From: Jason Gunthorpe <jgg@ziepe.ca>
To: Neil Horman <nhorman@tuxdriver.com>
Cc: linux-rdma@vger.kernel.org, Adit Ranadive <aditr@vmware.com>,
	VMware PV-Drivers <pv-drivers@vmware.com>,
	Doug Ledford <dledford@redhat.com>,
	linux-kernel@vger.kernel.org
Subject: Re: [PATCH v2] vmw_pvrdma: Release netdev when vmxnet3 module is removed
Date: Tue, 3 Jul 2018 15:53:25 -0600
Message-ID: <20180703215325.GA29072@ziepe.ca>
In-Reply-To: <20180629115206.18787-1-nhorman@tuxdriver.com>

On Fri, Jun 29, 2018 at 07:52:06AM -0400, Neil Horman wrote:
> On repeated module load/unload cycles, it's possible for the pvrdma
> driver to encounter this crash:
> 
> ...
> 297.032448] RIP: 0010:[<ffffffff839e4620>]  [<ffffffff839e4620>] netdev_walk_all_upper_dev_rcu+0x50/0xb0
> [  297.034078] RSP: 0018:ffff95087780bd08  EFLAGS: 00010286
> [  297.034986] RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff95087a0c0000
> [  297.036196] RDX: ffff95087a0c0000 RSI: ffffffff839e44e0 RDI: ffff950835d0c000
> [  297.037421] RBP: ffff95087780bd40 R08: ffff95087a0e0ea0 R09: abddacd03f8e0ea0
> [  297.038636] R10: abddacd03f8e0ea0 R11: ffffef5901e9dbc0 R12: ffff95087a0c0000
> [  297.039854] R13: ffffffff839e44e0 R14: ffff95087a0c0000 R15: ffff950835d0c828
> [  297.041071] FS:  0000000000000000(0000) GS:ffff95087fc00000(0000) knlGS:0000000000000000
> [  297.042443] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [  297.043429] CR2: ffffffffffffffe8 CR3: 000000007a652000 CR4: 00000000003607f0
> [  297.044674] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> [  297.045893] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> [  297.047109] Call Trace:
> [  297.047545]  [<ffffffff839e4698>] netdev_has_upper_dev_all_rcu+0x18/0x20
> [  297.048691]  [<ffffffffc05d31af>] is_eth_port_of_netdev+0x2f/0xa0 [ib_core]
> [  297.049886]  [<ffffffffc05d3180>] ? is_eth_active_slave_of_bonding_rcu+0x70/0x70 [ib_core]
> ...
> 
> This occurs because vmw_pvrdma on probe stores a pointer to the netdev
> that exists on function 0 of the same bus/device/slot (which represents
> the vmxnet3 ethernet driver).  However, it never removes this pointer if
> the vmxnet3 module is removed, leading to crashes resulting from use
> after free dereferencing incidents like the one above.
> 
> The fix is pretty straightforward.  vmw_pvrdma should listen for
> NETDEV_REGISTER and NETDEV_UNREGISTER events in its event listener code
> block, and update the stored netdev pointer accordingly.  This solution
> has been tested by myself and the reporter with successful results.
> This fix also allows the pvrdma driver to find its underlying ethernet
> device in the event that vmxnet3 is loaded after pvrdma, which it was
> not able to do before.
> 
> Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
> Reported-by: ruquin@redhat.com
> CC: Adit Ranadive <aditr@vmware.com>
> CC: VMware PV-Drivers <pv-drivers@vmware.com>
> CC: Doug Ledford <dledford@redhat.com>
> CC: Jason Gunthorpe <jgg@ziepe.ca>
> CC: linux-kernel@vger.kernel.org
> Tested-by: Adit Ranadive <aditr@vmware.com>
> Acked-by: Adit Ranadive <aditr@vmware.com>
> ---
> Change notes
> 
> v2)
>  * Move dev_hold in pvrdma_pci_probe to below null check (aditr)
>  * Add dev_puts to probe error path and pvrdma_pci_remove (jgg)
>  * Cleaned up some checkpatch warnings (nhorman)
> ---
>  .../infiniband/hw/vmw_pvrdma/pvrdma_main.c    | 39 ++++++++++++++++++-
>  1 file changed, 37 insertions(+), 2 deletions(-)

Applied to for-next

Thanks,
Jason
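
The lifetime rule described in the quoted commit message, modelled in userspace C as an added example (not the driver's code and not part of this thread): a cached netdev pointer is taken with a reference on a register event and cleared, with the reference dropped, on an unregister event. All type names, function names and slot strings are hypothetical or constructed for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Userspace model; every name here is hypothetical, not the driver's. */
enum nd_event { ND_REGISTER, ND_UNREGISTER };
struct netdev { char slot[16]; int refcnt; };   /* refcnt models dev_hold/dev_put */
struct rdma_dev { char slot[16]; struct netdev *netdev; };  /* cached pointer */

static void nd_hold(struct netdev *nd) { nd->refcnt++; }
static void nd_put(struct netdev *nd)  { nd->refcnt--; }

/* Notifier callback: keep the cached pointer in step with netdev lifetime. */
static void rdma_netdev_event(struct rdma_dev *rd, struct netdev *nd,
                              enum nd_event ev)
{
    if (strcmp(rd->slot, nd->slot) != 0)
        return;                    /* event for an unrelated device */
    if (ev == ND_REGISTER && !rd->netdev) {
        nd_hold(nd);               /* NIC driver loaded, possibly after us */
        rd->netdev = nd;
    } else if (ev == ND_UNREGISTER && rd->netdev == nd) {
        rd->netdev = NULL;         /* forget the pointer before it dangles */
        nd_put(nd);
    }
}

/* Users of the cached pointer must tolerate it being absent. */
static int rdma_has_netdev(const struct rdma_dev *rd) { return rd->netdev != NULL; }

/* Constructed scenario: RDMA side first, NIC later, then NIC unload/reload.
 * Returns 0 when every step behaves, otherwise the failing step number. */
int run_scenario(void)
{
    struct rdma_dev rd = { "0000:0b:00", NULL };
    struct netdev nic = { "0000:0b:00", 1 }, other = { "0000:13:00", 1 };
    struct netdev nic2 = { "0000:0b:00", 1 };

    rdma_netdev_event(&rd, &other, ND_REGISTER);
    if (rdma_has_netdev(&rd) || other.refcnt != 1) return 1;
    rdma_netdev_event(&rd, &nic, ND_REGISTER);      /* late bind */
    if (rd.netdev != &nic || nic.refcnt != 2) return 2;
    rdma_netdev_event(&rd, &nic, ND_UNREGISTER);    /* NIC module removed */
    if (rdma_has_netdev(&rd) || nic.refcnt != 1) return 3;
    rdma_netdev_event(&rd, &nic2, ND_REGISTER);     /* NIC module reloaded */
    if (rd.netdev != &nic2 || nic2.refcnt != 2) return 4;
    return 0;
}

int main(void) { return run_scenario(); }
```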
