From patchwork Wed Sep  6 12:25:59 2023
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Tim Gardner <tim.gardner@canonical.com>
X-Patchwork-Id: 1830388
Return-Path: <kernel-team-bounces@lists.ubuntu.com>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@legolas.ozlabs.org
Authentication-Results: legolas.ozlabs.org;
	dkim=fail reason="signature verification failed" (2048-bit key;
 unprotected) header.d=canonical.com header.i=@canonical.com
 header.a=rsa-sha256 header.s=20210705 header.b=I7FIX21K;
	dkim-atps=neutral
Authentication-Results: legolas.ozlabs.org;
 spf=pass (sender SPF authorized) smtp.mailfrom=lists.ubuntu.com
 (client-ip=185.125.189.65; helo=lists.ubuntu.com;
 envelope-from=kernel-team-bounces@lists.ubuntu.com;
 receiver=patchwork.ozlabs.org)
Received: from lists.ubuntu.com (lists.ubuntu.com [185.125.189.65])
	(using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by legolas.ozlabs.org (Postfix) with ESMTPS id 4RghSJ2xllz1yhc
	for <incoming@patchwork.ozlabs.org>; Wed,  6 Sep 2023 22:26:23 +1000 (AEST)
Received: from localhost ([127.0.0.1] helo=lists.ubuntu.com)
	by lists.ubuntu.com with esmtp (Exim 4.86_2)
	(envelope-from <kernel-team-bounces@lists.ubuntu.com>)
	id 1qdrbo-0007Wz-2Y; Wed, 06 Sep 2023 12:26:12 +0000
Received: from smtp-relay-internal-1.internal ([10.131.114.114]
 helo=smtp-relay-internal-1.canonical.com)
 by lists.ubuntu.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)
 (Exim 4.86_2) (envelope-from <tim.gardner@canonical.com>)
 id 1qdrbh-0007VL-S8
 for kernel-team@lists.ubuntu.com; Wed, 06 Sep 2023 12:26:06 +0000
Received: from mail-io1-f70.google.com (mail-io1-f70.google.com
 [209.85.166.70])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest
 SHA256)
 (No client certificate requested)
 by smtp-relay-internal-1.canonical.com (Postfix) with ESMTPS id A31F03F637
 for <kernel-team@lists.ubuntu.com>; Wed,  6 Sep 2023 12:26:05 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=canonical.com;
 s=20210705; t=1694003165;
 bh=+a54DpuJNYdNJG1s7DGgeXKVBY1Mdbk+z3+aVKY98XI=;
 h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References:
 MIME-Version;
 b=I7FIX21KHezipM+XO6ERvsy1v59dM5STbi8tVoMS9ZKGoy06jmMjiqjCr5dj7ga6k
 OKpaXUXYPS94rYl4y0cO1uyq5oWDZpHyW+TuI0Qnc2Fk8TWGB5lTu0/pb4x0/RN+pv
 V1m0BgH2WaaO4KoklsZWDOHd3J5Sbvvb2rFpX9JyboziBSPoDuik/s4h2upgNztNI6
 We6XI2iqfQR9iV6uEmT0uVCSU51NfEd8GzVprxut3thaTOQsU6XvmW/de/eX4GMiye
 M8nHNm7ACuPoF5ou5uWdXyYy3/f2Wh/uj1ByESBa0DAtyf5R8j/XO8jIF90e6ENvtm
 S+06AS7T64HPw==
Received: by mail-io1-f70.google.com with SMTP id
 ca18e2360f4ac-780addd7382so248840239f.1
 for <kernel-team@lists.ubuntu.com>; Wed, 06 Sep 2023 05:26:05 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20221208; t=1694003164; x=1694607964;
 h=content-transfer-encoding:mime-version:references:in-reply-to
 :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc
 :subject:date:message-id:reply-to;
 bh=+a54DpuJNYdNJG1s7DGgeXKVBY1Mdbk+z3+aVKY98XI=;
 b=KXGS2Iy70A6jyZFMojwxezExVu6JyFhY/vG0ZN9DyxGaflVutcpQYK5nZ4K/G1IqWw
 2I1Y64RwNkubh/rkaqzk6yuNMHnMD5++6A+BzI4vU9v8NiXA2fMCG0zWIzmeHqPSHP6C
 iJvM5hfamdqZMRXR0CVujOHLJh3jxFNP/bg3KY98JdK9UAZqD3rQwxMTqlcbe0APmfnN
 tQDJh+bT5bSOuxubVl1bE9b7ikCONCcgDNToZnTfrhrtKKA90qGRmZobBE4uEXHBYSjT
 PODRxWGeRq9nDvnxzjeJhwy7CSUPUTxscTHVVvk3FpT08iw7bmKBq0oyV0Iux1ZNESvV
 +BLg==
X-Gm-Message-State: AOJu0YzBWgcoGEFEJAqJrnz/sohmRZ7h79L3K7SWAPnKeL93PAAlFssn
 tZlfDw5PRB6Yy9n5RUPyjbLoyo2jYruFGi6bM96q5BbsYQ7lzn0IaVCqhxd55DKsEuDY32zkBr6
 wvidPpnGNR6cJkodQ4umVBhegj3j2OBvD1kzOSLow9Iv8goDgYQ==
X-Received: by 2002:a5e:8818:0:b0:795:1c40:a24e with SMTP id
 l24-20020a5e8818000000b007951c40a24emr17685570ioj.12.1694003164130;
 Wed, 06 Sep 2023 05:26:04 -0700 (PDT)
X-Google-Smtp-Source: 
 AGHT+IFwUTe4oFz6JwqtZ2YpVViCnGwzQ8XzhkpUQRT73MVDKjQhgStomBu1lPgZXOMh19/C0SkV6A==
X-Received: by 2002:a5e:8818:0:b0:795:1c40:a24e with SMTP id
 l24-20020a5e8818000000b007951c40a24emr17685560ioj.12.1694003163931;
 Wed, 06 Sep 2023 05:26:03 -0700 (PDT)
Received: from smtp.gmail.com (174-045-099-030.res.spectrum.com.
 [174.45.99.30]) by smtp.gmail.com with ESMTPSA id
 n4-20020a02a904000000b00430cf006d9bsm4621119jam.30.2023.09.06.05.26.03
 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
 Wed, 06 Sep 2023 05:26:03 -0700 (PDT)
From: Tim Gardner <tim.gardner@canonical.com>
To: kernel-team@lists.ubuntu.com
Subject: [PATCH] net: mana: Fix accessing freed irq affinity_hint
Date: Wed,  6 Sep 2023 06:25:59 -0600
Message-Id: <20230906122559.8246-2-tim.gardner@canonical.com>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20230906122559.8246-1-tim.gardner@canonical.com>
References: <20230906122559.8246-1-tim.gardner@canonical.com>
MIME-Version: 1.0
X-BeenThere: kernel-team@lists.ubuntu.com
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: Kernel team discussions <kernel-team.lists.ubuntu.com>
List-Unsubscribe: <https://lists.ubuntu.com/mailman/options/kernel-team>,
 <mailto:kernel-team-request@lists.ubuntu.com?subject=unsubscribe>
List-Archive: <https://lists.ubuntu.com/archives/kernel-team>
List-Post: <mailto:kernel-team@lists.ubuntu.com>
List-Help: <mailto:kernel-team-request@lists.ubuntu.com?subject=help>
List-Subscribe: <https://lists.ubuntu.com/mailman/listinfo/kernel-team>,
 <mailto:kernel-team-request@lists.ubuntu.com?subject=subscribe>
Errors-To: kernel-team-bounces@lists.ubuntu.com
Sender: "kernel-team" <kernel-team-bounces@lists.ubuntu.com>

From: Haiyang Zhang <haiyangz@microsoft.com>

BugLink: https://bugs.launchpad.net/bugs/2007417

After calling irq_set_affinity_and_hint(), the cpumask pointer is
saved in desc->affinity_hint, and will be used later when reading
/proc/irq/<num>/affinity_hint. So the cpumask variable needs to be
persistent. Otherwise, we are accessing freed memory when reading
the affinity_hint file.

Also, need to clear affinity_hint before free_irq(), otherwise there
is a one-time warning and stack trace during module unloading:

 [  243.948687] WARNING: CPU: 10 PID: 1589 at kernel/irq/manage.c:1913 free_irq+0x318/0x360
 ...
 [  243.948753] Call Trace:
 [  243.948754]  <TASK>
 [  243.948760]  mana_gd_remove_irqs+0x78/0xc0 [mana]
 [  243.948767]  mana_gd_remove+0x3e/0x80 [mana]
 [  243.948773]  pci_device_remove+0x3d/0xb0
 [  243.948778]  device_remove+0x46/0x70
 [  243.948782]  device_release_driver_internal+0x1fe/0x280
 [  243.948785]  driver_detach+0x4e/0xa0
 [  243.948787]  bus_remove_driver+0x70/0xf0
 [  243.948789]  driver_unregister+0x35/0x60
 [  243.948792]  pci_unregister_driver+0x44/0x90
 [  243.948794]  mana_driver_exit+0x14/0x3fe [mana]
 [  243.948800]  __do_sys_delete_module.constprop.0+0x185/0x2f0

To fix the bug, use the persistent mask, cpumask_of(cpu#), and set
affinity_hint to NULL before freeing the IRQ, as required by free_irq().

Cc: stable@vger.kernel.org
Fixes: 71fa6887eeca ("net: mana: Assign interrupts to CPUs based on NUMA nodes")
Signed-off-by: Haiyang Zhang <haiyangz@microsoft.com>
Reviewed-by: Michael Kelley <mikelley@microsoft.com>
Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
Link: https://lore.kernel.org/r/1675718929-19565-1-git-send-email-haiyangz@microsoft.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
(cherry picked from commit 18a048370b06a3a521219e9e5b10bdc2178ef19c)
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
---
 .../net/ethernet/microsoft/mana/gdma_main.c   | 37 ++++++-------------
 1 file changed, 11 insertions(+), 26 deletions(-)

diff --git a/drivers/net/ethernet/microsoft/mana/gdma_main.c b/drivers/net/ethernet/microsoft/mana/gdma_main.c
index b144f2237748..f9b8f372ec8a 100644
--- a/drivers/net/ethernet/microsoft/mana/gdma_main.c
+++ b/drivers/net/ethernet/microsoft/mana/gdma_main.c
@@ -1217,9 +1217,7 @@ static int mana_gd_setup_irqs(struct pci_dev *pdev)
 	unsigned int max_queues_per_port = num_online_cpus();
 	struct gdma_context *gc = pci_get_drvdata(pdev);
 	struct gdma_irq_context *gic;
-	unsigned int max_irqs;
-	u16 *cpus;
-	cpumask_var_t req_mask;
+	unsigned int max_irqs, cpu;
 	int nvec, irq;
 	int err, i = 0, j;
 
@@ -1240,21 +1238,7 @@ static int mana_gd_setup_irqs(struct pci_dev *pdev)
 		goto free_irq_vector;
 	}
 
-	if (!zalloc_cpumask_var(&req_mask, GFP_KERNEL)) {
-		err = -ENOMEM;
-		goto free_irq;
-	}
-
-	cpus = kcalloc(nvec, sizeof(*cpus), GFP_KERNEL);
-	if (!cpus) {
-		err = -ENOMEM;
-		goto free_mask;
-	}
-	for (i = 0; i < nvec; i++)
-		cpus[i] = cpumask_local_spread(i, gc->numa_node);
-
 	for (i = 0; i < nvec; i++) {
-		cpumask_set_cpu(cpus[i], req_mask);
 		gic = &gc->irq_contexts[i];
 		gic->handler = NULL;
 		gic->arg = NULL;
@@ -1269,17 +1253,16 @@ static int mana_gd_setup_irqs(struct pci_dev *pdev)
 		irq = pci_irq_vector(pdev, i);
 		if (irq < 0) {
 			err = irq;
-			goto free_mask;
+			goto free_irq;
 		}
 
 		err = request_irq(irq, mana_gd_intr, 0, gic->name, gic);
 		if (err)
-			goto free_mask;
-		irq_set_affinity_and_hint(irq, req_mask);
-		cpumask_clear(req_mask);
+			goto free_irq;
+
+		cpu = cpumask_local_spread(i, gc->numa_node);
+		irq_set_affinity_and_hint(irq, cpumask_of(cpu));
 	}
-	free_cpumask_var(req_mask);
-	kfree(cpus);
 
 	err = mana_gd_alloc_res_map(nvec, &gc->msix_resource);
 	if (err)
@@ -1290,13 +1273,12 @@ static int mana_gd_setup_irqs(struct pci_dev *pdev)
 
 	return 0;
 
-free_mask:
-	free_cpumask_var(req_mask);
-	kfree(cpus);
 free_irq:
 	for (j = i - 1; j >= 0; j--) {
 		irq = pci_irq_vector(pdev, j);
 		gic = &gc->irq_contexts[j];
+
+		irq_update_affinity_hint(irq, NULL);
 		free_irq(irq, gic);
 	}
 
@@ -1324,6 +1306,9 @@ static void mana_gd_remove_irqs(struct pci_dev *pdev)
 			continue;
 
 		gic = &gc->irq_contexts[i];
+
+		/* Need to clear the hint before free_irq */
+		irq_update_affinity_hint(irq, NULL);
 		free_irq(irq, gic);
 	}