From: Simon Horman <horms@kernel.org>
To: Jacob Keller <jacob.e.keller@intel.com>
Cc: Anthony Nguyen <anthony.l.nguyen@intel.com>,
Intel Wired LAN <intel-wired-lan@lists.osuosl.org>,
Aleksandr Loktionov <aleksandr.loktionov@intel.com>,
vgrinber@redhat.com, netdev@vger.kernel.org
Subject: Re: [Intel-wired-lan] [PATCH iwl-net 1/2] ice: fix double-call to ice_deinit_hw() during probe failure
Date: Fri, 18 Jul 2025 17:50:57 +0100 [thread overview]
Message-ID: <20250718165057.GJ2459@horms.kernel.org> (raw)
In-Reply-To: <20250717-jk-ddp-safe-mode-issue-v1-1-e113b2baed79@intel.com>
On Thu, Jul 17, 2025 at 09:57:08AM -0700, Jacob Keller wrote:
> The following (and similar) KFENCE bugs have recently been found occurring
> during certain error flows of the ice_probe() function:
>
> kernel: ==================================================================
> kernel: BUG: KFENCE: use-after-free read in ice_cleanup_fltr_mgmt_struct+0x1d
> kernel: Use-after-free read at 0x00000000e72fe5ed (in kfence-#223):
> kernel: ice_cleanup_fltr_mgmt_struct+0x1d/0x200 [ice]
> kernel: ice_deinit_hw+0x1e/0x60 [ice]
> kernel: ice_probe+0x245/0x2e0 [ice]
> kernel:
> kernel: kfence-#223: <..snip..>
> kernel: allocated by task 7553 on cpu 0 at 2243.527621s (198.108303s ago):
> kernel: devm_kmalloc+0x57/0x120
> kernel: ice_init_hw+0x491/0x8e0 [ice]
> kernel: ice_probe+0x203/0x2e0 [ice]
> kernel:
> kernel: freed by task 7553 on cpu 0 at 2441.509158s (0.175707s ago):
> kernel: ice_deinit_hw+0x1e/0x60 [ice]
> kernel: ice_init+0x1ad/0x570 [ice]
> kernel: ice_probe+0x22b/0x2e0 [ice]
> kernel:
> kernel: ==================================================================
>
> These occur as the result of a double-call to ice_deinit_hw(). This double
> call happens if ice_init() fails at any point after calling
> ice_init_dev().
>
> Upon errors, ice_init() calls ice_deinit_dev(), which is supposed to be the
> inverse of ice_init_dev(). However, currently ice_init_dev() does not call
> ice_init_hw(). Instead, ice_init_hw() is called by ice_probe(). Thus,
> ice_probe() itself calls ice_deinit_hw() as part of its error cleanup
> logic.
>
> This results in two calls to ice_deinit_hw() which results in straight
> forward use-after-free violations due to double calling kfree and other
> cleanup functions.
>
> To avoid this double call, move the call to ice_init_hw() into
> ice_init_dev(), and remove the now logically unnecessary cleanup from
> ice_probe(). This is simpler than the alternative of moving ice_deinit_hw()
> *out* of ice_deinit_dev().
>
> Moving the calls to ice_deinit_hw() requires validating all cleanup paths,
> and changing significantly more code. Moving the calls of ice_init_hw()
> requires only validating that the new placement is still prior to all HW
> structure accesses.
>
> For ice_probe(), this now delays ice_init_hw() from before
> ice_adapter_get() to just after it. This is safe, as ice_adapter_get() does
> not rely on the HW structure.
>
> For ice_devlink_reinit_up(), the ice_init_hw() is now called after
> ice_set_min_max_msix(). This is also safe as that function does not access
> the HW structure either.
>
> This flow makes more logical sense, as ice_init_dev() is mirrored by
> ice_deinit_dev(), so it reasonably should be the caller of ice_init_hw().
> It also reduces one extra call to ice_init_hw() since both ice_probe() and
> ice_devlink_reinit_up() call ice_init_dev().
>
> This resolves the double-free and avoids memory corruption and other
> invalid memory accesses in the event of a failed probe.
>
> Fixes: 5b246e533d01 ("ice: split probe into smaller functions")
> Signed-off-by: Jacob Keller <jacob.e.keller@intel.com>
Thanks for the detailed explanation.
Reviewed-by: Simon Horman <horms@kernel.org>
WARNING: multiple messages have this Message-ID (diff)
From: Simon Horman <horms@kernel.org>
To: Jacob Keller <jacob.e.keller@intel.com>
Cc: Anthony Nguyen <anthony.l.nguyen@intel.com>,
Intel Wired LAN <intel-wired-lan@lists.osuosl.org>,
Aleksandr Loktionov <aleksandr.loktionov@intel.com>,
vgrinber@redhat.com, netdev@vger.kernel.org
Subject: Re: [PATCH iwl-net 1/2] ice: fix double-call to ice_deinit_hw() during probe failure
Date: Fri, 18 Jul 2025 17:50:57 +0100 [thread overview]
Message-ID: <20250718165057.GJ2459@horms.kernel.org> (raw)
In-Reply-To: <20250717-jk-ddp-safe-mode-issue-v1-1-e113b2baed79@intel.com>
On Thu, Jul 17, 2025 at 09:57:08AM -0700, Jacob Keller wrote:
> The following (and similar) KFENCE bugs have recently been found occurring
> during certain error flows of the ice_probe() function:
>
> kernel: ==================================================================
> kernel: BUG: KFENCE: use-after-free read in ice_cleanup_fltr_mgmt_struct+0x1d
> kernel: Use-after-free read at 0x00000000e72fe5ed (in kfence-#223):
> kernel: ice_cleanup_fltr_mgmt_struct+0x1d/0x200 [ice]
> kernel: ice_deinit_hw+0x1e/0x60 [ice]
> kernel: ice_probe+0x245/0x2e0 [ice]
> kernel:
> kernel: kfence-#223: <..snip..>
> kernel: allocated by task 7553 on cpu 0 at 2243.527621s (198.108303s ago):
> kernel: devm_kmalloc+0x57/0x120
> kernel: ice_init_hw+0x491/0x8e0 [ice]
> kernel: ice_probe+0x203/0x2e0 [ice]
> kernel:
> kernel: freed by task 7553 on cpu 0 at 2441.509158s (0.175707s ago):
> kernel: ice_deinit_hw+0x1e/0x60 [ice]
> kernel: ice_init+0x1ad/0x570 [ice]
> kernel: ice_probe+0x22b/0x2e0 [ice]
> kernel:
> kernel: ==================================================================
>
> These occur as the result of a double-call to ice_deinit_hw(). This double
> call happens if ice_init() fails at any point after calling
> ice_init_dev().
>
> Upon errors, ice_init() calls ice_deinit_dev(), which is supposed to be the
> inverse of ice_init_dev(). However, currently ice_init_dev() does not call
> ice_init_hw(). Instead, ice_init_hw() is called by ice_probe(). Thus,
> ice_probe() itself calls ice_deinit_hw() as part of its error cleanup
> logic.
>
> This results in two calls to ice_deinit_hw() which results in straight
> forward use-after-free violations due to double calling kfree and other
> cleanup functions.
>
> To avoid this double call, move the call to ice_init_hw() into
> ice_init_dev(), and remove the now logically unnecessary cleanup from
> ice_probe(). This is simpler than the alternative of moving ice_deinit_hw()
> *out* of ice_deinit_dev().
>
> Moving the calls to ice_deinit_hw() requires validating all cleanup paths,
> and changing significantly more code. Moving the calls of ice_init_hw()
> requires only validating that the new placement is still prior to all HW
> structure accesses.
>
> For ice_probe(), this now delays ice_init_hw() from before
> ice_adapter_get() to just after it. This is safe, as ice_adapter_get() does
> not rely on the HW structure.
>
> For ice_devlink_reinit_up(), the ice_init_hw() is now called after
> ice_set_min_max_msix(). This is also safe as that function does not access
> the HW structure either.
>
> This flow makes more logical sense, as ice_init_dev() is mirrored by
> ice_deinit_dev(), so it reasonably should be the caller of ice_init_hw().
> It also reduces one extra call to ice_init_hw() since both ice_probe() and
> ice_devlink_reinit_up() call ice_init_dev().
>
> This resolves the double-free and avoids memory corruption and other
> invalid memory accesses in the event of a failed probe.
>
> Fixes: 5b246e533d01 ("ice: split probe into smaller functions")
> Signed-off-by: Jacob Keller <jacob.e.keller@intel.com>
Thanks for the detailed explanation.
Reviewed-by: Simon Horman <horms@kernel.org>
next prev parent reply other threads:[~2025-07-18 16:51 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-07-17 16:57 [Intel-wired-lan] [PATCH iwl-net 0/2] ice: fix issues with loading certain older DDP packages Jacob Keller
2025-07-17 16:57 ` Jacob Keller
2025-07-17 16:57 ` [Intel-wired-lan] [PATCH iwl-net 1/2] ice: fix double-call to ice_deinit_hw() during probe failure Jacob Keller
2025-07-17 16:57 ` Jacob Keller
2025-07-18 16:50 ` Simon Horman [this message]
2025-07-18 16:50 ` Simon Horman
2025-07-21 15:00 ` [Intel-wired-lan] " Loktionov, Aleksandr
2025-07-21 15:00 ` Loktionov, Aleksandr
2025-08-18 10:27 ` [Intel-wired-lan] " Przemek Kitszel
2025-08-18 10:27 ` Przemek Kitszel
2025-08-18 22:38 ` [Intel-wired-lan] " Jacob Keller
2025-08-18 22:38 ` Jacob Keller
2025-08-18 16:21 ` [Intel-wired-lan] " Rinitha, SX
2025-08-18 16:21 ` Rinitha, SX
2025-07-17 16:57 ` [Intel-wired-lan] [PATCH iwl-net 2/2] ice: don't leave device non-functional if Tx scheduler config fails Jacob Keller
2025-07-17 16:57 ` Jacob Keller
2025-07-18 16:50 ` [Intel-wired-lan] " Simon Horman
2025-07-18 16:50 ` Simon Horman
2025-07-18 19:56 ` [Intel-wired-lan] " Jacob Keller
2025-07-18 19:56 ` Jacob Keller
2025-07-18 20:08 ` [Intel-wired-lan] " Simon Horman
2025-07-18 20:08 ` Simon Horman
2025-08-18 16:21 ` [Intel-wired-lan] " Rinitha, SX
2025-08-18 16:21 ` Rinitha, SX
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250718165057.GJ2459@horms.kernel.org \
--to=horms@kernel.org \
--cc=aleksandr.loktionov@intel.com \
--cc=anthony.l.nguyen@intel.com \
--cc=intel-wired-lan@lists.osuosl.org \
--cc=jacob.e.keller@intel.com \
--cc=netdev@vger.kernel.org \
--cc=vgrinber@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.