Received: by 10.213.65.68 with SMTP id h4csp547704imn; Tue, 13 Mar 2018 12:36:45 -0700 (PDT) X-Google-Smtp-Source: AG47ELv0s/4PqJqI+91bMtZQyxGc9/nf3TVqu/UiYTSBiv+kbAtGOQELZQDNZCLrj3892UrGI/O1 X-Received: by 2002:a17:902:8d8b:: with SMTP id v11-v6mr1610336plo.33.1520969805554; Tue, 13 Mar 2018 12:36:45 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1520969805; cv=none; d=google.com; s=arc-20160816; b=klnR+v78h3zxbpifd3Bz4X6DGlsMDFtIhCnX4fq1UZv8oQ7VJRbqLSYzJog/oXv4mr kjnrE9xGa+W/J9erfYhf4FTh2JwtpZ58MEt2LiObsDygeYfxYukHVlw3uHa6GtFmRT9o qWMUbwodh/1p2zrOw+H6zz0RKOY/VmSA5pwnd7ZumuCK4Bfa/lmfGyE/w4v9eZD5AyCX Au+2hVLn0MuAuYYwVl6BS+XnmrsvYd2G+O2JBy0DcLvOR4ZhTB+SwnJTOFJcFnUOw6qG vvdvI59oFUjrocYq68PCmLukuKvAXsp+A7rAu0WznRfGYuoz08M8239Jw6fEQV1Is1cV rgvg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :references:in-reply-to:message-id:subject:cc:to:from:date :dkim-signature:arc-authentication-results; bh=JOHRHxdXcXw1qaYfvDvc8pnH7B0ExYHHx1WD6pwt14I=; b=g7rveUgapWxraHmKGTyc+nVI/B2plEPX1adz7Foqb73E+/ATG2c0If8Bhpt6P01T2X 0M36VXDHMqjVLoAHXk97kK5WFjl+ibZWCYTOM2MyRCFCLTj7RD7+U+eZYFTJEVOMTwt8 x6qUVmO/ZdIIGahh+raG4TmY4GHv1wlLRTxJ27py/BORQNY/JFlbk8otmZWVg5eNoZm2 V8A1GtG1sXc84DvXTiwnxKt2H8+tgCSiORNXr0IGK8Q3e6UdNoH6CAn9EwejFwA56JwG cvZRJV9Ykvr/rU0upmKuLq75HDmxeQSI/9WHGY80EuYT8yOKKkJN5BUki/fuRWKGQRXa Ru4g== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@networkplumber-org.20150623.gappssmtp.com header.s=20150623 header.b=r8u+VZOe; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id e7si548180pgc.571.2018.03.13.12.36.31; Tue, 13 Mar 2018 12:36:45 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@networkplumber-org.20150623.gappssmtp.com header.s=20150623 header.b=r8u+VZOe; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752906AbeCMTfb (ORCPT + 99 others); Tue, 13 Mar 2018 15:35:31 -0400 Received: from mail-pf0-f195.google.com ([209.85.192.195]:39084 "EHLO mail-pf0-f195.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752238AbeCMTf3 (ORCPT ); Tue, 13 Mar 2018 15:35:29 -0400 Received: by mail-pf0-f195.google.com with SMTP id u5so323914pfh.6 for ; Tue, 13 Mar 2018 12:35:29 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=networkplumber-org.20150623.gappssmtp.com; s=20150623; h=date:from:to:cc:subject:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=JOHRHxdXcXw1qaYfvDvc8pnH7B0ExYHHx1WD6pwt14I=; b=r8u+VZOeL1zgqOTYv55dvS2ONsR9cedAbPMo9RogKg9DILXIKMkiPaH+9gm3Vd+lXC /qT9abGrk0scGdyMGQQ5g88lH8M8swE66bE40RdvFImm/vup6HfDrc2rB+J8wmtMip4z BEOxvTVKPPcidgUcjU4jWO1Jb9I5LCb9cs98k2EoNdY9nty1ksATB8m7qD0SJRseWD4K CvvunNkBtAkBSoE/y//Bq7Z7tSISk+qTKqANT7sTw3u5MHbKLSmWyOE8NzOrXAqZQJoH w6qPJQPwbLtRgK7AaTp29T1wUarpXh3lQZ1aKkHp3oPDmiKmg+EQMld+38UTAGRf4P3s FuVg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=JOHRHxdXcXw1qaYfvDvc8pnH7B0ExYHHx1WD6pwt14I=; b=GpRmYTTXupas586SGsXiX+0TVFeRxvunX73LpCQwYOqgSWZ0wlCz0fVh1fOXh1l93x /rJs8xZlpQEFYwuvEupaBdvji67Xn1+Js0K5cSkQE1K8CKV1FRep09rBy4icZTYpqC0/ yso86asQGB8NkDXVhTkqFlEoR5oXjvwzsvc53qG7Hu34CrKNIUdGNlPDrsduqpyLaUxp tk/Se/0WuPRYhfuV7VaXoQbawRanyHSzKNtsCdPdj9cGjkd/CPl8lfeHizoTAT5qfKv9 cIP7CzsiKMKd4FWUe2BLebfKQm3FFsI/rT4c7ZXc14kBEjWIC89MAORT7DGDW/d/gurH 4crQ== X-Gm-Message-State: AElRT7EhMjRGP8+LCMYts1aE6mgvoOQ+vMdDD/MhPxpSRX3Ezju1bXvH QTCGA3eP0pf1g+l7CoiTSAIW3A== X-Received: by 10.98.232.6 with SMTP id c6mr1676401pfi.242.1520969728929; Tue, 13 Mar 2018 12:35:28 -0700 (PDT) Received: from xeon-e3 (204-195-71-95.wavecable.com. [204.195.71.95]) by smtp.gmail.com with ESMTPSA id a17sm2034446pfc.122.2018.03.13.12.35.28 (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Tue, 13 Mar 2018 12:35:28 -0700 (PDT) Date: Tue, 13 Mar 2018 12:35:21 -0700 From: Stephen Hemminger To: Mohammed Gamal Cc: netdev@vger.kernel.org, sthemmin@microsoft.com, otubo@redhat.com, linux-kernel@vger.kernel.org, devel@linuxdriverproject.org, vkuznets@redhat.com, davem@davemloft.net Subject: Re: [PATCH] hv_netvsc: Make sure out channel is fully opened on send Message-ID: <20180313123521.5b486da1@xeon-e3> In-Reply-To: <1520968010-20733-1-git-send-email-mgamal@redhat.com> References: <1520968010-20733-1-git-send-email-mgamal@redhat.com> MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, 13 Mar 2018 20:06:50 +0100 Mohammed Gamal wrote: > Dring high network traffic changes to network interface parameters > such as number of channels or MTU can cause a kernel panic with a NULL > pointer dereference. This is due to netvsc_device_remove() being > called and deallocating the channel ring buffers, which can then be > accessed by netvsc_send_pkt() before they're allocated on calling > netvsc_device_add() > > The patch fixes this problem by checking the channel state and returning > ENODEV if not yet opened. We also move the call to hv_ringbuf_avail_percent() > which may access the uninitialized ring buffer. > > Signed-off-by: Mohammed Gamal > --- > drivers/net/hyperv/netvsc.c | 5 +++-- > 1 file changed, 3 insertions(+), 2 deletions(-) > > diff --git a/drivers/net/hyperv/netvsc.c b/drivers/net/hyperv/netvsc.c > index 0265d70..44a8358 100644 > --- a/drivers/net/hyperv/netvsc.c > +++ b/drivers/net/hyperv/netvsc.c > @@ -757,7 +757,7 @@ static inline int netvsc_send_pkt( > struct netdev_queue *txq = netdev_get_tx_queue(ndev, packet->q_idx); > u64 req_id; > int ret; > - u32 ring_avail = hv_ringbuf_avail_percent(&out_channel->outbound); > + u32 ring_avail; > > nvmsg.hdr.msg_type = NVSP_MSG1_TYPE_SEND_RNDIS_PKT; > if (skb) > @@ -773,7 +773,7 @@ static inline int netvsc_send_pkt( > > req_id = (ulong)skb; > > - if (out_channel->rescind) > + if (out_channel->rescind || out_channel->state != CHANNEL_OPENED_STATE) > return -ENODEV; > > if (packet->page_buf_cnt) { > @@ -791,6 +791,7 @@ static inline int netvsc_send_pkt( > VMBUS_DATA_PACKET_FLAG_COMPLETION_REQUESTED); > } > > + ring_avail = hv_ringbuf_avail_percent(&out_channel->outbound); > if (ret == 0) { > atomic_inc_return(&nvchan->queue_sends); > Thanks for your patch. Yes there are races with the current update logic. The root cause goes higher up in the flow; the send queues should be stopped before netvsc_device_remove is called. Solving it where you tried to is racy and not going to work reliably. Network patches should go to netdev@vger.kernel.org You can't move the ring_avail check until after the vmbus_sendpacket because that will break the flow control logic. Instead, you should just move the avail_read check until just after the existing rescind check. Also, you shouldn't need to check for OPENED_STATE, just rescind is enough.