From: Haiyang Zhang <haiyangz@microsoft.com>
To: linux-hyperv@vger.kernel.org, netdev@vger.kernel.org
Cc: haiyangz@microsoft.com, decui@microsoft.com, kys@microsoft.com,
paulros@microsoft.com, olaf@aepfle.de, vkuznets@redhat.com,
davem@davemloft.net, linux-kernel@vger.kernel.org,
stable@vger.kernel.org
Subject: [PATCH net, 2/2] net: mana: Fix accessing freed irq affinity_hint
Date: Thu, 26 Jan 2023 13:04:45 -0800 [thread overview]
Message-ID: <1674767085-18583-3-git-send-email-haiyangz@microsoft.com> (raw)
In-Reply-To: <1674767085-18583-1-git-send-email-haiyangz@microsoft.com>
After calling irq_set_affinity_and_hint(), the cpumask pointer is
saved in desc->affinity_hint, and will be used later when reading
/proc/irq/<num>/affinity_hint. So the cpumask variable needs to be
allocated per irq, and available until freeing the irq. Otherwise,
we are accessing freed memory when reading the affinity_hint file.
To fix the bug, allocate the cpumask per irq, and free it just
before freeing the irq.
Cc: stable@vger.kernel.org
Fixes: 71fa6887eeca ("net: mana: Assign interrupts to CPUs based on NUMA nodes")
Signed-off-by: Haiyang Zhang <haiyangz@microsoft.com>
---
.../net/ethernet/microsoft/mana/gdma_main.c | 40 ++++++++++---------
include/net/mana/gdma.h | 1 +
2 files changed, 23 insertions(+), 18 deletions(-)
diff --git a/drivers/net/ethernet/microsoft/mana/gdma_main.c b/drivers/net/ethernet/microsoft/mana/gdma_main.c
index 3bae9d4c1f08..37473ae3859c 100644
--- a/drivers/net/ethernet/microsoft/mana/gdma_main.c
+++ b/drivers/net/ethernet/microsoft/mana/gdma_main.c
@@ -1219,7 +1219,6 @@ static int mana_gd_setup_irqs(struct pci_dev *pdev)
struct gdma_irq_context *gic;
unsigned int max_irqs;
u16 *cpus;
- cpumask_var_t req_mask;
int nvec, irq;
int err, i = 0, j;
@@ -1240,25 +1239,26 @@ static int mana_gd_setup_irqs(struct pci_dev *pdev)
goto free_irq_vector;
}
- if (!zalloc_cpumask_var(&req_mask, GFP_KERNEL)) {
- err = -ENOMEM;
- goto free_irq;
- }
-
cpus = kcalloc(nvec, sizeof(*cpus), GFP_KERNEL);
if (!cpus) {
err = -ENOMEM;
- goto free_mask;
+ goto free_gic;
}
for (i = 0; i < nvec; i++)
cpus[i] = cpumask_local_spread(i, gc->numa_node);
for (i = 0; i < nvec; i++) {
- cpumask_set_cpu(cpus[i], req_mask);
gic = &gc->irq_contexts[i];
gic->handler = NULL;
gic->arg = NULL;
+ if (!zalloc_cpumask_var(&gic->cpu_hint, GFP_KERNEL)) {
+ err = -ENOMEM;
+ goto free_irq;
+ }
+
+ cpumask_set_cpu(cpus[i], gic->cpu_hint);
+
if (!i)
snprintf(gic->name, MANA_IRQ_NAME_SZ, "mana_hwc@pci:%s",
pci_name(pdev));
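Review bot: Each mask allocated in this loop only ever holds one bit (`cpumask_set_cpu(cpus[i], gic->cpu_hint)`), so the per-irq `zalloc_cpumask_var()` and its lifetime tracking could be avoided. Passing the kernel's constant single-CPU mask in the call in the next hunk, `irq_set_affinity_and_hint(irq, cpumask_of(cpus[i]));`, hands the irq core a pointer that is never freed, so the hint cannot dangle. With that, the `free_cpumask_var()` calls in the later hunks (both error branches inside the loop, the `free_irq:` unwind and `mana_gd_remove_irqs()`) and the new `cpu_hint` field would not be needed. The body of mana_gd_setup_irqs() starts and ends outside this hunk.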
@@ -1269,17 +1269,18 @@ static int mana_gd_setup_irqs(struct pci_dev *pdev)
irq = pci_irq_vector(pdev, i);
if (irq < 0) {
err = irq;
- goto free_mask;
+ free_cpumask_var(gic->cpu_hint);
+ goto free_irq;
}
err = request_irq(irq, mana_gd_intr, 0, gic->name, gic);
- if (err)
- goto free_mask;
- irq_set_affinity_and_hint(irq, req_mask);
- cpumask_clear(req_mask);
+ if (err) {
+ free_cpumask_var(gic->cpu_hint);
+ goto free_irq;
+ }
+
+ irq_set_affinity_and_hint(irq, gic->cpu_hint);
}
- free_cpumask_var(req_mask);
- kfree(cpus);
err = mana_gd_alloc_res_map(nvec, &gc->msix_resource);
if (err)
@@ -1288,20 +1289,22 @@ static int mana_gd_setup_irqs(struct pci_dev *pdev)
gc->max_num_msix = nvec;
gc->num_msix_usable = nvec;
+ kfree(cpus);
return 0;
-free_mask:
- free_cpumask_var(req_mask);
- kfree(cpus);
free_irq:
for (j = i - 1; j >= 0; j--) {
irq = pci_irq_vector(pdev, j);
gic = &gc->irq_contexts[j];
irq_update_affinity_hint(irq, NULL);
+ free_cpumask_var(gic->cpu_hint);
free_irq(irq, gic);
}
+ kfree(cpus);
+
+free_gic:
kfree(gc->irq_contexts);
gc->irq_contexts = NULL;
free_irq_vector:
@@ -1329,6 +1332,7 @@ static void mana_gd_remove_irqs(struct pci_dev *pdev)
/* Need to clear the hint before free_irq */
irq_update_affinity_hint(irq, NULL);
+ free_cpumask_var(gic->cpu_hint);
free_irq(irq, gic);
}
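Review bot: The existing comment in this loop only explains the ordering against `free_irq()`, but the added `free_cpumask_var(gic->cpu_hint)` has its own ordering requirement that is not written down. The mask must stay allocated until the hint pointer has been cleared, otherwise a read of the affinity_hint file could still reach freed memory. I would extend the comment to something like `/* Clear the hint before free_irq(), and before freeing cpu_hint, which the hint still points to */`. The loop head is outside this hunk, so it cannot be confirmed from here that every context which received a mask in setup reaches this free; worth checking any path that skips an iteration.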
diff --git a/include/net/mana/gdma.h b/include/net/mana/gdma.h
index 56189e4252da..4dcafecbd89e 100644
--- a/include/net/mana/gdma.h
+++ b/include/net/mana/gdma.h
@@ -342,6 +342,7 @@ struct gdma_irq_context {
void (*handler)(void *arg);
void *arg;
char name[MANA_IRQ_NAME_SZ];
+ cpumask_var_t cpu_hint;
};
struct gdma_context {
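Review bot: The new `cpu_hint` member has no comment, and its lifetime rule is the whole point of the fix. A short note on the field would stop a later change from freeing or reusing it early, for example `/* per-irq mask passed as affinity hint; free only after the hint is cleared */`. The struct definition begins outside this hunk.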
--
2.25.1