Date: Tue, 12 Jun 2018 15:25:40 -0700 (PDT)
Message-Id: <20180612.152540.1304714747425091865.davem@davemloft.net>
To: dnelson@redhat.com
Cc: Vadim.Lomovtsev@caviumnetworks.com, rric@kernel.org, sgoutham@cavium.com, linux-arm-kernel@lists.infradead.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Vadim.Lomovtsev@cavium.com
Subject: Re: [PATCH] net: thunderx: prevent concurrent data re-writing by nicvf_set_rx_mode
From: David Miller
In-Reply-To: <036618ae-887f-44b5-2b39-451b81191cc1@redhat.com>
References: <20180608092759.28059-1-Vadim.Lomovtsev@caviumnetworks.com> <20180610.123551.885190586229525170.davem@davemloft.net> <036618ae-887f-44b5-2b39-451b81191cc1@redhat.com>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Dean Nelson
Date: Mon, 11 Jun 2018 06:22:14 -0500

> On 06/10/2018 02:35 PM, David Miller wrote:
>> From: Vadim Lomovtsev
>> Date: Fri, 8 Jun 2018 02:27:59 -0700
>>
>>> + /* Save message data locally to prevent them from
>>> + * being overwritten by next ndo_set_rx_mode call().
>>> + */
>>> + spin_lock(&nic->rx_mode_wq_lock);
>>> + mode = vf_work->mode;
>>> + mc = vf_work->mc;
>>> + vf_work->mc = NULL;
>
> If I'm reading this code correctly, I believe nic->rx_mode_work.mc will
> have been set to NULL before the lock is dropped by
> nicvf_set_rx_mode_task() and acquired by nicvf_set_rx_mode().
>
>
>>> + spin_unlock(&nic->rx_mode_wq_lock);
>> At the moment you drop this lock, the memory behind 'mc' can be
>> freed up by:
>>
>>> + spin_lock(&nic->rx_mode_wq_lock);
>>> + kfree(nic->rx_mode_work.mc);
>
> So the kfree() will be called with a NULL pointer and quickly return.
>
>
>> And you'll crash when you dereference it above via
>> __nicvf_set_rx_mode_task().
>>
>
> I believe the call to kfree() in nicvf_set_rx_mode() is there to free
> up a mc_list that has been allocated by nicvf_set_rx_mode() during a
> previous callback to the function, one that has not yet been processed
> by nicvf_set_rx_mode_task().
>
> In this way only the last 'unprocessed' callback to nicvf_set_rx_mode()
> gets processed should there be multiple callbacks occurring between the
> times the nicvf_set_rx_mode_task() runs.
>
> In my testing with this patch, this is what I see happening.

You're right, my bad. Patch applied.
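
Review bot: the plain spin_lock()/spin_unlock() pair around "mc = vf_work->mc; vf_work->mc = NULL;" in the work-task hunk is only safe if nicvf_set_rx_mode() can never take rx_mode_wq_lock from softirq context on the CPU where the work item already holds it. If the ndo_set_rx_mode path can run there, the task side needs spin_lock_bh()/spin_unlock_bh(). Please state the expected calling context in the comment above the lock, or switch the variant.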
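
Review bot: the kfree(nic->rx_mode_work.mc) taken under rx_mode_wq_lock in the nicvf_set_rx_mode() hunk carries no comment, and its safety depends on the task side setting vf_work->mc = NULL before it unlocks, which is the step that was misread earlier in this thread. Add a short comment at the kfree() saying that it frees a list queued by an earlier call that the work task has not yet taken, and that the pointer is NULL once the task owns the list.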
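
A userspace model of the pointer handoff discussed in this thread, added here as an illustration; it is not the driver's code and not from any participant. The struct layout, the helpers wq_lock/wq_unlock, the two counters and the sample counts are assumptions, and an atomic_flag spinlock stands in for the kernel spinlock.

```c
#include <stdatomic.h>
#include <stdlib.h>

/* Userspace model (constructed); names follow the thread, layout assumed. */
struct mc_list { int count; };
struct rx_mode_work {
    atomic_flag lock;      /* stands in for nic->rx_mode_wq_lock */
    struct mc_list *mc;    /* pending list; NULL once the task owns it */
};
static int stale_dropped, last_count; /* replaced-unprocessed; last consumed */

static void wq_lock(struct rx_mode_work *w) { while (atomic_flag_test_and_set(&w->lock)) ; }
static void wq_unlock(struct rx_mode_work *w) { atomic_flag_clear(&w->lock); }

/* Models nicvf_set_rx_mode(): publish a new list, drop an unprocessed one. */
static int set_rx_mode(struct rx_mode_work *w, int count)
{
    struct mc_list *mc = malloc(sizeof(*mc));
    if (!mc) return -1;
    mc->count = count;
    wq_lock(w);
    stale_dropped += (w->mc != NULL);
    free(w->mc);           /* no-op on NULL, like kfree(NULL) */
    w->mc = mc;
    wq_unlock(w);
    return 0;
}

/* Models nicvf_set_rx_mode_task(): take ownership while holding the lock. */
static int set_rx_mode_task(struct rx_mode_work *w)
{
    wq_lock(w);
    struct mc_list *mc = w->mc;
    w->mc = NULL;          /* producer can no longer reach or free mc */
    wq_unlock(w);
    if (!mc)
        return 0;          /* nothing pending */
    last_count = mc->count; /* safe to dereference after the unlock */
    free(mc);
    return 1;
}

int main(void)
{
    struct rx_mode_work w = { ATOMIC_FLAG_INIT, NULL };
    set_rx_mode(&w, 3);
    set_rx_mode(&w, 5);    /* replaces the list the task never saw */
    return (set_rx_mode_task(&w) == 1 && last_count == 5) ? 0 : 1;
}
```

Removing the "w->mc = NULL" line from set_rx_mode_task() gives the use-after-free raised in the first review reply: the next set_rx_mode() call would free a list the task is still reading.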