1 From foo@baz Fri Mar 15 21:00:09 PDT 2019
2 From: Jack Morgenstein <jackm@dev.mellanox.co.il>
3 Date: Tue, 12 Mar 2019 17:05:47 +0200
4 Subject: net/mlx4_core: Fix reset flow when in command polling mode
6 From: Jack Morgenstein <jackm@dev.mellanox.co.il>
8 [ Upstream commit e15ce4b8d11227007577e6dc1364d288b8874fbe ]
10 As part of unloading a device, the driver switches from
11 FW command event mode to FW command polling mode.
13 Part of switching over to polling mode is freeing the command context array
14 memory (unfortunately, currently, without NULLing the command context array
17 The reset flow calls "complete" to complete all outstanding fw commands
18 (if we are in event mode). The check for event vs. polling mode here
19 is to test if the command context array pointer is NULL.
21 If the reset flow is activated after the switch to polling mode, it will
22 attempt (incorrectly) to complete all the commands in the context array --
23 because the pointer was not NULLed when the driver switched over to polling
26 As a result, we have a use-after-free situation, which results in a
30 BUG: unable to handle kernel NULL pointer dereference at (null)
31 IP: [<ffffffff876c4a8e>] __wake_up_common+0x2e/0x90
34 Modules linked in: netconsole nfsv3 nfs_acl nfs lockd grace ...
35 CPU: 2 PID: 940 Comm: kworker/2:3 Kdump: loaded Not tainted 3.10.0-862.el7.x86_64 #1
36 Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS 090006 04/28/2016
37 Workqueue: events hv_eject_device_work [pci_hyperv]
38 task: ffff8d1734ca0fd0 ti: ffff8d17354bc000 task.ti: ffff8d17354bc000
39 RIP: 0010:[<ffffffff876c4a8e>] [<ffffffff876c4a8e>] __wake_up_common+0x2e/0x90
40 RSP: 0018:ffff8d17354bfa38 EFLAGS: 00010082
41 RAX: 0000000000000000 RBX: ffff8d17362d42c8 RCX: 0000000000000000
42 RDX: 0000000000000001 RSI: 0000000000000003 RDI: ffff8d17362d42c8
43 RBP: ffff8d17354bfa70 R08: 0000000000000000 R09: 0000000000000000
44 R10: 0000000000000298 R11: ffff8d173610e000 R12: ffff8d17362d42d0
45 R13: 0000000000000246 R14: 0000000000000000 R15: 0000000000000003
46 FS: 0000000000000000(0000) GS:ffff8d1802680000(0000) knlGS:0000000000000000
47 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
48 CR2: 0000000000000000 CR3: 00000000f16d8000 CR4: 00000000001406e0
50 [<ffffffff876c7adc>] complete+0x3c/0x50
51 [<ffffffffc04242f0>] mlx4_cmd_wake_completions+0x70/0x90 [mlx4_core]
52 [<ffffffffc041e7b1>] mlx4_enter_error_state+0xe1/0x380 [mlx4_core]
53 [<ffffffffc041fa4b>] mlx4_comm_cmd+0x29b/0x360 [mlx4_core]
54 [<ffffffffc041ff51>] __mlx4_cmd+0x441/0x920 [mlx4_core]
55 [<ffffffff877f62b1>] ? __slab_free+0x81/0x2f0
56 [<ffffffff87951384>] ? __radix_tree_lookup+0x84/0xf0
57 [<ffffffffc043a8eb>] mlx4_free_mtt_range+0x5b/0xb0 [mlx4_core]
58 [<ffffffffc043a957>] mlx4_mtt_cleanup+0x17/0x20 [mlx4_core]
59 [<ffffffffc04272c7>] mlx4_free_eq+0xa7/0x1c0 [mlx4_core]
60 [<ffffffffc042803e>] mlx4_cleanup_eq_table+0xde/0x130 [mlx4_core]
61 [<ffffffffc0433e08>] mlx4_unload_one+0x118/0x300 [mlx4_core]
62 [<ffffffffc0434191>] mlx4_remove_one+0x91/0x1f0 [mlx4_core]
64 The fix is to set the command context array pointer to NULL after freeing
67 Fixes: f5aef5aa3506 ("net/mlx4_core: Activate reset flow upon fatal command cases")
68 Signed-off-by: Jack Morgenstein <jackm@dev.mellanox.co.il>
69 Signed-off-by: Tariq Toukan <tariqt@mellanox.com>
70 Signed-off-by: David S. Miller <davem@davemloft.net>
71 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
73 drivers/net/ethernet/mellanox/mlx4/cmd.c | 1 +
74 1 file changed, 1 insertion(+)
76 --- a/drivers/net/ethernet/mellanox/mlx4/cmd.c
77 +++ b/drivers/net/ethernet/mellanox/mlx4/cmd.c
78 @@ -2677,6 +2677,7 @@ void mlx4_cmd_use_polling(struct mlx4_de
79 down(&priv->cmd.event_sem);
81 kfree(priv->cmd.context);
82 + priv->cmd.context = NULL;
84 up(&priv->cmd.poll_sem);
85 up_write(&priv->cmd.switch_sem);
projects / thirdparty / kernel / stable-queue.git / blob