From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Pavan Chebbi, Andy Gospodarek, Michael Chan, "David S. Miller", Sasha Levin
Subject: [PATCH 5.12 644/677] bnxt_en: Fix RX consumer index logic in the error path.
Date: Wed, 12 May 2021 16:51:30 +0200
Message-Id: <20210512144858.756635662@linuxfoundation.org>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20210512144837.204217980@linuxfoundation.org>
References: <20210512144837.204217980@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

From: Michael Chan

[ Upstream commit bbd6f0a948139970f4a615dff189d9a503681a39 ]

In bnxt_rx_pkt(), the RX buffers are expected to complete in order.
If the RX consumer index indicates an out of order buffer completion,
it means we are hitting a hardware bug and the driver will abort all
remaining RX packets and reset the RX ring. The RX consumer index
that we pass to bnxt_discard_rx() is not correct. We should be
passing the current index (tmp_raw_cons) instead of the old index
(raw_cons). This bug can cause us to be at the wrong index when
trying to abort the next RX packet. It can crash like this:

 #0 [ffff9bbcdf5c39a8] machine_kexec at ffffffff9b05e007
 #1 [ffff9bbcdf5c3a00] __crash_kexec at ffffffff9b111232
 #2 [ffff9bbcdf5c3ad0] panic at ffffffff9b07d61e
 #3 [ffff9bbcdf5c3b50] oops_end at ffffffff9b030978
 #4 [ffff9bbcdf5c3b78] no_context at ffffffff9b06aaf0
 #5 [ffff9bbcdf5c3bd8] __bad_area_nosemaphore at ffffffff9b06ae2e
 #6 [ffff9bbcdf5c3c28] bad_area_nosemaphore at ffffffff9b06af24
 #7 [ffff9bbcdf5c3c38] __do_page_fault at ffffffff9b06b67e
 #8 [ffff9bbcdf5c3cb0] do_page_fault at ffffffff9b06bb12
 #9 [ffff9bbcdf5c3ce0] page_fault at ffffffff9bc015c5
    [exception RIP: bnxt_rx_pkt+237]
    RIP: ffffffffc0259cdd  RSP: ffff9bbcdf5c3d98  RFLAGS: 00010213
    RAX: 000000005dd8097f  RBX: ffff9ba4cb11b7e0  RCX: ffffa923cf6e9000
    RDX: 0000000000000fff  RSI: 0000000000000627  RDI: 0000000000001000
    RBP: ffff9bbcdf5c3e60   R8: 0000000000420003   R9: 000000000000020d
    R10: ffffa923cf6ec138  R11: ffff9bbcdf5c3e83  R12: ffff9ba4d6f928c0
    R13: ffff9ba4cac28080  R14: ffff9ba4cb11b7f0  R15: ffff9ba4d5a30000
    ORIG_RAX: ffffffffffffffff  CS: 0010  SS: 0018

Fixes: a1b0e4e684e9 ("bnxt_en: Improve RX consumer index validity check.")
Reviewed-by: Pavan Chebbi
Reviewed-by: Andy Gospodarek
Signed-off-by: Michael Chan
Signed-off-by: David S. Miller
Signed-off-by: Sasha Levin
---
 drivers/net/ethernet/broadcom/bnxt/bnxt.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c index aeb8c61c0f87..73239d3eaca1 100644 --- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c +++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c @@ -1732,14 +1732,16 @@ static int bnxt_rx_pkt(struct bnxt *bp, struct bnxt_cp_ring_info *cpr, cons = rxcmp->rx_cmp_opaque; if (unlikely(cons != rxr->rx_next_cons)) { - int rc1 = bnxt_discard_rx(bp, cpr, raw_cons, rxcmp); + int rc1 = bnxt_discard_rx(bp, cpr, &tmp_raw_cons, rxcmp); /* 0xffff is forced error, don't print it */ if (rxr->rx_next_cons != 0xffff) netdev_warn(bp->dev, "RX cons %x != expected cons %x\n", cons, rxr->rx_next_cons); bnxt_sched_reset(bp, rxr); - return rc1; + if (rc1) + return rc1; + goto next_rx_no_prod_no_len; } rx_buf = &rxr->rx_buf_ring[cons]; data = rx_buf->data; -- 2.30.2
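
Review bot: The tail of the `cons != rxr->rx_next_cons` branch changes control flow as well as the index argument, and the changelog only explains the index. With `if (rc1) return rc1;` followed by `goto next_rx_no_prod_no_len;`, a successful discard no longer returns directly after bnxt_sched_reset() but continues into the common exit path, while a failing discard still returns early. The label lies outside the visible context, so this hunk alone does not show what the function returns on that path or whether the advanced tmp_raw_cons is written back for the caller there. Please add a sentence to the commit message, or a short comment above the goto, stating both, since the point of the fix is that the next RX packet is aborted from the right index.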