From: Simon Horman <horms@kernel.org>
To: Alexander Lobakin <aleksander.lobakin@intel.com>
Cc: nex.sw.ncis.osdt.itp.upstreaming@intel.com,
netdev@vger.kernel.org, linux-kernel@vger.kernel.org,
Eric Dumazet <edumazet@google.com>,
Tony Nguyen <anthony.l.nguyen@intel.com>,
Jakub Kicinski <kuba@kernel.org>,
intel-wired-lan@lists.osuosl.org, Paolo Abeni <pabeni@redhat.com>,
"David S. Miller" <davem@davemloft.net>
Subject: Re: [Intel-wired-lan] [PATCH iwl-net 1/3] idpf: fix memory leaks and crashes while performing a soft reset
Date: Fri, 26 Jul 2024 17:09:54 +0100 [thread overview]
Message-ID: <20240726160954.GO97837@kernel.org> (raw)
In-Reply-To: <20240724134024.2182959-2-aleksander.lobakin@intel.com>
On Wed, Jul 24, 2024 at 03:40:22PM +0200, Alexander Lobakin wrote:
> The second tagged commit introduced a UAF, as it removed restoring
> q_vector->vport pointers after reinitializating the structures.
> This is due to that all queue allocation functions are performed here
> with the new temporary vport structure and those functions rewrite
> the backpointers to the vport. Then, this new struct is freed and
> the pointers start leading to nowhere.
>
> But generally speaking, the current logic is very fragile. It claims
> to be more reliable when the system is low on memory, but in fact, it
> consumes two times more memory as at the moment of running this
> function, there are two vports allocated with their queues and vectors.
> Moreover, it claims to prevent the driver from running into "bad state",
> but in fact, any error during the rebuild leaves the old vport in the
> partially allocated state.
> Finally, if the interface is down when the function is called, it always
> allocates a new queue set, but when the user decides to enable the
> interface later on, vport_open() allocates them once again, IOW there's
> a clear memory leak here.
>
> Just don't allocate a new queue set when performing a reset, that solves
> crashes and memory leaks. Readd the old queue number and reopen the
> interface on rollback - that solves limbo states when the device is left
> disabled and/or without HW queues enabled.
>
> Fixes: 02cbfba1add5 ("idpf: add ethtool callbacks")
> Fixes: e4891e4687c8 ("idpf: split &idpf_queue into 4 strictly-typed queue structures")
> Signed-off-by: Alexander Lobakin <aleksander.lobakin@intel.com>
> ---
> drivers/net/ethernet/intel/idpf/idpf_lib.c | 30 +++++++++++-----------
> 1 file changed, 15 insertions(+), 15 deletions(-)
>
> diff --git a/drivers/net/ethernet/intel/idpf/idpf_lib.c b/drivers/net/ethernet/intel/idpf/idpf_lib.c
...
> @@ -1932,17 +1926,23 @@ int idpf_initiate_soft_reset(struct idpf_vport *vport,
>
> err = idpf_set_real_num_queues(vport);
> if (err)
> - goto err_reset;
> + goto err_open;
>
> if (current_state == __IDPF_VPORT_UP)
> - err = idpf_vport_open(vport, false);
> + err = idpf_vport_open(vport);
>
> kfree(new_vport);
>
> return err;
>
> err_reset:
> - idpf_vport_queues_rel(new_vport);
> + idpf_send_add_queues_msg(vport, vport->num_txq, vport->num_complq,
> + vport->num_rxq, vport->num_bufq);
> +
> +err_open:
> + if (current_state == __IDPF_VPORT_UP)
> + idpf_vport_open(vport);
Hi Alexander,
Can the system end up in an odd state if this call to idpf_vport_open(), or
the one above, fails. Likewise if the above call to
idpf_send_add_queues_msg() fails.
> +
> free_vport:
> kfree(new_vport);
>
...
WARNING: multiple messages have this Message-ID (diff)
From: Simon Horman <horms@kernel.org>
To: Alexander Lobakin <aleksander.lobakin@intel.com>
Cc: intel-wired-lan@lists.osuosl.org,
Tony Nguyen <anthony.l.nguyen@intel.com>,
"David S. Miller" <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>,
Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
nex.sw.ncis.osdt.itp.upstreaming@intel.com,
netdev@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH iwl-net 1/3] idpf: fix memory leaks and crashes while performing a soft reset
Date: Fri, 26 Jul 2024 17:09:54 +0100 [thread overview]
Message-ID: <20240726160954.GO97837@kernel.org> (raw)
In-Reply-To: <20240724134024.2182959-2-aleksander.lobakin@intel.com>
On Wed, Jul 24, 2024 at 03:40:22PM +0200, Alexander Lobakin wrote:
> The second tagged commit introduced a UAF, as it removed restoring
> q_vector->vport pointers after reinitializating the structures.
> This is due to that all queue allocation functions are performed here
> with the new temporary vport structure and those functions rewrite
> the backpointers to the vport. Then, this new struct is freed and
> the pointers start leading to nowhere.
>
> But generally speaking, the current logic is very fragile. It claims
> to be more reliable when the system is low on memory, but in fact, it
> consumes two times more memory as at the moment of running this
> function, there are two vports allocated with their queues and vectors.
> Moreover, it claims to prevent the driver from running into "bad state",
> but in fact, any error during the rebuild leaves the old vport in the
> partially allocated state.
> Finally, if the interface is down when the function is called, it always
> allocates a new queue set, but when the user decides to enable the
> interface later on, vport_open() allocates them once again, IOW there's
> a clear memory leak here.
>
> Just don't allocate a new queue set when performing a reset, that solves
> crashes and memory leaks. Readd the old queue number and reopen the
> interface on rollback - that solves limbo states when the device is left
> disabled and/or without HW queues enabled.
>
> Fixes: 02cbfba1add5 ("idpf: add ethtool callbacks")
> Fixes: e4891e4687c8 ("idpf: split &idpf_queue into 4 strictly-typed queue structures")
> Signed-off-by: Alexander Lobakin <aleksander.lobakin@intel.com>
> ---
> drivers/net/ethernet/intel/idpf/idpf_lib.c | 30 +++++++++++-----------
> 1 file changed, 15 insertions(+), 15 deletions(-)
>
> diff --git a/drivers/net/ethernet/intel/idpf/idpf_lib.c b/drivers/net/ethernet/intel/idpf/idpf_lib.c
...
> @@ -1932,17 +1926,23 @@ int idpf_initiate_soft_reset(struct idpf_vport *vport,
>
> err = idpf_set_real_num_queues(vport);
> if (err)
> - goto err_reset;
> + goto err_open;
>
> if (current_state == __IDPF_VPORT_UP)
> - err = idpf_vport_open(vport, false);
> + err = idpf_vport_open(vport);
>
> kfree(new_vport);
>
> return err;
>
> err_reset:
> - idpf_vport_queues_rel(new_vport);
> + idpf_send_add_queues_msg(vport, vport->num_txq, vport->num_complq,
> + vport->num_rxq, vport->num_bufq);
> +
> +err_open:
> + if (current_state == __IDPF_VPORT_UP)
> + idpf_vport_open(vport);
Hi Alexander,
Can the system end up in an odd state if this call to idpf_vport_open(), or
the one above, fails. Likewise if the above call to
idpf_send_add_queues_msg() fails.
> +
> free_vport:
> kfree(new_vport);
>
...
next prev parent reply other threads:[~2024-07-26 16:10 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-07-24 13:40 [Intel-wired-lan] [PATCH iwl-net 0/3] idpf: fix 3 bugs revealed by the Chapter I Alexander Lobakin
2024-07-24 13:40 ` Alexander Lobakin
2024-07-24 13:40 ` [Intel-wired-lan] [PATCH iwl-net 1/3] idpf: fix memory leaks and crashes while performing a soft reset Alexander Lobakin
2024-07-24 13:40 ` Alexander Lobakin
2024-07-26 16:09 ` Simon Horman [this message]
2024-07-26 16:09 ` Simon Horman
2024-07-29 8:54 ` [Intel-wired-lan] " Alexander Lobakin
2024-07-29 8:54 ` Alexander Lobakin
2024-07-30 11:03 ` [Intel-wired-lan] " Simon Horman
2024-07-30 11:03 ` Simon Horman
2024-07-30 16:37 ` [Intel-wired-lan] " Simon Horman
2024-07-30 16:37 ` Simon Horman
2024-08-02 0:21 ` [Intel-wired-lan] " Singh, Krishneil K
2024-08-02 0:21 ` Singh, Krishneil K
2024-07-24 13:40 ` [Intel-wired-lan] [PATCH iwl-net 2/3] idpf: fix memleak in vport interrupt configuration Alexander Lobakin
2024-07-24 13:40 ` Alexander Lobakin
2024-07-26 16:16 ` [Intel-wired-lan] " Simon Horman
2024-07-26 16:16 ` Simon Horman
2024-08-02 0:22 ` [Intel-wired-lan] " Singh, Krishneil K
2024-08-02 0:22 ` Singh, Krishneil K
2024-07-24 13:40 ` [Intel-wired-lan] [PATCH iwl-net 3/3] idpf: fix UAFs when destroying the queues Alexander Lobakin
2024-07-24 13:40 ` Alexander Lobakin
2024-07-26 16:22 ` [Intel-wired-lan] " Simon Horman
2024-07-26 16:22 ` Simon Horman
2024-08-02 0:23 ` [Intel-wired-lan] " Singh, Krishneil K
2024-08-02 0:23 ` Singh, Krishneil K
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240726160954.GO97837@kernel.org \
--to=horms@kernel.org \
--cc=aleksander.lobakin@intel.com \
--cc=anthony.l.nguyen@intel.com \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=intel-wired-lan@lists.osuosl.org \
--cc=kuba@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=nex.sw.ncis.osdt.itp.upstreaming@intel.com \
--cc=pabeni@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.