Received: by 10.192.165.156 with SMTP id m28csp1102417imm; Wed, 11 Apr 2018 12:27:18 -0700 (PDT) X-Google-Smtp-Source: AIpwx49Janl7+BIhHxaGKwpXhlkarZrv61Va3XBeWWIINdAjtpLHVJvIq19YH7EVRAIuIWgSShng X-Received: by 2002:a17:902:4545:: with SMTP id m63-v6mr6398645pld.149.1523474838652; Wed, 11 Apr 2018 12:27:18 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1523474838; cv=none; d=google.com; s=arc-20160816; b=rhof6Js1p7+g1Bx+Eie2ezMs1pWqqKeGETeKTt0Knh22E2d6Xo3OzL4qCvAiKeqTQk d9X53J8OVUH1kSMdCyMTzubHOHUFA4yCAuRBs3xBXvCU52Oyj5NcN4f7PYWm7RBR0Z8Q Bt56GIJdPnzBePPrioH6suNVUfXtC/jwb6u+24ejVRcEwTjhwTZBhmxBQuR7oqQqQgAM 97LK/QsnaxdQGslcOHbo/5paER8+cvZuLAQxiG5WrqUoEY08L25lDlNLQVLKpJLtH4vt EGogyImpTL/H7huJPq26TwnQ3F4ZlJ59gmuq5xjCfM4Nu1tt3tr9/Q0xIHNIt6jV8fHQ 7OZQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:user-agent:references :in-reply-to:message-id:date:subject:cc:to:from :arc-authentication-results; bh=bCEfoGLl6jvDCKlBy24evDAuWtpceRiH/ldLkfL4F/s=; b=VpzfQ9b5mRv5n+z04v2SRlSF9wRUZGJnqqkOPuavvhbqR1ZNpW9m8ob2cLU60xI9Gw SYePlbuqBi6fGxCkoP2Hvjf1/VtkeT7sOKfLH+xjNJXaI3Q3afJIascljD26r2PsAQFT TRF2DwAWTclHrXbP4ItdFSyyfsJtFZCfCCDDMsX41D1V3t1sFnMGVtutEjWsQnVouJm5 J5nSk8ANJpEBAKMr+6nlIYpYMdI0RRr4LzNwqSqGKU4/kUV0eLfdfPP5S5rjhUOhcL3D /0lUIiOcj7F4NulylyoecDeuI1/oaDbWUuRPWjU2ZucGhU9jRDJZDZPVJKNW8NZUt7wo cTJw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id m18si1306848pfh.92.2018.04.11.12.26.41; Wed, 11 Apr 2018 12:27:18 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1757027AbeDKTYH (ORCPT + 99 others); Wed, 11 Apr 2018 15:24:07 -0400 Received: from mail.linuxfoundation.org ([140.211.169.12]:39064 "EHLO mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S934735AbeDKTDp (ORCPT ); Wed, 11 Apr 2018 15:03:45 -0400 Received: from localhost (LFbn-1-12247-202.w90-92.abo.wanadoo.fr [90.92.61.202]) by mail.linuxfoundation.org (Postfix) with ESMTPSA id D2AADE58; Wed, 11 Apr 2018 19:03:44 +0000 (UTC) From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Netanel Belgazal , "David S. Miller" , Sasha Levin Subject: [PATCH 4.9 242/310] net: ena: fix race condition between submit and completion admin command Date: Wed, 11 Apr 2018 20:36:21 +0200 Message-Id: <20180411183632.888271625@linuxfoundation.org> X-Mailer: git-send-email 2.17.0 In-Reply-To: <20180411183622.305902791@linuxfoundation.org> References: <20180411183622.305902791@linuxfoundation.org> User-Agent: quilt/0.65 X-stable: review MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 4.9-stable review patch. If anyone has any objections, please let me know. ------------------ From: Netanel Belgazal [ Upstream commit 661d2b0ccef6a63f48b61105cf7be17403d1db01 ] Bug: "Completion context is occupied" error printout will be noticed in dmesg. This error will cause the admin command to fail, which will lead to an ena_probe() failure or a watchdog reset (depends on which admin command failed). Root cause: __ena_com_submit_admin_cmd() is the function that submits new entries to the admin queue. The function have a check that makes sure the queue is not full and the function does not override any outstanding command. It uses head and tail indexes for this check. The head is increased by ena_com_handle_admin_completion() which runs from interrupt context, and the tail index is increased by the submit function (the function is running under ->q_lock, so there is no risk of multithread increment). Each command is associated with a completion context. This context allocated before call to __ena_com_submit_admin_cmd() and freed by ena_com_wait_and_process_admin_cq_interrupts(), right after the command was completed. This can lead to a state where the head was increased, the check passed, but the completion context is still in use. Solution: Use the atomic variable ->outstanding_cmds instead of using the head and the tail indexes. This variable is safe for use since it is bumped in get_comp_ctx() in __ena_com_submit_admin_cmd() and is freed by comp_ctxt_release() Fixes: 1738cd3ed342 ("Add a driver for Amazon Elastic Network Adapters (ENA)") Signed-off-by: Netanel Belgazal Signed-off-by: David S. Miller Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman --- drivers/net/ethernet/amazon/ena/ena_com.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) --- a/drivers/net/ethernet/amazon/ena/ena_com.c +++ b/drivers/net/ethernet/amazon/ena/ena_com.c @@ -232,11 +232,9 @@ static struct ena_comp_ctx *__ena_com_su tail_masked = admin_queue->sq.tail & queue_size_mask; /* In case of queue FULL */ - cnt = admin_queue->sq.tail - admin_queue->sq.head; + cnt = atomic_read(&admin_queue->outstanding_cmds); if (cnt >= admin_queue->q_depth) { - pr_debug("admin queue is FULL (tail %d head %d depth: %d)\n", - admin_queue->sq.tail, admin_queue->sq.head, - admin_queue->q_depth); + pr_debug("admin queue is full.\n"); admin_queue->stats.out_of_space++; return ERR_PTR(-ENOSPC); }