From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Zumeng Chen <zumeng.chen@gmail.com>,
Michael Chan <michael.chan@broadcom.com>,
"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 4.9 19/33] tg3: Fix vunmap() BUG_ON() triggered from tg3_free_consistent().
Date: Fri, 18 May 2018 10:15:58 +0200 [thread overview]
Message-ID: <20180518081535.871300724@linuxfoundation.org> (raw)
In-Reply-To: <20180518081535.096308218@linuxfoundation.org>
4.9-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michael Chan <michael.chan@broadcom.com>
[ Upstream commit d89a2adb8bfe6f8949ff389acdb9fa298b6e8e12 ]
tg3_free_consistent() calls dma_free_coherent() to free tp->hw_stats
under spinlock and can trigger BUG_ON() in vunmap() because vunmap()
may sleep. Fix it by removing the spinlock and relying on the
TG3_FLAG_INIT_COMPLETE flag to prevent race conditions between
tg3_get_stats64() and tg3_free_consistent(). TG3_FLAG_INIT_COMPLETE
is always cleared under tp->lock before tg3_free_consistent()
and therefore tg3_get_stats64() can safely access tp->hw_stats
under tp->lock if TG3_FLAG_INIT_COMPLETE is set.
Fixes: f5992b72ebe0 ("tg3: Fix race condition in tg3_get_stats64().")
Reported-by: Zumeng Chen <zumeng.chen@gmail.com>
Signed-off-by: Michael Chan <michael.chan@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/ethernet/broadcom/tg3.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
--- a/drivers/net/ethernet/broadcom/tg3.c
+++ b/drivers/net/ethernet/broadcom/tg3.c
@@ -8720,14 +8720,15 @@ static void tg3_free_consistent(struct t
tg3_mem_rx_release(tp);
tg3_mem_tx_release(tp);
- /* Protect tg3_get_stats64() from reading freed tp->hw_stats. */
- tg3_full_lock(tp, 0);
+ /* tp->hw_stats can be referenced safely:
+ * 1. under rtnl_lock
+ * 2. or under tp->lock if TG3_FLAG_INIT_COMPLETE is set.
+ */
if (tp->hw_stats) {
dma_free_coherent(&tp->pdev->dev, sizeof(struct tg3_hw_stats),
tp->hw_stats, tp->stats_mapping);
tp->hw_stats = NULL;
}
- tg3_full_unlock(tp);
}
/*
@@ -14161,7 +14162,7 @@ static struct rtnl_link_stats64 *tg3_get
struct tg3 *tp = netdev_priv(dev);
spin_lock_bh(&tp->lock);
- if (!tp->hw_stats) {
+ if (!tp->hw_stats || !tg3_flag(tp, INIT_COMPLETE)) {
*stats = tp->net_stats_prev;
spin_unlock_bh(&tp->lock);
return stats;
next prev parent reply other threads:[~2018-05-18 8:15 UTC|newest]
Thread overview: 61+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-05-18 8:15 [PATCH 4.9 00/33] 4.9.101-stable review Greg Kroah-Hartman
2018-05-18 8:15 ` [PATCH 4.9 01/33] 8139too: Use disable_irq_nosync() in rtl8139_poll_controller() Greg Kroah-Hartman
2018-05-18 8:15 ` [PATCH 4.9 02/33] bridge: check iface upper dev when setting master via ioctl Greg Kroah-Hartman
2018-05-18 8:15 ` [PATCH 4.9 04/33] ipv4: fix memory leaks in udp_sendmsg, ping_v4_sendmsg Greg Kroah-Hartman
2018-05-18 8:15 ` [PATCH 4.9 05/33] llc: better deal with too small mtu Greg Kroah-Hartman
2018-05-18 8:15 ` [PATCH 4.9 06/33] net: ethernet: sun: niu set correct packet size in skb Greg Kroah-Hartman
2018-05-18 8:15 ` [PATCH 4.9 07/33] net: ethernet: ti: cpsw: fix packet leaking in dual_mac mode Greg Kroah-Hartman
2018-05-18 8:15 ` [PATCH 4.9 08/33] net/mlx4_en: Verify coalescing parameters are in range Greg Kroah-Hartman
2018-05-18 8:15 ` [PATCH 4.9 09/33] net/mlx5: E-Switch, Include VF RDMA stats in vport statistics Greg Kroah-Hartman
2018-05-18 8:15 ` [PATCH 4.9 10/33] net_sched: fq: take care of throttled flows before reuse Greg Kroah-Hartman
2018-05-18 8:15 ` [PATCH 4.9 11/33] net: support compat 64-bit time in {s,g}etsockopt Greg Kroah-Hartman
2018-05-18 8:15 ` [PATCH 4.9 12/33] openvswitch: Dont swap table in nlattr_set() after OVS_ATTR_NESTED is found Greg Kroah-Hartman
2018-05-18 8:15 ` [PATCH 4.9 13/33] qmi_wwan: do not steal interfaces from class drivers Greg Kroah-Hartman
2018-05-18 8:15 ` [PATCH 4.9 14/33] r8169: fix powering up RTL8168h Greg Kroah-Hartman
2018-05-18 8:15 ` [PATCH 4.9 15/33] sctp: handle two v4 addrs comparison in sctp_inet6_cmp_addr Greg Kroah-Hartman
2018-05-18 8:15 ` [PATCH 4.9 16/33] sctp: remove sctp_chunk_put from fail_mark err path in sctp_ulpevent_make_rcvmsg Greg Kroah-Hartman
2018-05-18 8:15 ` [PATCH 4.9 17/33] sctp: use the old asoc when making the cookie-ack chunk in dupcook_d Greg Kroah-Hartman
2018-05-18 8:15 ` [PATCH 4.9 18/33] tcp_bbr: fix to zero idle_restart only upon S/ACKed data Greg Kroah-Hartman
2018-05-18 8:15 ` Greg Kroah-Hartman [this message]
2018-05-18 8:15 ` [PATCH 4.9 20/33] bonding: do not allow rlb updates to invalid mac Greg Kroah-Hartman
2018-05-18 8:16 ` [PATCH 4.9 21/33] net/mlx5: Avoid cleaning flow steering table twice during error flow Greg Kroah-Hartman
2018-05-18 8:16 ` [PATCH 4.9 22/33] bonding: send learning packets for vlans on slave Greg Kroah-Hartman
2018-05-18 8:16 ` [PATCH 4.9 23/33] tcp: ignore Fast Open on repair mode Greg Kroah-Hartman
2018-05-18 8:16 ` [PATCH 4.9 24/33] sctp: fix the issue that the cookie-ack with auth cant get processed Greg Kroah-Hartman
2018-05-18 8:16 ` [PATCH 4.9 25/33] sctp: delay the authentication for the duplicated cookie-echo chunk Greg Kroah-Hartman
2018-05-18 8:16 ` [PATCH 4.9 26/33] serial: sccnxp: Fix error handling in sccnxp_probe() Greg Kroah-Hartman
2018-05-18 8:16 ` [PATCH 4.9 27/33] futex: Remove duplicated code and fix undefined behaviour Greg Kroah-Hartman
2018-05-18 8:16 ` Greg Kroah-Hartman
2018-05-18 8:16 ` [OpenRISC] " Greg Kroah-Hartman
2018-05-18 8:16 ` Greg Kroah-Hartman
2018-05-18 8:16 ` Greg Kroah-Hartman
2018-05-18 8:16 ` Greg Kroah-Hartman
2018-05-18 8:16 ` Greg Kroah-Hartman
2018-05-18 8:16 ` Greg Kroah-Hartman
2018-05-18 8:30 ` Jiri Slaby
2018-05-18 8:30 ` Jiri Slaby
2018-05-18 8:30 ` [OpenRISC] " Jiri Slaby
2018-05-18 8:30 ` Jiri Slaby
2018-05-18 8:30 ` Jiri Slaby
2018-05-18 8:30 ` Jiri Slaby
2018-05-18 8:30 ` Jiri Slaby
2018-05-18 9:01 ` Greg Kroah-Hartman
2018-05-18 9:01 ` Greg Kroah-Hartman
2018-05-18 9:01 ` [OpenRISC] " Greg Kroah-Hartman
2018-05-18 9:01 ` Greg Kroah-Hartman
2018-05-18 9:01 ` Greg Kroah-Hartman
2018-05-18 9:01 ` Greg Kroah-Hartman
2018-05-18 9:01 ` Greg Kroah-Hartman
2018-05-18 9:01 ` Greg Kroah-Hartman
2018-05-18 8:16 ` [PATCH 4.9 28/33] xfrm: fix xfrm_do_migrate() with AEAD e.g(AES-GCM) Greg Kroah-Hartman
2018-05-18 8:16 ` [PATCH 4.9 29/33] lockd: lost rollback of set_grace_period() in lockd_down_net() Greg Kroah-Hartman
2018-05-18 8:16 ` [PATCH 4.9 30/33] Revert "ARM: dts: imx6qdl-wandboard: Fix audio channel swap" Greg Kroah-Hartman
2018-05-18 8:16 ` [PATCH 4.9 31/33] l2tp: revert "l2tp: fix missing print session offset info" Greg Kroah-Hartman
2018-05-18 8:16 ` [PATCH 4.9 32/33] nfp: TX time stamp packets before HW doorbell is rung Greg Kroah-Hartman
2018-05-18 8:16 ` [PATCH 4.9 33/33] proc: do not access cmdline nor environ from file-backed areas Greg Kroah-Hartman
2018-05-18 13:20 ` [PATCH 4.9 00/33] 4.9.101-stable review Guenter Roeck
2018-05-18 14:05 ` kernelci.org bot
2018-05-18 19:02 ` Naresh Kamboju
2018-05-18 20:47 ` Shuah Khan
-- strict thread matches above, loose matches on Subject: below --
2018-05-18 8:15 [PATCH 4.9 03/33] dccp: fix tasklet usage Greg Kroah-Hartman
2018-05-18 8:15 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180518081535.871300724@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=davem@davemloft.net \
--cc=linux-kernel@vger.kernel.org \
--cc=michael.chan@broadcom.com \
--cc=stable@vger.kernel.org \
--cc=zumeng.chen@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.