From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Jack Morgenstein, Tariq Toukan, "David S. Miller"
Subject: [PATCH 4.14 19/34] net/mlx4_core: Fix reset flow when in command polling mode
Date: Mon, 18 Mar 2019 10:25:43 +0100
Message-Id: <20190318084147.344341912@linuxfoundation.org>
X-Mailer: git-send-email 2.21.0
In-Reply-To: <20190318084144.657740413@linuxfoundation.org>
References: <20190318084144.657740413@linuxfoundation.org>
User-Agent: quilt/0.65
X-stable: review
X-Patchwork-Hint: ignore
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------
From: Jack Morgenstein

[ Upstream commit e15ce4b8d11227007577e6dc1364d288b8874fbe ]

As part of unloading a device, the driver switches from FW command event mode to FW command polling mode. Part of switching over to polling mode is freeing the command context array memory (unfortunately, currently, without NULLing the command context array pointer).

The reset flow calls "complete" to complete all outstanding fw commands (if we are in event mode). The check for event vs. polling mode here is to test if the command context array pointer is NULL.

If the reset flow is activated after the switch to polling mode, it will attempt (incorrectly) to complete all the commands in the context array -- because the pointer was not NULLed when the driver switched over to polling mode.

As a result, we have a use-after-free situation, which results in a kernel crash. For example:

BUG: unable to handle kernel NULL pointer dereference at (null)
IP: [] __wake_up_common+0x2e/0x90
PGD 0
Oops: 0000 [#1] SMP
Modules linked in: netconsole nfsv3 nfs_acl nfs lockd grace ...
CPU: 2 PID: 940 Comm: kworker/2:3 Kdump: loaded Not tainted 3.10.0-862.el7.x86_64 #1
Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS 090006 04/28/2016
Workqueue: events hv_eject_device_work [pci_hyperv]
task: ffff8d1734ca0fd0 ti: ffff8d17354bc000 task.ti: ffff8d17354bc000
RIP: 0010:[] [] __wake_up_common+0x2e/0x90
RSP: 0018:ffff8d17354bfa38  EFLAGS: 00010082
RAX: 0000000000000000 RBX: ffff8d17362d42c8 RCX: 0000000000000000
RDX: 0000000000000001 RSI: 0000000000000003 RDI: ffff8d17362d42c8
RBP: ffff8d17354bfa70 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000298 R11: ffff8d173610e000 R12: ffff8d17362d42d0
R13: 0000000000000246 R14: 0000000000000000 R15: 0000000000000003
FS:  0000000000000000(0000) GS:ffff8d1802680000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 00000000f16d8000 CR4: 00000000001406e0
Call Trace:
[] complete+0x3c/0x50
[] mlx4_cmd_wake_completions+0x70/0x90 [mlx4_core]
[] mlx4_enter_error_state+0xe1/0x380 [mlx4_core]
[] mlx4_comm_cmd+0x29b/0x360 [mlx4_core]
[] __mlx4_cmd+0x441/0x920 [mlx4_core]
[] ? __slab_free+0x81/0x2f0
[] ? __radix_tree_lookup+0x84/0xf0
[] mlx4_free_mtt_range+0x5b/0xb0 [mlx4_core]
[] mlx4_mtt_cleanup+0x17/0x20 [mlx4_core]
[] mlx4_free_eq+0xa7/0x1c0 [mlx4_core]
[] mlx4_cleanup_eq_table+0xde/0x130 [mlx4_core]
[] mlx4_unload_one+0x118/0x300 [mlx4_core]
[] mlx4_remove_one+0x91/0x1f0 [mlx4_core]

The fix is to set the command context array pointer to NULL after freeing the array.

Fixes: f5aef5aa3506 ("net/mlx4_core: Activate reset flow upon fatal command cases")
Signed-off-by: Jack Morgenstein
Signed-off-by: Tariq Toukan
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman
---
 drivers/net/ethernet/mellanox/mlx4/cmd.c | 1 +
 1 file changed, 1 insertion(+)

--- a/drivers/net/ethernet/mellanox/mlx4/cmd.c
+++ b/drivers/net/ethernet/mellanox/mlx4/cmd.c
@@ -2686,6 +2686,7 @@ void mlx4_cmd_use_polling(struct mlx4_de down(&priv->cmd.event_sem); kfree(priv->cmd.context); + priv->cmd.context = NULL; up(&priv->cmd.poll_sem); up_write(&priv->cmd.switch_sem);
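Review bot: the store `priv->cmd.context = NULL;` in mlx4_cmd_use_polling is made while holding event_sem and the write side of switch_sem, but the commit message says the reset flow (mlx4_cmd_wake_completions, reached from mlx4_enter_error_state in the trace above) decides event vs. polling mode by testing that same pointer for NULL. If that reader does not take switch_sem or event_sem, it can still observe the stale pointer in the window between `kfree(priv->cmd.context);` and the NULL store, so the patch would narrow the race rather than close it. Worth stating the reader's locking in the commit message, and if the two are not serialized, clearing the pointer before the free (`ctx = priv->cmd.context; priv->cmd.context = NULL; kfree(ctx);`) so a racing reader sees NULL rather than freed memory.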
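To make the failure mode in the commit message concrete, the following is an added userspace model written for this page; it is not mlx4_core code, and every name in it (cmd_use_events, cmd_use_polling_buggy, cmd_use_polling_fixed, cmd_in_event_mode, cmd_wake_completions, the scenario_* helpers) is hypothetical. It reproduces the design the commit describes: a command context array whose pointer also serves as the "event mode vs. polling mode" flag, a mode switch that frees the array, and a reset path that decides whether to walk the array by testing that pointer for NULL.

```c
#include <stdio.h>
#include <stdlib.h>

/* Userspace model constructed for this example; not mlx4_core code.
 * The context array pointer doubles as the "event mode" flag, the role
 * the commit message describes for priv->cmd.context. */
struct cmd_context {
    int completed;            /* stands in for the completion the reset flow signals */
};

struct cmd_state {
    struct cmd_context *context;   /* non-NULL only while in event mode */
    int max_cmds;
};

/* Switch to event mode: allocate the context array (hypothetical name). */
int cmd_use_events(struct cmd_state *st, int max_cmds)
{
    st->context = calloc((size_t)max_cmds, sizeof(*st->context));
    if (!st->context)
        return -1;
    st->max_cmds = max_cmds;
    return 0;
}

/* Pre-fix behaviour: the array is freed but the pointer is left dangling. */
void cmd_use_polling_buggy(struct cmd_state *st)
{
    free(st->context);
}

/* Fixed behaviour, as in the patch: clear the pointer after freeing. */
void cmd_use_polling_fixed(struct cmd_state *st)
{
    free(st->context);
    st->context = NULL;
}

/* The reset flow's mode test: event mode is inferred from the pointer alone. */
int cmd_in_event_mode(const struct cmd_state *st)
{
    return st->context != NULL;
}

/* Model of "complete all outstanding commands". Returns the number of
 * context entries written. With a dangling pointer this loop is the
 * use-after-free, so the scenarios below only reach it on safe paths. */
int cmd_wake_completions(struct cmd_state *st)
{
    int i, woken = 0;

    if (!cmd_in_event_mode(st))
        return 0;             /* polling mode: nothing to complete */
    for (i = 0; i < st->max_cmds; i++) {
        st->context[i].completed = 1;
        woken++;
    }
    return woken;
}

/* Event mode with n commands: the reset flow completes all n. */
int scenario_event_mode(int n)
{
    struct cmd_state st = { NULL, 0 };
    int woken;

    if (cmd_use_events(&st, n) != 0)
        return -1;
    woken = cmd_wake_completions(&st);
    cmd_use_polling_fixed(&st);
    return woken;
}

/* Fixed switch to polling: the reset flow sees polling mode, completes nothing. */
int scenario_fixed(void)
{
    struct cmd_state st = { NULL, 0 };

    if (cmd_use_events(&st, 4) != 0)
        return -1;
    cmd_use_polling_fixed(&st);
    return cmd_wake_completions(&st);
}

/* Buggy switch to polling: the mode test still reports event mode because the
 * pointer was never cleared. Only the pointer value is compared here; the
 * freed array is deliberately not dereferenced. */
int scenario_buggy_flag(void)
{
    struct cmd_state st = { NULL, 0 };

    if (cmd_use_events(&st, 4) != 0)
        return -1;
    cmd_use_polling_buggy(&st);
    return cmd_in_event_mode(&st);
}

int main(void)
{
    printf("event mode, 4 commands -> completed %d\n", scenario_event_mode(4));
    printf("fixed polling switch   -> completed %d\n", scenario_fixed());
    printf("buggy polling switch   -> still reports event mode: %d\n",
           scenario_buggy_flag());
    return 0;
}
```

The buggy scenario stops at the mode test on purpose: it shows that the stale pointer makes the reset path believe it is in event mode, which is the decision that sends the real driver into the freed array. Building the model with -fsanitize=address and calling cmd_wake_completions after cmd_use_polling_buggy reports a heap-use-after-free at the array write, the userspace counterpart of the crash in __wake_up_common shown in the trace; the fixed path never enters the loop.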