Received: by 2002:a25:8b91:0:0:0:0:0 with SMTP id j17csp8418084ybl; Thu, 16 Jan 2020 16:29:34 -0800 (PST) X-Google-Smtp-Source: APXvYqzuH+XyDNubdb7eHY5XOXGWJ2FdGGIkR7UyiovczS149zxuVDCmMS5e20omulrhma99pXlO X-Received: by 2002:aca:d787:: with SMTP id o129mr1500256oig.75.1579220974602; Thu, 16 Jan 2020 16:29:34 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1579220974; cv=none; d=google.com; s=arc-20160816; b=omS5QHlJ9yJtZ1Gnb4tW+EYP35kllKBcyRaDO1bqyfsrq8Ey1rDI3XCsMCimRC6KBa dCDTLbdukglLmBrjU2hGiSr6aAohis/UX7lEAL1pQ5xjy3ZRj/11mZzCmHRn8rkccVzO TnNsYyCaHKq9xgw2ADrBCDYrCvXL2baZe+zNjbIAinIRD+wV9++EfbJzApILX0A2WLfB UCUnQkmj+SwCL6e4a2fM0zmHXGr6DJ06oVqoVg9apRb8nYyUeuBFdN0k3Cf0dDndLK3q U8oaKL5Ng79dVOzsXho24XEqSRp6mMS40BcNclXMRY4dwyWRC/eguh7HmnXXqC/ONbkw /0SA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=N4o+JQ3CiBLXlSXNes2Qaa2khDQRqueSfxlNboGe5+s=; b=bZdfCICimR0UKo6bAMsfB0alCSRZCOUmT6Ey/wGQG3h/w/UtZKeqA9NR03SVbQIbWX 7RsHXkrz4VaCamGdNikQHsdWA2Bqrl6AbEYvZop9pJv6gUZhFqyokdZgokTMr/nPHStB 2LkqmNqkA7CqtjZilhOHDHzK3WUqoDqAeJ986CD/yKWThNnoXjghkKBtz8Dh19jR0z/j b2/4g/v1lLzRHi/48RiisY1IHggNzx+Ejkvggcxe60rRtWZ1kKRvYHjV1y0kkz64icGP 7fBF8S2wR84yR8vYfHjwkOze0rGdvE3nfCBytaE8rtbqWVMXwgBNXeYc/P0tgadR/iSv 98ZQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=O6UNCH0i; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id i9si14627523otp.139.2020.01.16.16.29.22; Thu, 16 Jan 2020 16:29:34 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=O6UNCH0i; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2390765AbgAPXVF (ORCPT + 99 others); Thu, 16 Jan 2020 18:21:05 -0500 Received: from mail.kernel.org ([198.145.29.99]:47964 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2390752AbgAPXVB (ORCPT ); Thu, 16 Jan 2020 18:21:01 -0500 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id E9C4D2077C; Thu, 16 Jan 2020 23:20:59 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1579216860; bh=hBl88ClmNQ5MuN49kdNckYKs40bu//qCToIj1UiJmX8=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=O6UNCH0i1eZeCGBVL9xZC83gdiLZl4/979mKJMgfZh8/3ulu52bIm9KKQtaFxL/X/ xcAiOsN3iPPxp6mh8B2enn4MA/H7eJ3g5leOJxBGyKbSDwVAjDMVN575KkHYUizClj F8b9TP5Zici+/ACdOw/E8LsJnPzQFLSqb8d+Uuss= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Julian Wiedmann , "David S. Miller" Subject: [PATCH 5.4 033/203] s390/qeth: fix qdio teardown after early init error Date: Fri, 17 Jan 2020 00:15:50 +0100 Message-Id: <20200116231747.112519253@linuxfoundation.org> X-Mailer: git-send-email 2.25.0 In-Reply-To: <20200116231745.218684830@linuxfoundation.org> References: <20200116231745.218684830@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Julian Wiedmann commit 8b5026bc16938920e4780b9094c3bf20e1e0939d upstream. qeth_l?_set_online() goes through a number of initialization steps, and on any error uses qeth_l?_stop_card() to tear down the residual state. The first initialization step is qeth_core_hardsetup_card(). When this fails after having established a QDIO context on the device (ie. somewhere after qeth_mpc_initialize()), qeth_l?_stop_card() doesn't shut down this QDIO context again (since the card state hasn't progressed from DOWN at this stage). Even worse, we then call qdio_free() as final teardown step to free the QDIO data structures - while some of them are still hooked into wider QDIO infrastructure such as the IRQ list. This is inevitably followed by use-after-frees and other nastyness. Fix this by unconditionally calling qeth_qdio_clear_card() to shut down the QDIO context, and also to halt/clear any pending activity on the various IO channels. Remove the naive attempt at handling the teardown in qeth_mpc_initialize(), it clearly doesn't suffice and we're handling it properly now in the wider teardown code. Fixes: 4a71df50047f ("qeth: new qeth device driver") Signed-off-by: Julian Wiedmann Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman --- drivers/s390/net/qeth_core_main.c | 20 ++++++++------------ drivers/s390/net/qeth_l2_main.c | 2 +- drivers/s390/net/qeth_l3_main.c | 2 +- 3 files changed, 10 insertions(+), 14 deletions(-) --- a/drivers/s390/net/qeth_core_main.c +++ b/drivers/s390/net/qeth_core_main.c @@ -2451,50 +2451,46 @@ static int qeth_mpc_initialize(struct qe rc = qeth_cm_enable(card); if (rc) { QETH_CARD_TEXT_(card, 2, "2err%d", rc); - goto out_qdio; + return rc; } rc = qeth_cm_setup(card); if (rc) { QETH_CARD_TEXT_(card, 2, "3err%d", rc); - goto out_qdio; + return rc; } rc = qeth_ulp_enable(card); if (rc) { QETH_CARD_TEXT_(card, 2, "4err%d", rc); - goto out_qdio; + return rc; } rc = qeth_ulp_setup(card); if (rc) { QETH_CARD_TEXT_(card, 2, "5err%d", rc); - goto out_qdio; + return rc; } rc = qeth_alloc_qdio_queues(card); if (rc) { QETH_CARD_TEXT_(card, 2, "5err%d", rc); - goto out_qdio; + return rc; } rc = qeth_qdio_establish(card); if (rc) { QETH_CARD_TEXT_(card, 2, "6err%d", rc); qeth_free_qdio_queues(card); - goto out_qdio; + return rc; } rc = qeth_qdio_activate(card); if (rc) { QETH_CARD_TEXT_(card, 2, "7err%d", rc); - goto out_qdio; + return rc; } rc = qeth_dm_act(card); if (rc) { QETH_CARD_TEXT_(card, 2, "8err%d", rc); - goto out_qdio; + return rc; } return 0; -out_qdio: - qeth_qdio_clear_card(card, !IS_IQD(card)); - qdio_free(CARD_DDEV(card)); - return rc; } void qeth_print_status_message(struct qeth_card *card) --- a/drivers/s390/net/qeth_l2_main.c +++ b/drivers/s390/net/qeth_l2_main.c @@ -287,12 +287,12 @@ static void qeth_l2_stop_card(struct qet card->state = CARD_STATE_HARDSETUP; } if (card->state == CARD_STATE_HARDSETUP) { - qeth_qdio_clear_card(card, 0); qeth_drain_output_queues(card); qeth_clear_working_pool_list(card); card->state = CARD_STATE_DOWN; } + qeth_qdio_clear_card(card, 0); flush_workqueue(card->event_wq); card->info.mac_bits &= ~QETH_LAYER2_MAC_REGISTERED; card->info.promisc_mode = 0; --- a/drivers/s390/net/qeth_l3_main.c +++ b/drivers/s390/net/qeth_l3_main.c @@ -1426,12 +1426,12 @@ static void qeth_l3_stop_card(struct qet card->state = CARD_STATE_HARDSETUP; } if (card->state == CARD_STATE_HARDSETUP) { - qeth_qdio_clear_card(card, 0); qeth_drain_output_queues(card); qeth_clear_working_pool_list(card); card->state = CARD_STATE_DOWN; } + qeth_qdio_clear_card(card, 0); flush_workqueue(card->event_wq); card->info.promisc_mode = 0; }