From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Juergen Gross <jgross@suse.com>,
Jan Beulich <jbeulich@suse.com>, Paul Durrant <paul@xen.org>,
Jakub Kicinski <kuba@kernel.org>
Subject: [PATCH 5.4 06/71] xen/netback: avoid entering xenvif_rx_next_skb() with an empty rx queue
Date: Tue, 19 Jul 2022 13:53:29 +0200
Message-ID: <20220719114552.941821660@linuxfoundation.org>
In-Reply-To: <20220719114552.477018590@linuxfoundation.org>
From: Juergen Gross <jgross@suse.com>

commit 94e8100678889ab428e68acadf042de723f094b9 upstream.

xenvif_rx_next_skb() is expecting the rx queue not being empty, but
in case the loop in xenvif_rx_action() is doing multiple iterations,
the availability of another skb in the rx queue is not being checked.
This can lead to crashes:
[40072.537261] BUG: unable to handle kernel NULL pointer dereference at 0000000000000080
[40072.537407] IP: xenvif_rx_skb+0x23/0x590 [xen_netback]
[40072.537534] PGD 0 P4D 0
[40072.537644] Oops: 0000 [#1] SMP NOPTI
[40072.537749] CPU: 0 PID: 12505 Comm: v1-c40247-q2-gu Not tainted 4.12.14-122.121-default #1 SLE12-SP5
[40072.537867] Hardware name: HP ProLiant DL580 Gen9/ProLiant DL580 Gen9, BIOS U17 11/23/2021
[40072.537999] task: ffff880433b38100 task.stack: ffffc90043d40000
[40072.538112] RIP: e030:xenvif_rx_skb+0x23/0x590 [xen_netback]
[40072.538217] RSP: e02b:ffffc90043d43de0 EFLAGS: 00010246
[40072.538319] RAX: 0000000000000000 RBX: ffffc90043cd7cd0 RCX: 00000000000000f7
[40072.538430] RDX: 0000000000000000 RSI: 0000000000000006 RDI: ffffc90043d43df8
[40072.538531] RBP: 000000000000003f R08: 000077ff80000000 R09: 0000000000000008
[40072.538644] R10: 0000000000007ff0 R11: 00000000000008f6 R12: ffffc90043ce2708
[40072.538745] R13: 0000000000000000 R14: ffffc90043d43ed0 R15: ffff88043ea748c0
[40072.538861] FS: 0000000000000000(0000) GS:ffff880484600000(0000) knlGS:0000000000000000
[40072.538988] CS: e033 DS: 0000 ES: 0000 CR0: 0000000080050033
[40072.539088] CR2: 0000000000000080 CR3: 0000000407ac8000 CR4: 0000000000040660
[40072.539211] Call Trace:
[40072.539319] xenvif_rx_action+0x71/0x90 [xen_netback]
[40072.539429] xenvif_kthread_guest_rx+0x14a/0x29c [xen_netback]

Fix that by stopping the loop in case the rx queue becomes empty.

Cc: stable@vger.kernel.org
Fixes: 98f6d57ced73 ("xen-netback: process guest rx packets in batches")
Signed-off-by: Juergen Gross <jgross@suse.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Paul Durrant <paul@xen.org>
Link: https://lore.kernel.org/r/20220713135322.19616-1-jgross@suse.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/xen-netback/rx.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/net/xen-netback/rx.c
+++ b/drivers/net/xen-netback/rx.c
@@ -482,6 +482,7 @@ void xenvif_rx_action(struct xenvif_queu
queue->rx_copy.completed = &completed_skbs;
while (xenvif_rx_ring_slots_available(queue) &&
+ !skb_queue_empty(&queue->rx_queue) &&
work_done < RX_BATCH_SIZE) {
xenvif_rx_skb(queue);
work_done++;
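Review bot: The new `!skb_queue_empty(&queue->rx_queue)` term in the while condition protects only this call site, so the requirement that the rx queue be non-empty before xenvif_rx_skb(queue) runs stays implicit. A short comment above the loop stating that precondition would help. Alternatively, the dequeue path could tolerate an empty queue and return early, so that a later caller or a reordering of the loop condition cannot reintroduce the NULL dereference shown in the oops. It is also worth confirming in the changelog that nothing else can drain rx_queue between this check and the dequeue inside xenvif_rx_skb(), since the check and the dequeue are separate steps.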