diff for duplicates of <20260323134535.806303704@linuxfoundation.org> diff --git a/a/1.txt b/N1/1.txt index 6911a86..25b6a52 100644 --- a/a/1.txt +++ b/N1/1.txt @@ -1,65 +1,48 @@ -6.6-stable review patch. If anyone has any objections, please let me know. +6.1-stable review patch. If anyone has any objections, please let me know. ------------------ -From: Mario Limonciello <mario.limonciello@amd.com> +From: Pablo Neira Ayuso <pablo@netfilter.org> -[ Upstream commit f7afda7fcd169a9168695247d07ad94cf7b9798f ] +[ Upstream commit d73f4b53aaaea4c95f245e491aa5eeb8a21874ce ] -The commit 6a23e7b4332c ("drm/amd: Clean up kfd node on surprise -disconnect") introduced early KFD cleanup when drm_dev_is_unplugged() -returns true. However, this causes hangs during normal module unload -(rmmod amdgpu). +Call synchronize_rcu() after unregistering the hooks from error path, +since a hook that already refers to this flowtable can be already +registered, exposing this flowtable to packet path and nfnetlink_hook +control plane. -The issue occurs because drm_dev_unplug() is called in amdgpu_pci_remove() -for all removal scenarios, not just surprise disconnects. This was done -intentionally in commit 39934d3ed572 ("Revert "drm/amdgpu: TA unload -messages are not actually sent to psp when amdgpu is uninstalled"") to -fix IGT PCI software unplug test failures. As a result, -drm_dev_is_unplugged() returns true even during normal module unload, -triggering the early KFD cleanup inappropriately. +This error path is rare, it should only happen by reaching the maximum +number hooks or by failing to set up to hardware offload, just call +synchronize_rcu(). -The correct check should distinguish between: -- Actual surprise disconnect (eGPU unplugged): pci_dev_is_disconnected() - returns true -- Normal module unload (rmmod): pci_dev_is_disconnected() returns false +There is a check for already used device hooks by different flowtable +that could result in EEXIST at this late stage. The hook parser can be +updated to perform this check earlier to this error path really becomes +rarely exercised. -Replace drm_dev_is_unplugged() with pci_dev_is_disconnected() to ensure -the early cleanup only happens during true hardware disconnect events. +Uncovered by KASAN reported as use-after-free from nfnetlink_hook path +when dumping hooks. -Cc: stable@vger.kernel.org -Reported-by: Cal Peake <cp@absolutedigital.net> -Closes: https://lore.kernel.org/all/b0c22deb-c0fa-3343-33cf-fd9a77d7db99@absolutedigital.net/ -Fixes: 6a23e7b4332c ("drm/amd: Clean up kfd node on surprise disconnect") -Acked-by: Alex Deucher <alexander.deucher@amd.com> -Signed-off-by: Mario Limonciello <mario.limonciello@amd.com> -Signed-off-by: Alex Deucher <alexander.deucher@amd.com> +Fixes: 3b49e2e94e6e ("netfilter: nf_tables: add flow table netlink frontend") +Reported-by: Yiming Qian <yimingqian591@gmail.com> +Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> +Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Sasha Levin <sashal@kernel.org> --- - drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c -index 9481d450809b5..1251303b52d21 100644 ---- a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c -+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c -@@ -4034,7 +4034,7 @@ void amdgpu_device_fini_hw(struct amdgpu_device *adev) - * before ip_fini_early to prevent kfd locking refcount issues by calling - * amdgpu_amdkfd_suspend() - */ -- if (drm_dev_is_unplugged(adev_to_drm(adev))) -+ if (pci_dev_is_disconnected(adev->pdev)) - amdgpu_amdkfd_device_fini_sw(adev); - - amdgpu_device_ip_fini_early(adev); -@@ -4046,7 +4046,7 @@ void amdgpu_device_fini_hw(struct amdgpu_device *adev) - - amdgpu_gart_dummy_page_fini(adev); - -- if (drm_dev_is_unplugged(adev_to_drm(adev))) -+ if (pci_dev_is_disconnected(adev->pdev)) - amdgpu_device_unmap_mmio(adev); + net/netfilter/nf_tables_api.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index ac36183956515..11a5d5d715d56 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -8279,6 +8279,7 @@ static int nf_tables_newflowtable(struct sk_buff *skb, + return 0; - } + err_flowtable_hooks: ++ synchronize_rcu(); + nft_trans_destroy(trans); + err_flowtable_trans: + nft_hooks_destroy(&flowtable->hook_list); -- 2.51.0 diff --git a/a/content_digest b/N1/content_digest index a0196a4..5c77252 100644 --- a/a/content_digest +++ b/N1/content_digest @@ -1,80 +1,63 @@ - "ref\020260323134533.749096647@linuxfoundation.org\0" + "ref\020260323134525.256603107@linuxfoundation.org\0" "From\0Greg Kroah-Hartman <gregkh@linuxfoundation.org>\0" - "Subject\0[PATCH 6.6 080/567] drm/amd: Fix hang on amdgpu unload by using pci_dev_is_disconnected()\0" - "Date\0Mon, 23 Mar 2026 14:40:00 +0100\0" + "Subject\0[PATCH 6.1 435/481] netfilter: nf_tables: release flowtable after rcu grace period on error\0" + "Date\0Mon, 23 Mar 2026 14:46:57 +0100\0" "To\0stable@vger.kernel.org\0" "Cc\0Greg Kroah-Hartman <gregkh@linuxfoundation.org>" patches@lists.linux.dev - Cal Peake <cp@absolutedigital.net> - Alex Deucher <alexander.deucher@amd.com> - Mario Limonciello <mario.limonciello@amd.com> + Yiming Qian <yimingqian591@gmail.com> + Pablo Neira Ayuso <pablo@netfilter.org> + Florian Westphal <fw@strlen.de> " Sasha Levin <sashal@kernel.org>\0" "\00:1\0" "b\0" - "6.6-stable review patch. If anyone has any objections, please let me know.\n" + "6.1-stable review patch. If anyone has any objections, please let me know.\n" "\n" "------------------\n" "\n" - "From: Mario Limonciello <mario.limonciello@amd.com>\n" + "From: Pablo Neira Ayuso <pablo@netfilter.org>\n" "\n" - "[ Upstream commit f7afda7fcd169a9168695247d07ad94cf7b9798f ]\n" + "[ Upstream commit d73f4b53aaaea4c95f245e491aa5eeb8a21874ce ]\n" "\n" - "The commit 6a23e7b4332c (\"drm/amd: Clean up kfd node on surprise\n" - "disconnect\") introduced early KFD cleanup when drm_dev_is_unplugged()\n" - "returns true. However, this causes hangs during normal module unload\n" - "(rmmod amdgpu).\n" + "Call synchronize_rcu() after unregistering the hooks from error path,\n" + "since a hook that already refers to this flowtable can be already\n" + "registered, exposing this flowtable to packet path and nfnetlink_hook\n" + "control plane.\n" "\n" - "The issue occurs because drm_dev_unplug() is called in amdgpu_pci_remove()\n" - "for all removal scenarios, not just surprise disconnects. This was done\n" - "intentionally in commit 39934d3ed572 (\"Revert \"drm/amdgpu: TA unload\n" - "messages are not actually sent to psp when amdgpu is uninstalled\"\") to\n" - "fix IGT PCI software unplug test failures. As a result,\n" - "drm_dev_is_unplugged() returns true even during normal module unload,\n" - "triggering the early KFD cleanup inappropriately.\n" + "This error path is rare, it should only happen by reaching the maximum\n" + "number hooks or by failing to set up to hardware offload, just call\n" + "synchronize_rcu().\n" "\n" - "The correct check should distinguish between:\n" - "- Actual surprise disconnect (eGPU unplugged): pci_dev_is_disconnected()\n" - " returns true\n" - "- Normal module unload (rmmod): pci_dev_is_disconnected() returns false\n" + "There is a check for already used device hooks by different flowtable\n" + "that could result in EEXIST at this late stage. The hook parser can be\n" + "updated to perform this check earlier to this error path really becomes\n" + "rarely exercised.\n" "\n" - "Replace drm_dev_is_unplugged() with pci_dev_is_disconnected() to ensure\n" - "the early cleanup only happens during true hardware disconnect events.\n" + "Uncovered by KASAN reported as use-after-free from nfnetlink_hook path\n" + "when dumping hooks.\n" "\n" - "Cc: stable@vger.kernel.org\n" - "Reported-by: Cal Peake <cp@absolutedigital.net>\n" - "Closes: https://lore.kernel.org/all/b0c22deb-c0fa-3343-33cf-fd9a77d7db99@absolutedigital.net/\n" - "Fixes: 6a23e7b4332c (\"drm/amd: Clean up kfd node on surprise disconnect\")\n" - "Acked-by: Alex Deucher <alexander.deucher@amd.com>\n" - "Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>\n" - "Signed-off-by: Alex Deucher <alexander.deucher@amd.com>\n" + "Fixes: 3b49e2e94e6e (\"netfilter: nf_tables: add flow table netlink frontend\")\n" + "Reported-by: Yiming Qian <yimingqian591@gmail.com>\n" + "Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>\n" + "Signed-off-by: Florian Westphal <fw@strlen.de>\n" "Signed-off-by: Sasha Levin <sashal@kernel.org>\n" "---\n" - " drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 4 ++--\n" - " 1 file changed, 2 insertions(+), 2 deletions(-)\n" - "\n" - "diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c\n" - "index 9481d450809b5..1251303b52d21 100644\n" - "--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c\n" - "+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c\n" - "@@ -4034,7 +4034,7 @@ void amdgpu_device_fini_hw(struct amdgpu_device *adev)\n" - " \t * before ip_fini_early to prevent kfd locking refcount issues by calling\n" - " \t * amdgpu_amdkfd_suspend()\n" - " \t */\n" - "-\tif (drm_dev_is_unplugged(adev_to_drm(adev)))\n" - "+\tif (pci_dev_is_disconnected(adev->pdev))\n" - " \t\tamdgpu_amdkfd_device_fini_sw(adev);\n" - " \n" - " \tamdgpu_device_ip_fini_early(adev);\n" - "@@ -4046,7 +4046,7 @@ void amdgpu_device_fini_hw(struct amdgpu_device *adev)\n" - " \n" - " \tamdgpu_gart_dummy_page_fini(adev);\n" - " \n" - "-\tif (drm_dev_is_unplugged(adev_to_drm(adev)))\n" - "+\tif (pci_dev_is_disconnected(adev->pdev))\n" - " \t\tamdgpu_device_unmap_mmio(adev);\n" + " net/netfilter/nf_tables_api.c | 1 +\n" + " 1 file changed, 1 insertion(+)\n" + "\n" + "diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c\n" + "index ac36183956515..11a5d5d715d56 100644\n" + "--- a/net/netfilter/nf_tables_api.c\n" + "+++ b/net/netfilter/nf_tables_api.c\n" + "@@ -8279,6 +8279,7 @@ static int nf_tables_newflowtable(struct sk_buff *skb,\n" + " \treturn 0;\n" " \n" - " }\n" + " err_flowtable_hooks:\n" + "+\tsynchronize_rcu();\n" + " \tnft_trans_destroy(trans);\n" + " err_flowtable_trans:\n" + " \tnft_hooks_destroy(&flowtable->hook_list);\n" "-- \n" 2.51.0 -98a582f707b0eb487d304e0a54fc18ac8319665ad10c592db8c59f7086d8a816 +fa5520b650cc54120da8d0e2b0fc2163debb3ee358a3e50af1f4c4bc8d895632
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.