1 From ed791d697e66a7fc4fa8a754d2d762c3be0faf23 Mon Sep 17 00:00:00 2001
2 From: Sasha Levin <sashal@kernel.org>
3 Date: Thu, 18 Jun 2020 12:47:06 +0200
4 Subject: can: rx-offload: don't call kfree_skb() from IRQ context
6 From: Marc Kleine-Budde <mkl@pengutronix.de>
8 [ Upstream commit 2ddd6bfe7bdbb6c661835c3ff9cab8e0769940a6 ]
10 A CAN driver, using the rx-offload infrastructure, is reading CAN frames
11 (usually in IRQ context) from the hardware and placing it into the rx-offload
12 queue to be delivered to the networking stack via NAPI.
14 In case the rx-offload queue is full, trying to add more skbs results in the
15 skbs being dropped using kfree_skb(). If done from hard-IRQ context this
16 results in the following warning:
18 [ 682.552693] ------------[ cut here ]------------
19 [ 682.557360] WARNING: CPU: 0 PID: 3057 at net/core/skbuff.c:650 skb_release_head_state+0x74/0x84
20 [ 682.566075] Modules linked in: can_raw can coda_vpu flexcan dw_hdmi_ahb_audio v4l2_jpeg imx_vdoa can_dev
21 [ 682.575597] CPU: 0 PID: 3057 Comm: cansend Tainted: G W 5.7.0+ #18
22 [ 682.583098] Hardware name: Freescale i.MX6 Quad/DualLite (Device Tree)
23 [ 682.589657] [<c0112628>] (unwind_backtrace) from [<c010c1c4>] (show_stack+0x10/0x14)
24 [ 682.597423] [<c010c1c4>] (show_stack) from [<c06c481c>] (dump_stack+0xe0/0x114)
25 [ 682.604759] [<c06c481c>] (dump_stack) from [<c0128f10>] (__warn+0xc0/0x10c)
26 [ 682.611742] [<c0128f10>] (__warn) from [<c0129314>] (warn_slowpath_fmt+0x5c/0xc0)
27 [ 682.619248] [<c0129314>] (warn_slowpath_fmt) from [<c0b95dec>] (skb_release_head_state+0x74/0x84)
28 [ 682.628143] [<c0b95dec>] (skb_release_head_state) from [<c0b95e08>] (skb_release_all+0xc/0x24)
29 [ 682.636774] [<c0b95e08>] (skb_release_all) from [<c0b95eac>] (kfree_skb+0x74/0x1c8)
30 [ 682.644479] [<c0b95eac>] (kfree_skb) from [<bf001d1c>] (can_rx_offload_queue_sorted+0xe0/0xe8 [can_dev])
31 [ 682.654051] [<bf001d1c>] (can_rx_offload_queue_sorted [can_dev]) from [<bf001d6c>] (can_rx_offload_get_echo_skb+0x48/0x94 [can_dev])
32 [ 682.666007] [<bf001d6c>] (can_rx_offload_get_echo_skb [can_dev]) from [<bf01efe4>] (flexcan_irq+0x194/0x5dc [flexcan])
33 [ 682.676734] [<bf01efe4>] (flexcan_irq [flexcan]) from [<c019c1ec>] (__handle_irq_event_percpu+0x4c/0x3ec)
34 [ 682.686322] [<c019c1ec>] (__handle_irq_event_percpu) from [<c019c5b8>] (handle_irq_event_percpu+0x2c/0x88)
35 [ 682.695993] [<c019c5b8>] (handle_irq_event_percpu) from [<c019c64c>] (handle_irq_event+0x38/0x5c)
36 [ 682.704887] [<c019c64c>] (handle_irq_event) from [<c01a1058>] (handle_fasteoi_irq+0xc8/0x180)
37 [ 682.713432] [<c01a1058>] (handle_fasteoi_irq) from [<c019b2c0>] (generic_handle_irq+0x30/0x44)
38 [ 682.722063] [<c019b2c0>] (generic_handle_irq) from [<c019b8f8>] (__handle_domain_irq+0x64/0xdc)
39 [ 682.730783] [<c019b8f8>] (__handle_domain_irq) from [<c06df4a4>] (gic_handle_irq+0x48/0x9c)
40 [ 682.739158] [<c06df4a4>] (gic_handle_irq) from [<c0100b30>] (__irq_svc+0x70/0x98)
41 [ 682.746656] Exception stack(0xe80e9dd8 to 0xe80e9e20)
42 [ 682.751725] 9dc0: 00000001 e80e8000
43 [ 682.759922] 9de0: e820cf80 00000000 ffffe000 00000000 eaf08fe4 00000000 600d0013 00000000
44 [ 682.768117] 9e00: c1732e3c c16093a8 e820d4c0 e80e9e28 c018a57c c018b870 600d0013 ffffffff
45 [ 682.776315] [<c0100b30>] (__irq_svc) from [<c018b870>] (lock_acquire+0x108/0x4e8)
46 [ 682.783821] [<c018b870>] (lock_acquire) from [<c0e938e4>] (down_write+0x48/0xa8)
47 [ 682.791242] [<c0e938e4>] (down_write) from [<c02818dc>] (unlink_file_vma+0x24/0x40)
48 [ 682.798922] [<c02818dc>] (unlink_file_vma) from [<c027a258>] (free_pgtables+0x34/0xb8)
49 [ 682.806858] [<c027a258>] (free_pgtables) from [<c02835a4>] (exit_mmap+0xe4/0x170)
50 [ 682.814361] [<c02835a4>] (exit_mmap) from [<c01248e0>] (mmput+0x5c/0x110)
51 [ 682.821171] [<c01248e0>] (mmput) from [<c012e910>] (do_exit+0x374/0xbe4)
52 [ 682.827892] [<c012e910>] (do_exit) from [<c0130888>] (do_group_exit+0x38/0xb4)
53 [ 682.835132] [<c0130888>] (do_group_exit) from [<c0130914>] (__wake_up_parent+0x0/0x14)
54 [ 682.843063] irq event stamp: 1936
55 [ 682.846399] hardirqs last enabled at (1935): [<c02938b0>] rmqueue+0xf4/0xc64
56 [ 682.853553] hardirqs last disabled at (1936): [<c0100b20>] __irq_svc+0x60/0x98
57 [ 682.860799] softirqs last enabled at (1878): [<bf04cdcc>] raw_release+0x108/0x1f0 [can_raw]
58 [ 682.869256] softirqs last disabled at (1876): [<c0b8f478>] release_sock+0x18/0x98
59 [ 682.876753] ---[ end trace 7bca4751ce44c444 ]---
61 This patch fixes the problem by replacing the kfree_skb() by
62 dev_kfree_skb_any(), as rx-offload might be called from threaded IRQ handlers
65 Fixes: ca913f1ac024 ("can: rx-offload: can_rx_offload_queue_sorted(): fix error handling, avoid skb mem leak")
66 Fixes: 6caf8a6d6586 ("can: rx-offload: can_rx_offload_queue_tail(): fix error handling, avoid skb mem leak")
67 Link: http://lore.kernel.org/r/20201019190524.1285319-3-mkl@pengutronix.de
68 Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
69 Signed-off-by: Sasha Levin <sashal@kernel.org>
71 drivers/net/can/rx-offload.c | 4 ++--
72 1 file changed, 2 insertions(+), 2 deletions(-)
74 diff --git a/drivers/net/can/rx-offload.c b/drivers/net/can/rx-offload.c
75 index 5f7e97d54733c..5cf4171df1f42 100644
76 --- a/drivers/net/can/rx-offload.c
77 +++ b/drivers/net/can/rx-offload.c
78 @@ -281,7 +281,7 @@ int can_rx_offload_queue_sorted(struct can_rx_offload *offload,
80 if (skb_queue_len(&offload->skb_queue) >
81 offload->skb_queue_len_max) {
83 + dev_kfree_skb_any(skb);
87 @@ -326,7 +326,7 @@ int can_rx_offload_queue_tail(struct can_rx_offload *offload,
89 if (skb_queue_len(&offload->skb_queue) >
90 offload->skb_queue_len_max) {
92 + dev_kfree_skb_any(skb);
projects / thirdparty / kernel / stable-queue.git / blob