Date: Sat, 2 Dec 2023 10:21:37 +0800
Subject: Re: [PATCH v3] net/mlx5e: Fix a race in command alloc flow
To: Shifeng Li, saeedm@nvidia.com, leon@kernel.org, davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, eranbe@mellanox.com, moshe@mellanox.com
Cc: netdev@vger.kernel.org, linux-rdma@vger.kernel.org, linux-kernel@vger.kernel.org, lishifeng1992@126.com, Moshe Shemesh
References: <20231130030559.622165-1-lishifeng@sangfor.com.cn>
From: Ding Hui
In-Reply-To: <20231130030559.622165-1-lishifeng@sangfor.com.cn>

On 2023/11/30 11:05, Shifeng Li wrote:
> Fix a cmd->ent use after free due to a race on command entry.
> Such race occurs when one of the commands releases its last refcount and
> frees its index and entry while another process running command flush
> flow takes refcount to this command entry. The process which handles
> commands flush may see this command as needed to be flushed if the other
> process allocated a ent->idx but didn't set ent to cmd->ent_arr in
> cmd_work_handler(). Fix it by moving the assignment of cmd->ent_arr into
> the spin lock.
>
> [70013.081955] BUG: KASAN: use-after-free in mlx5_cmd_trigger_completions+0x1e2/0x4c0 [mlx5_core]
> [70013.081967] Write of size 4 at addr ffff88880b1510b4 by task kworker/26:1/1433361
> [70013.081968]
> [70013.082028] Workqueue: events aer_isr
> [70013.082053] Call Trace:
> [70013.082067] dump_stack+0x8b/0xbb
> [70013.082086] print_address_description+0x6a/0x270
> [70013.082102] kasan_report+0x179/0x2c0
> [70013.082173] mlx5_cmd_trigger_completions+0x1e2/0x4c0 [mlx5_core]
> [70013.082267] mlx5_cmd_flush+0x80/0x180 [mlx5_core]
> [70013.082304] mlx5_enter_error_state+0x106/0x1d0 [mlx5_core]
> [70013.082338] mlx5_try_fast_unload+0x2ea/0x4d0 [mlx5_core]
> [70013.082377] remove_one+0x200/0x2b0 [mlx5_core]
> [70013.082409] pci_device_remove+0xf3/0x280
> [70013.082439] device_release_driver_internal+0x1c3/0x470
> [70013.082453] pci_stop_bus_device+0x109/0x160
> [70013.082468] pci_stop_and_remove_bus_device+0xe/0x20
> [70013.082485] pcie_do_fatal_recovery+0x167/0x550
> [70013.082493] aer_isr+0x7d2/0x960
> [70013.082543] process_one_work+0x65f/0x12d0
> [70013.082556] worker_thread+0x87/0xb50
> [70013.082571] kthread+0x2e9/0x3a0
> [70013.082592] ret_from_fork+0x1f/0x40
>

It is better if you also put the diagram [1] in the commit log, that is
easy to understand.

[1] https://www.spinics.net/lists/netdev/msg951955.html

> Fixes: 50b2412b7e78 ("net/mlx5: Avoid possible free of command entry while timeout comp handler")
> Reviewed-by: Moshe Shemesh
> Signed-off-by: Shifeng Li

--
Thanks,
- Ding Hui
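
The ordering problem described in the quoted commit message, replayed deterministically as an added user-space model; it is not the mlx5 driver's code and not part of the original thread. The free-index bitmask, `SLOTS`, `claim_index()`, `flush_take_refs()` and `replay()` are assumptions made for illustration, and the "freed" flag stands in for a real free so the stale access can be counted safely.

```c
#include <stdbool.h>
#include <stdio.h>
#define SLOTS 4
struct ent { int idx, refcnt; bool freed; };
/* free_mask: bit set = index free (model assumption); ent_arr: index -> entry */
struct cmd { unsigned long free_mask; struct ent *ent_arr[SLOTS]; };

/* Claim a free index; runs with the lock held in this model. */
static int claim_index(struct cmd *c, struct ent *e, bool store_in_lock)
{
    for (int i = 0; i < SLOTS; i++) {
        if (!(c->free_mask & (1UL << i)))
            continue;
        c->free_mask &= ~(1UL << i);
        if (store_in_lock) c->ent_arr[i] = e;  /* fixed: same critical section */
        return i;
    }
    return -1;
}

/* Flush flow, lock held: count references that would hit a freed entry. */
static int flush_take_refs(struct cmd *c)
{
    int stale = 0;
    for (int i = 0; i < SLOTS; i++) {
        struct ent *e = c->ent_arr[i];
        if ((c->free_mask & (1UL << i)) || !e)
            continue;            /* index not claimed, or never used */
        if (e->freed) stale++; else e->refcnt++;
    }
    return stale;
}

/* Replay: A drops its last ref, B claims the index, flush runs next. */
int replay(bool store_in_lock)
{
    struct cmd c = { .free_mask = (1UL << SLOTS) - 1 };
    struct ent a = { .refcnt = 1 }, b = { .refcnt = 1 };
    a.idx = claim_index(&c, &a, true);
    c.free_mask |= 1UL << a.idx;  /* A's last put: index returned ... */
    a.freed = true;               /* ... entry freed, ent_arr slot left stale */
    b.idx = claim_index(&c, &b, store_in_lock);
    return flush_take_refs(&c);   /* B's unlocked store would come after this */
}

int main(void)
{
    printf("outside lock: %d, inside lock: %d\n", replay(false), replay(true));
    return 0;
}
```

With the store left outside the lock, the flush pass finds the index claimed but still pointing at the freed entry; with the store inside the critical section it only ever sees the live one.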