From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Jack Morgenstein, Feras Daoud, Saeed Mahameed
Subject: [PATCH 4.18 002/235] net/mlx5: Fix use-after-free in self-healing flow
Date: Mon, 24 Sep 2018 13:49:48 +0200
Message-Id: <20180924113104.288158003@linuxfoundation.org>

4.18-stable review patch. If anyone has any objections, please let me know.

------------------
From: Jack Morgenstein [ Upstream commit 76d5581c870454be5f1f1a106c57985902e7ea20 ] When the mlx5 health mechanism detects a problem while the driver is in the middle of init_one or remove_one, the driver needs to prevent the health mechanism from scheduling future work; if future work is scheduled, there is a problem with use-after-free: the system WQ tries to run the work item (which has been freed) at the scheduled future time. Prevent this by disabling work item scheduling in the health mechanism when the driver is in the middle of init_one() or remove_one(). Fixes: e126ba97dba9 ("mlx5: Add driver for Mellanox Connect-IB adapters") Signed-off-by: Jack Morgenstein Reviewed-by: Feras Daoud Signed-off-by: Saeed Mahameed Signed-off-by: Greg Kroah-Hartman --- drivers/net/ethernet/mellanox/mlx5/core/health.c | 10 +++++++++- drivers/net/ethernet/mellanox/mlx5/core/main.c | 6 +++--- include/linux/mlx5/driver.h | 2 +- 3 files changed, 13 insertions(+), 5 deletions(-) --- a/drivers/net/ethernet/mellanox/mlx5/core/health.c +++ b/drivers/net/ethernet/mellanox/mlx5/core/health.c @@ -331,9 +331,17 @@ void mlx5_start_health_poll(struct mlx5_ add_timer(&health->timer); } -void mlx5_stop_health_poll(struct mlx5_core_dev *dev) +void mlx5_stop_health_poll(struct mlx5_core_dev *dev, bool disable_health) { struct mlx5_core_health *health = &dev->priv.health; + unsigned long flags; + + if (disable_health) { + spin_lock_irqsave(&health->wq_lock, flags); + set_bit(MLX5_DROP_NEW_HEALTH_WORK, &health->flags); + set_bit(MLX5_DROP_NEW_RECOVERY_WORK, &health->flags); + spin_unlock_irqrestore(&health->wq_lock, flags); + } del_timer_sync(&health->timer); } --- a/drivers/net/ethernet/mellanox/mlx5/core/main.c +++ b/drivers/net/ethernet/mellanox/mlx5/core/main.c 
@@ -1266,7 +1266,7 @@ err_cleanup_once: mlx5_cleanup_once(dev); err_stop_poll: - mlx5_stop_health_poll(dev); + mlx5_stop_health_poll(dev, boot); if (mlx5_cmd_teardown_hca(dev)) { dev_err(&dev->pdev->dev, "tear_down_hca failed, skip cleanup\n"); goto out_err; @@ -1325,7 +1325,7 @@ static int mlx5_unload_one(struct mlx5_c mlx5_free_irq_vectors(dev); if (cleanup) mlx5_cleanup_once(dev); - mlx5_stop_health_poll(dev); + mlx5_stop_health_poll(dev, cleanup); err = mlx5_cmd_teardown_hca(dev); if (err) { dev_err(&dev->pdev->dev, "tear_down_hca failed, skip cleanup\n"); @@ -1587,7 +1587,7 @@ static int mlx5_try_fast_unload(struct m * with the HCA, so the health polll is no longer needed. */ mlx5_drain_health_wq(dev); - mlx5_stop_health_poll(dev); + mlx5_stop_health_poll(dev, false); ret = mlx5_cmd_force_teardown_hca(dev); if (ret) { --- a/include/linux/mlx5/driver.h +++ b/include/linux/mlx5/driver.h @@ -1042,7 +1042,7 @@ int mlx5_cmd_free_uar(struct mlx5_core_d void mlx5_health_cleanup(struct mlx5_core_dev *dev); int mlx5_health_init(struct mlx5_core_dev *dev); void mlx5_start_health_poll(struct mlx5_core_dev *dev); -void mlx5_stop_health_poll(struct mlx5_core_dev *dev); +void mlx5_stop_health_poll(struct mlx5_core_dev *dev, bool disable_health); void mlx5_drain_health_wq(struct mlx5_core_dev *dev); void mlx5_trigger_health_work(struct mlx5_core_dev *dev); void mlx5_drain_health_recovery(struct mlx5_core_dev *dev);
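Review bot: In the health.c hunk, mlx5_stop_health_poll() sets MLX5_DROP_NEW_HEALTH_WORK and MLX5_DROP_NEW_RECOVERY_WORK under wq_lock and then only calls del_timer_sync(), so it blocks new submissions but does nothing about a work item that was queued just before the bits were set. Since the use-after-free in the commit message is a freed work item being run at a later scheduled time, either cancel or flush pending health work here when disable_health is true, or add a comment naming the caller-side step that does. The comment should also say where the two bits are cleared again, which these lines do not show.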
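Review bot: At err_stop_poll in the first main.c hunk, `mlx5_stop_health_poll(dev, boot);` reuses the `boot` flag as disable_health, so health work stays schedulable whenever this error path is taken with boot false. If that is intended because the device structure outlives a non-boot load failure, say so in a one-line comment at the call; the link between "boot" and "the work item is about to be freed" is not visible from these lines.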
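Review bot: In the mlx5_unload_one() hunk, the drop bits are set only after `mlx5_cleanup_once(dev)` has already run, because `mlx5_stop_health_poll(dev, cleanup);` follows it, and the health timer is not stopped until that call either. Please confirm that nothing released by mlx5_cleanup_once() is reachable from the health or recovery work, or move the disabling step ahead of the cleanup so the window is closed rather than argued away.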
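Review bot: In the mlx5_try_fast_unload() hunk, `mlx5_stop_health_poll(dev, false);` passes a bare boolean that cannot be read at the call site, and this is the one caller that never disables health work. Add a short comment on why false is correct here (presumably the preceding mlx5_drain_health_wq(dev) call covers it). Consider a named flag or a separate helper instead of the bool parameter, so the prototype changed in include/linux/mlx5/driver.h documents itself.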