Received: by 2002:a05:6358:9144:b0:117:f937:c515 with SMTP id r4csp183712rwr; Thu, 4 May 2023 01:02:54 -0700 (PDT) X-Google-Smtp-Source: ACHHUZ5DX9P9gAbzgaeRh6f0qSJ9A0AEePQHiS4SASxVpaLHmnjdbKrjLeVPw174YlrgazSDa8bQ X-Received: by 2002:a17:902:e751:b0:1a9:a408:a52f with SMTP id p17-20020a170902e75100b001a9a408a52fmr3363527plf.24.1683187374377; Thu, 04 May 2023 01:02:54 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1683187374; cv=none; d=google.com; s=arc-20160816; b=nMxU/sOTIL8dP7K1sQWvyCRt08J/NAh2a3v04Vt2SgKsaqoaksAZOrhowFzozTeq0a zCuXI60vO+AqYLFpYDivPs2h6nHp8CPAzgai/QfbaVG/l0p/Yc4xC/rKEjowl36kzFc3 vsW+vn4LMVnnw2DyfIbVZSi8Zyv9ggtqrMnNl7ZzidyIjBu45u6q/1e7ZdYod/9jYfa+ DDd7ezfvXpzlBkv2FTXgEoq0ZFhms6wzv2+6EzNKYwy29119keOk2UMFeVwclmOpPy2v XFTbF7nwZ+659gotedsxm3YnsIvH7vInNMkexySZONhxhIAnnodr7loZJmQu15FLFekx VhJQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-transfer-encoding :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:dkim-signature; bh=aJCtlY7+FW66yH/t8/AE4FoIrmltn6+ebo6rLaiqNTE=; b=vPEarOkHziPM0zXweWoyD6HJefJO/wf1hC1lZCATs4ViLToXhMw48U6Qdo1reicr8S Oki4rU1jwlSjmrWnFhi9VUe6Dkw2+fld1AW5h1HUYKsPLtiD0LF8AisFgzW/z1ouf3MT ZDs/FIm2KaMpPygkiHzp2bJs92Yrm77KMCUSTPPhwuUks78i/4JMK9MEbvzZgfXGgOBy WZ+CRlvD1rH8E/+orZa25QTQoqY8XJuSbmhdP1dyjbK3WoTXHEb+KkSQT07+uY0l5MqN 1pgQFlCvOl1o6Bu8iIfxVNPIbddzPal6afPnIYV7gnAry+UtpvnJgvH+/x1Q5/4qVbYv 0sTw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=VMHxVyXZ; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id z13-20020a63d00d000000b0051f0e959dc6si34501640pgf.483.2023.05.04.01.02.20; Thu, 04 May 2023 01:02:54 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=VMHxVyXZ; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229721AbjEDH5S (ORCPT + 99 others); Thu, 4 May 2023 03:57:18 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:39958 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229522AbjEDH5Q (ORCPT ); Thu, 4 May 2023 03:57:16 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 8BE322728; Thu, 4 May 2023 00:57:15 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id CCC4A631D6; Thu, 4 May 2023 07:57:14 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 6FED7C433EF; Thu, 4 May 2023 07:57:13 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1683187034; bh=BD+fImah7ymy/XPLoxovcxIHeqcAUrR7ThJMZGqhmUY=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=VMHxVyXZq7ct+QcEYLotgmRTbNBd5yimQJFWEju0LmqS+/NJuq7PfQIXnuCnqiGTp 5sY39fh68shTCdPyuY90UGqnoBypLT/0OCdQsyv51DE4GdjfPD6LSDFTfcI5yDb5BM OVj6y8h2zCcYPXNjHQCMd8dEZlkVBQmeOr8lYAXW0B5iZLrmPVWgjsps1DepNFoFcr atcpa0nlFVIKoiiQEm06sVCvwO6xncK28bFXPWJVsEKJYkRxnyYHpN5AsxYzuKU6jb wrq9VM7Ule78SRjOnSNJGraAXSjbkfTTgOveVa1Pz4vW+J/jtUb5BAGHvPImEE0Vjd hAyiW2J4mZBpA== Date: Thu, 4 May 2023 10:57:09 +0300 From: Leon Romanovsky To: "Chittim, Madhu" Cc: Ding Hui , davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, intel-wired-lan@lists.osuosl.org, jesse.brandeburg@intel.com, anthony.l.nguyen@intel.com, keescook@chromium.org, grzegorzx.szczurek@intel.com, mateusz.palczewski@intel.com, mitch.a.williams@intel.com, gregory.v.rose@intel.com, jeffrey.t.kirsher@intel.com, michal.kubiak@intel.com, simon.horman@corigine.com, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org, pengdonglin@sangfor.com.cn, huangcun@sangfor.com.cn Subject: Re: [PATCH net v4 2/2] iavf: Fix out-of-bounds when setting channels on remove Message-ID: <20230504075709.GS525452@unreal> References: <20230503031541.27855-1-dinghui@sangfor.com.cn> <20230503031541.27855-3-dinghui@sangfor.com.cn> <20230503082458.GH525452@unreal> <20230503162932.GN525452@unreal> <941ad3cc-22d6-3459-dfbc-36bc47a8a22a@intel.com> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: <941ad3cc-22d6-3459-dfbc-36bc47a8a22a@intel.com> X-Spam-Status: No, score=-4.6 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_MED, SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, May 03, 2023 at 12:22:00PM -0700, Chittim, Madhu wrote: > > > On 5/3/2023 9:29 AM, Leon Romanovsky wrote: > > On Wed, May 03, 2023 at 10:00:49PM +0800, Ding Hui wrote: > > > On 2023/5/3 4:24 下午, Leon Romanovsky wrote: > > > > On Wed, May 03, 2023 at 11:15:41AM +0800, Ding Hui wrote: > > > > > > > > > > > > > If we detected removing is in processing, we can avoid unnecessary > > > > > waiting and return error faster. > > > > > > > > > > On the other hand in timeout handling, we should keep the original > > > > > num_active_queues and reset num_req_queues to 0. > > > > > > > > > > Fixes: 4e5e6b5d9d13 ("iavf: Fix return of set the new channel count") > > > > > Signed-off-by: Ding Hui > > > > > Cc: Donglin Peng > > > > > Cc: Huang Cun > > > > > Reviewed-by: Simon Horman > > > > > Reviewed-by: Michal Kubiak > > > > > --- > > > > > v3 to v4: > > > > > - nothing changed > > > > > > > > > > v2 to v3: > > > > > - fix review tag > > > > > > > > > > v1 to v2: > > > > > - add reproduction script > > > > > > > > > > --- > > > > > drivers/net/ethernet/intel/iavf/iavf_ethtool.c | 4 +++- > > > > > 1 file changed, 3 insertions(+), 1 deletion(-) > > > > > > > > > > diff --git a/drivers/net/ethernet/intel/iavf/iavf_ethtool.c b/drivers/net/ethernet/intel/iavf/iavf_ethtool.c > > > > > index 6f171d1d85b7..d8a3c0cfedd0 100644 > > > > > --- a/drivers/net/ethernet/intel/iavf/iavf_ethtool.c > > > > > +++ b/drivers/net/ethernet/intel/iavf/iavf_ethtool.c > > > > > @@ -1857,13 +1857,15 @@ static int iavf_set_channels(struct net_device *netdev, > > > > > /* wait for the reset is done */ > > > > > for (i = 0; i < IAVF_RESET_WAIT_COMPLETE_COUNT; i++) { > > > > > msleep(IAVF_RESET_WAIT_MS); > > > > > + if (test_bit(__IAVF_IN_REMOVE_TASK, &adapter->crit_section)) > > > > > + return -EOPNOTSUPP; > > > > > > > > This makes no sense without locking as change to __IAVF_IN_REMOVE_TASK > > > > can happen any time. > > > > > > > > > > The state doesn't need to be that precise here, it is optimized only for > > > the fast path. During the lifecycle of the adapter, the __IAVF_IN_REMOVE_TASK > > > state will only be set and not cleared. > > > > > > If we didn't detect the "removing" state, we also can fallback to timeout > > > handling. > > > > > > So I don't think the locking is necessary here, what do the maintainers > > > at Intel think? > > > > I'm not Intel maintainer, but your change, explanation and the following > > line from your commit message aren't really aligned. > > > > [ 3510.400799] ================================================================== > > [ 3510.400820] BUG: KASAN: slab-out-of-bounds in iavf_free_all_tx_resources+0x156/0x160 [iavf] > > > > > > __IAVF_IN_REMOVE_TASK is being set only in iavf_remove() and the above > change is ok in terms of coming out of setting channels early enough while > remove is in progress. It is not, __IAVF_IN_REMOVE_TASK, set bit can be changed any time during iavf_set_channels() and if it is not, I would expect test_bit(..) placed at the beginning of iavf_set_channels() or even earlier. Thanks