Subject: Re: [PATCH] net: thunderx: prevent concurrent data re-writing by nicvf_set_rx_mode
From: Dean Nelson
To: David Miller, Vadim.Lomovtsev@caviumnetworks.com
Cc: rric@kernel.org, sgoutham@cavium.com, linux-arm-kernel@lists.infradead.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Vadim.Lomovtsev@cavium.com
Date: Mon, 11 Jun 2018 06:22:14 -0500
Message-ID: <036618ae-887f-44b5-2b39-451b81191cc1@redhat.com>
In-Reply-To: <20180610.123551.885190586229525170.davem@davemloft.net>
References: <20180608092759.28059-1-Vadim.Lomovtsev@caviumnetworks.com> <20180610.123551.885190586229525170.davem@davemloft.net>

On 06/10/2018 02:35 PM, David Miller wrote:
> From: Vadim Lomovtsev
> Date: Fri, 8 Jun 2018 02:27:59 -0700
>
>> + /* Save message data locally to prevent them from
>> + * being overwritten by next ndo_set_rx_mode call().
>> + */
>> + spin_lock(&nic->rx_mode_wq_lock);
>> + mode = vf_work->mode;
>> + mc = vf_work->mc;
>> + vf_work->mc = NULL;

If I'm reading this code correctly, I believe nic->rx_mode_work.mc will have been set to NULL before the lock is dropped by nicvf_set_rx_mode_task() and acquired by nicvf_set_rx_mode().

>> + spin_unlock(&nic->rx_mode_wq_lock);
>
> At the moment you drop this lock, the memory behind 'mc' can be
> freed up by:
>
>> + spin_lock(&nic->rx_mode_wq_lock);
>> + kfree(nic->rx_mode_work.mc);

So the kfree() will be called with a NULL pointer and quickly return.

>
> And you'll crash when you dereference it above via
> __nicvf_set_rx_mode_task().
>

I believe the call to kfree() in nicvf_set_rx_mode() is there to free up a mc_list that has been allocated by nicvf_set_rx_mode() during a previous callback to the function, one that has not yet been processed by nicvf_set_rx_mode_task(). In this way only the last 'unprocessed' callback to nicvf_set_rx_mode() gets processed should there be multiple callbacks occurring between the times the nicvf_set_rx_mode_task() runs.

In my testing with this patch, this is what I see happening.
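Review bot: the safety of the kfree() in the second quoted hunk rests entirely on the first hunk clearing vf_work->mc under rx_mode_wq_lock before it unlocks, but nothing in the quoted lines records that ownership of the list passes to the task at that point, nor where the task frees the local 'mc' once __nicvf_set_rx_mode_task() has consumed it. A comment at the "vf_work->mc = NULL;" line stating that the task now owns the list and must free it, and a matching comment at the kfree() noting that it only ever sees a list the task has not yet claimed, would make the invariant David asked about explicit in the code rather than only in this thread.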
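The hand-off Dean describes, as an added example that is not code from the thunderx driver or from anyone in this thread: a user-space C model in which the producer replaces any request the consumer has not yet claimed, and the consumer claims a request by copying it and clearing the shared pointer under the lock. The names (rx_mode_work, set_rx_mode, set_rx_mode_task, mc_list) are assumptions chosen to mirror the driver's, and a C11 atomic_flag stands in for the spinlock; the MAC addresses are constructed sample data.

```c
/* Added example, not from the thunderx driver: a user-space model of the
 * producer/consumer hand-off discussed in the thread. All names here are
 * assumptions chosen to mirror the driver's. */
#include <stdatomic.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct mc_list {
    char addr[18];           /* one textual MAC per list keeps the model small */
};

struct rx_mode_work {
    atomic_flag lock;        /* stands in for nic->rx_mode_wq_lock */
    struct mc_list *mc;      /* pending list; NULL once the task has claimed it */
    int mode;
};

/* Bookkeeping so a test can verify every list is freed exactly once. */
static int lists_allocated, lists_freed, lists_processed;
static char last_processed_addr[18];

static void take_lock(atomic_flag *f) { while (atomic_flag_test_and_set(f)) { } }
static void drop_lock(atomic_flag *f) { atomic_flag_clear(f); }

static struct mc_list *mc_list_new(const char *addr)
{
    struct mc_list *l = calloc(1, sizeof *l);
    if (!l)
        abort();
    snprintf(l->addr, sizeof l->addr, "%s", addr);
    lists_allocated++;
    return l;
}

static void mc_list_free(struct mc_list *l)
{
    if (!l)                  /* like kfree(NULL): a no-op */
        return;
    free(l);
    lists_freed++;
}

/* Producer (the ndo_set_rx_mode path): any list the task has not yet claimed
 * is replaced, so only the most recent unprocessed request survives. */
void set_rx_mode(struct rx_mode_work *w, int mode, const char *addr)
{
    struct mc_list *fresh = mc_list_new(addr);   /* built outside the lock */

    take_lock(&w->lock);
    mc_list_free(w->mc);     /* previous unprocessed request, or NULL */
    w->mc = fresh;
    w->mode = mode;
    drop_lock(&w->lock);
}

/* Consumer (the work-queue task): copies the request and clears the shared
 * pointer under the lock, so the producer's free above can no longer reach
 * the list the task is about to use. */
void set_rx_mode_task(struct rx_mode_work *w)
{
    struct mc_list *mc;
    int mode;

    take_lock(&w->lock);
    mode = w->mode;
    mc = w->mc;
    w->mc = NULL;            /* ownership now belongs to this task */
    drop_lock(&w->lock);

    if (!mc)
        return;              /* nothing pending since the last run */
    /* stand-in for __nicvf_set_rx_mode_task(): consume, then free the private copy */
    lists_processed++;
    snprintf(last_processed_addr, sizeof last_processed_addr, "%s", mc->addr);
    (void)mode;
    mc_list_free(mc);
}

/* Scenario: three requests arrive before the task runs, the task runs twice,
 * then one more request and run. Returns the number of lists processed. */
int demo_scenario(void)
{
    struct rx_mode_work w = { .lock = ATOMIC_FLAG_INIT, .mc = NULL, .mode = 0 };

    lists_allocated = lists_freed = lists_processed = 0;
    set_rx_mode(&w, 1, "01:00:5e:00:00:01");   /* constructed sample addresses */
    set_rx_mode(&w, 2, "01:00:5e:00:00:02");
    set_rx_mode(&w, 3, "01:00:5e:00:00:03");
    set_rx_mode_task(&w);    /* processes only the third request */
    set_rx_mode_task(&w);    /* nothing pending: returns early */
    set_rx_mode(&w, 4, "01:00:5e:00:00:04");
    set_rx_mode_task(&w);
    return lists_processed;
}

int main(void)
{
    int n = demo_scenario();
    printf("processed=%d allocated=%d freed=%d last=%s\n",
           n, lists_allocated, lists_freed, last_processed_addr);
    return 0;
}
```

The scenario reproduces the behaviour Dean reports: of three requests queued between task runs only the last is processed, the task's second run finds nothing pending, and the allocation and free counters stay equal, which is the property that David's use-after-free concern would have violated if the pointer were not cleared before the lock is dropped.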