From: Saeed Mahameed <saeed@kernel.org>
To: "David S. Miller" <davem@davemloft.net>,
	Jakub Kicinski <kuba@kernel.org>
Cc: netdev@vger.kernel.org, Leon Romanovsky <leonro@nvidia.com>,
	Tariq Toukan <tariqt@nvidia.com>,
	Maxim Mikityanskiy <maximmi@nvidia.com>,
	Saeed Mahameed <saeedm@nvidia.com>
Subject: [net 05/12] net/mlx5e: Destroy page pool after XDP SQ to fix use-after-free
Date: Mon,  9 Aug 2021 20:59:16 -0700
Message-ID: <20210810035923.345745-6-saeed@kernel.org>
In-Reply-To: <20210810035923.345745-1-saeed@kernel.org>

From: Maxim Mikityanskiy <maximmi@nvidia.com>

mlx5e_close_xdpsq does the cleanup: it calls mlx5e_free_xdpsq_descs to
free the outstanding descriptors, which relies on
mlx5e_page_release_dynamic and page_pool_release_page. However,
page_pool_destroy is already called by this point, because
mlx5e_close_rq runs before mlx5e_close_xdpsq.

This commit fixes the use-after-free by swapping mlx5e_close_xdpsq and
mlx5e_close_rq.

The commit cited below started calling page_pool_destroy directly from
the driver. Previously, the page pool was destroyed under a call_rcu
from xdp_rxq_info_unreg_mem_model, which would defer the deallocation
until after the XDPSQ is cleaned up.

Fixes: 1da4bbeffe41 ("net: core: page_pool: add user refcnt and reintroduce page_pool_destroy")
Signed-off-by: Maxim Mikityanskiy <maximmi@nvidia.com>
Reviewed-by: Tariq Toukan <tariqt@nvidia.com>
Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
---
 .../net/ethernet/mellanox/mlx5/core/en_main.c | 20 +++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
index 37c440837945..fd250f7bcd88 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
@@ -1891,30 +1891,30 @@ static int mlx5e_open_queues(struct mlx5e_channel *c,
 	if (err)
 		goto err_close_icosq;
 
+	err = mlx5e_open_rxq_rq(c, params, &cparam->rq);
+	if (err)
+		goto err_close_sqs;
+
 	if (c->xdp) {
 		err = mlx5e_open_xdpsq(c, params, &cparam->xdp_sq, NULL,
 				       &c->rq_xdpsq, false);
 		if (err)
-			goto err_close_sqs;
+			goto err_close_rq;
 	}
 
-	err = mlx5e_open_rxq_rq(c, params, &cparam->rq);
-	if (err)
-		goto err_close_xdp_sq;
-
 	err = mlx5e_open_xdpsq(c, params, &cparam->xdp_sq, NULL, &c->xdpsq, true);
 	if (err)
-		goto err_close_rq;
+		goto err_close_xdp_sq;
 
 	return 0;
 
-err_close_rq:
-	mlx5e_close_rq(&c->rq);
-
 err_close_xdp_sq:
 	if (c->xdp)
 		mlx5e_close_xdpsq(&c->rq_xdpsq);
 
+err_close_rq:
+	mlx5e_close_rq(&c->rq);
+
 err_close_sqs:
 	mlx5e_close_sqs(c);
 
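Review bot: the label err_close_xdp_sq, in the unwind path at the end of this hunk, is ambiguous now that it is the target for a failure to open c->xdpsq while the code under it closes c->rq_xdpsq. Renaming it to something like err_close_rq_xdpsq would make it obvious which of the two XDP SQs is torn down there. The unwind order itself (rq_xdpsq, then rq, then sqs) is the reverse of the new open order, and the c->xdp guard correctly covers the case where rq_xdpsq was never opened. A one-line comment above the mlx5e_open_rxq_rq call saying the RQ must be opened before rq_xdpsq, because per the commit message closing the RQ is what destroys the page pool, would help keep a later reordering from reintroducing the bug.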
@@ -1949,9 +1949,9 @@ static int mlx5e_open_queues(struct mlx5e_channel *c,
 static void mlx5e_close_queues(struct mlx5e_channel *c)
 {
 	mlx5e_close_xdpsq(&c->xdpsq);
-	mlx5e_close_rq(&c->rq);
 	if (c->xdp)
 		mlx5e_close_xdpsq(&c->rq_xdpsq);
+	mlx5e_close_rq(&c->rq);
 	mlx5e_close_sqs(c);
 	mlx5e_close_icosq(&c->icosq);
 	mlx5e_close_icosq(&c->async_icosq);
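Review bot: in mlx5e_close_queues the requirement that mlx5e_close_rq(&c->rq) runs after mlx5e_close_xdpsq(&c->rq_xdpsq) is now load-bearing, but nothing in the code says so. Please add a short comment above the moved mlx5e_close_rq call noting that, per the commit message, mlx5e_free_xdpsq_descs still releases pages through the page pool, so the RQ (whose close destroys the pool) has to go last among these. Without it the sequence reads as an arbitrary order and is easy to shuffle again in a later cleanup. The resulting close order does mirror the reverse of the open order in the hunk above, which is good.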
-- 
2.31.1

