/remove/resume. These operations can be performed\nindependently from the actual device aRFS configuration.\nAlso, make sure ice_vsi_free_irq() clears IRQ affinity notifiers\nonly when aRFS is disabled -- otherwise, CPU rmap sets and clears\nits own and they must not be touched manually.\n\nFixes: 28bf26724fdb0 (\"ice: Implement aRFS\")\nCo-developed-by: Ivan Vecera <ivecera@redhat.com>\nSigned-off-by: Ivan Vecera <ivecera@redhat.com>\nSigned-off-by: Alexander Lobakin <alexandr.lobakin@intel.com>\n---\nFrom v1[0]:\n - remove the obsolete `!vsi->arfs_fltr_list` check from\n ice_free_cpu_rx_rmap() leading to a leak and trace (Ivan).\n\n[0] https://lore.kernel.org/netdev/20220404132832.1936529-1-alexandr.lobakin@intel.com\n---\n drivers/net/ethernet/intel/ice/ice_arfs.c | 9 ++-------\n drivers/net/ethernet/intel/ice/ice_lib.c | 5 ++++-\n drivers/net/ethernet/intel/ice/ice_main.c | 18 ++++++++----------\n 3 files changed, 14 insertions(+), 18 deletions(-)", "diff": "diff --git a/drivers/net/ethernet/intel/ice/ice_arfs.c b/drivers/net/ethernet/intel/ice/ice_arfs.c\nindex 5daade32ea62..fba178e07600 100644\n--- a/drivers/net/ethernet/intel/ice/ice_arfs.c\n+++ b/drivers/net/ethernet/intel/ice/ice_arfs.c\n@@ -577,7 +577,7 @@ void ice_free_cpu_rx_rmap(struct ice_vsi *vsi)\n {\n \tstruct net_device *netdev;\n \n-\tif (!vsi || vsi->type != ICE_VSI_PF || !vsi->arfs_fltr_list)\n+\tif (!vsi || vsi->type != ICE_VSI_PF)\n \t\treturn;\n \n \tnetdev = vsi->netdev;\n@@ -599,7 +599,7 @@ int ice_set_cpu_rx_rmap(struct ice_vsi *vsi)\n \tint base_idx, i;\n \n \tif (!vsi || vsi->type != ICE_VSI_PF)\n-\t\treturn -EINVAL;\n+\t\treturn 0;\n \n \tpf = vsi->back;\n \tnetdev = vsi->netdev;\n@@ -636,7 +636,6 @@ void ice_remove_arfs(struct ice_pf *pf)\n \tif (!pf_vsi)\n \t\treturn;\n \n-\tice_free_cpu_rx_rmap(pf_vsi);\n \tice_clear_arfs(pf_vsi);\n }\n \n@@ -653,9 +652,5 @@ void ice_rebuild_arfs(struct ice_pf *pf)\n \t\treturn;\n \n \tice_remove_arfs(pf);\n-\tif (ice_set_cpu_rx_rmap(pf_vsi)) {\n-\t\tdev_err(ice_pf_to_dev(pf), \"Failed to rebuild aRFS\\n\");\n-\t\treturn;\n-\t}\n \tice_init_arfs(pf_vsi);\n }\ndiff --git a/drivers/net/ethernet/intel/ice/ice_lib.c b/drivers/net/ethernet/intel/ice/ice_lib.c\nindex 6d6233204388..7fe4bfd7882a 100644\n--- a/drivers/net/ethernet/intel/ice/ice_lib.c\n+++ b/drivers/net/ethernet/intel/ice/ice_lib.c\n@@ -2688,6 +2688,8 @@ void ice_vsi_free_irq(struct ice_vsi *vsi)\n \t\treturn;\n \n \tvsi->irqs_ready = false;\n+\tice_free_cpu_rx_rmap(vsi);\n+\n \tice_for_each_q_vector(vsi, i) {\n \t\tu16 vector = i + base;\n \t\tint irq_num;\n@@ -2701,7 +2703,8 @@ void ice_vsi_free_irq(struct ice_vsi *vsi)\n \t\t\tcontinue;\n \n \t\t/* clear the affinity notifier in the IRQ descriptor */\n-\t\tirq_set_affinity_notifier(irq_num, NULL);\n+\t\tif (!IS_ENABLED(CONFIG_RFS_ACCEL))\n+\t\t\tirq_set_affinity_notifier(irq_num, NULL);\n \n \t\t/* clear the affinity_mask in the IRQ descriptor */\n \t\tirq_set_affinity_hint(irq_num, NULL);\ndiff --git a/drivers/net/ethernet/intel/ice/ice_main.c b/drivers/net/ethernet/intel/ice/ice_main.c\nindex 1d2ca39add95..24d3279df231 100644\n--- a/drivers/net/ethernet/intel/ice/ice_main.c\n+++ b/drivers/net/ethernet/intel/ice/ice_main.c\n@@ -2510,6 +2510,13 @@ static int ice_vsi_req_irq_msix(struct ice_vsi *vsi, char *basename)\n \t\tirq_set_affinity_hint(irq_num, &q_vector->affinity_mask);\n \t}\n \n+\terr = ice_set_cpu_rx_rmap(vsi);\n+\tif (err) {\n+\t\tnetdev_err(vsi->netdev, \"Failed to setup CPU RMAP on VSI %u: %pe\\n\",\n+\t\t\t vsi->vsi_num, ERR_PTR(err));\n+\t\tgoto free_q_irqs;\n+\t}\n+\n \tvsi->irqs_ready = true;\n \treturn 0;\n \n@@ -3690,20 +3697,12 @@ static int ice_setup_pf_sw(struct ice_pf *pf)\n \t */\n \tice_napi_add(vsi);\n \n-\tstatus = ice_set_cpu_rx_rmap(vsi);\n-\tif (status) {\n-\t\tdev_err(dev, \"Failed to set CPU Rx map VSI %d error %d\\n\",\n-\t\t\tvsi->vsi_num, status);\n-\t\tgoto unroll_napi_add;\n-\t}\n \tstatus = ice_init_mac_fltr(pf);\n \tif (status)\n-\t\tgoto free_cpu_rx_map;\n+\t\tgoto unroll_napi_add;\n \n \treturn 0;\n \n-free_cpu_rx_map:\n-\tice_free_cpu_rx_rmap(vsi);\n unroll_napi_add:\n \tice_tc_indir_block_unregister(vsi);\n unroll_cfg_netdev:\n@@ -5165,7 +5164,6 @@ static int __maybe_unused ice_suspend(struct device *dev)\n \t\t\tcontinue;\n \t\tice_vsi_free_q_vectors(pf->vsi[v]);\n \t}\n-\tice_free_cpu_rx_rmap(ice_get_main_vsi(pf));\n \tice_clear_interrupt_scheme(pf);\n \n \tpci_save_state(pdev);\n", "prefixes": [ "v2", "net" ] }