Linux RDMA and InfiniBand development
* [PATCH for-rc 1/2] irdma: free iwdev->rf after removing MSI-X
@ 2025-04-14 23:42 Tatyana Nikolova
  2025-04-14 23:42 ` [PATCH for-rc 2/2] ice, irdma: fix an off by one in error handling code Tatyana Nikolova
  2025-04-20 10:56 ` [PATCH for-rc 1/2] irdma: free iwdev->rf after removing MSI-X Leon Romanovsky
  0 siblings, 2 replies; 3+ messages in thread
From: Tatyana Nikolova @ 2025-04-14 23:42 UTC
  To: jgg, leon; +Cc: linux-rdma, Michal Swiatkowski, Marcin Szycik, Tatyana Nikolova

From: Michal Swiatkowski <michal.swiatkowski@linux.intel.com>

Currently iwdev->rf is allocated in irdma_probe(), but freed in
irdma_ib_dealloc_device(). It can be misleading. Move the free to
irdma_remove() to be more obvious.

Freeing in irdma_ib_dealloc_device() leads to a KASAN use-after-free
issue, which can also lead to a NULL pointer dereference. Fix this.

irdma_deinit_interrupts() can't be moved before freeing iwdev->rf,
because in this case deinit interrupts will be done before freeing irqs.
The simplest solution is to move kfree(iwdev->rf) to irdma_remove().

Reproducer:
  sudo rmmod irdma

Minified splat(s):
  BUG: KASAN: use-after-free in irdma_remove+0x257/0x2d0 [irdma]
  Call Trace:
   <TASK>
   ? __pfx__raw_spin_lock_irqsave+0x10/0x10
   ? kfree+0x253/0x450
   ? irdma_remove+0x257/0x2d0 [irdma]
   kasan_report+0xed/0x120
   ? irdma_remove+0x257/0x2d0 [irdma]
   irdma_remove+0x257/0x2d0 [irdma]
   auxiliary_bus_remove+0x56/0x80
   device_release_driver_internal+0x371/0x530
   ? kernfs_put.part.0+0x147/0x310
   driver_detach+0xbf/0x180
   bus_remove_driver+0x11b/0x2a0
   auxiliary_driver_unregister+0x1a/0x50
   irdma_exit_module+0x40/0x4c [irdma]

  Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN NOPTI
  KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
  RIP: 0010:ice_free_rdma_qvector+0x2a/0xa0 [ice]
  Call Trace:
   ? ice_free_rdma_qvector+0x2a/0xa0 [ice]
   irdma_remove+0x179/0x2d0 [irdma]
   auxiliary_bus_remove+0x56/0x80
   device_release_driver_internal+0x371/0x530
   ? kobject_put+0x61/0x4b0
   driver_detach+0xbf/0x180
   bus_remove_driver+0x11b/0x2a0
   auxiliary_driver_unregister+0x1a/0x50
   irdma_exit_module+0x40/0x4c [irdma]

Reported-by: Marcin Szycik <marcin.szycik@linux.intel.com>
Closes: https://lore.kernel.org/netdev/8e533834-4564-472f-b29b-4f1cb7730053@linux.intel.com/
Fixes: 3e0d3cb3fbe0 ("ice, irdma: move interrupts code to irdma")
Reviewed-by: Marcin Szycik <marcin.szycik@linux.intel.com>
Signed-off-by: Michal Swiatkowski <michal.swiatkowski@linux.intel.com>
Signed-off-by: Tatyana Nikolova <tatyana.e.nikolova@intel.com>
---
 drivers/infiniband/hw/irdma/main.c  | 2 ++
 drivers/infiniband/hw/irdma/verbs.c | 1 -
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/infiniband/hw/irdma/main.c b/drivers/infiniband/hw/irdma/main.c
index 1ee8969595d3..d10fd16dcec3 100644
--- a/drivers/infiniband/hw/irdma/main.c
+++ b/drivers/infiniband/hw/irdma/main.c
@@ -255,6 +255,8 @@ static void irdma_remove(struct auxiliary_device *aux_dev)
 	ice_rdma_update_vsi_filter(pf, iwdev->vsi_num, false);
 	irdma_deinit_interrupts(iwdev->rf, pf);
 
+	kfree(iwdev->rf);
+
 	pr_debug("INIT: Gen2 PF[%d] device remove success\n", PCI_FUNC(pf->pdev->devfn));
 }
 
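Review bot: The added kfree(iwdev->rf) in irdma_remove() reads iwdev again after the point where, per the commit message, irdma_ib_dealloc_device() has already run, so it is worth confirming that iwdev itself is still valid here and not only rf. Loading rf into a local once and passing that local to both irdma_deinit_interrupts() and kfree() would make the ordering dependency explicit and avoid repeated dereferences of iwdev during teardown. A short comment that this free pairs with the allocation in irdma_probe() and must follow irdma_deinit_interrupts() would keep a later cleanup from moving it back.
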
diff --git a/drivers/infiniband/hw/irdma/verbs.c b/drivers/infiniband/hw/irdma/verbs.c
index eeb932e58730..1e8c92826de2 100644
--- a/drivers/infiniband/hw/irdma/verbs.c
+++ b/drivers/infiniband/hw/irdma/verbs.c
@@ -4871,5 +4871,4 @@ void irdma_ib_dealloc_device(struct ib_device *ibdev)
 
 	irdma_rt_deinit_hw(iwdev);
 	irdma_ctrl_deinit_hw(iwdev->rf);
-	kfree(iwdev->rf);
 }
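
Review bot: With the kfree() removed, irdma_ib_dealloc_device() still passes iwdev->rf to irdma_ctrl_deinit_hw() but no longer frees it, and the diffstat shows the only new free is the one in irdma_remove(). Please confirm that every path that reaches this function without going through irdma_remove(), such as a failure during device registration, still frees rf; otherwise the allocation made in irdma_probe() leaks on that path. A comment here noting that rf is owned by the probe/remove pair would document why the free is absent.
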
-- 
2.31.1



* [PATCH for-rc 2/2] ice, irdma: fix an off by one in error handling code
  2025-04-14 23:42 [PATCH for-rc 1/2] irdma: free iwdev->rf after removing MSI-X Tatyana Nikolova
@ 2025-04-14 23:42 ` Tatyana Nikolova
  2025-04-20 10:56 ` [PATCH for-rc 1/2] irdma: free iwdev->rf after removing MSI-X Leon Romanovsky
  1 sibling, 0 replies; 3+ messages in thread
From: Tatyana Nikolova @ 2025-04-14 23:42 UTC
  To: jgg, leon; +Cc: linux-rdma, Dan Carpenter, Tatyana Nikolova

From: Dan Carpenter <dan.carpenter@linaro.org>

If we don't allocate the MIN number of IRQs then we need to free what
we have and return -ENOMEM.  The problem is this loop is off by one
so it frees an entry that wasn't allocated and it doesn't free the
first entry where i == 0.

Fixes: 3e0d3cb3fbe0 ("ice, irdma: move interrupts code to irdma")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Signed-off-by: Tatyana Nikolova <tatyana.e.nikolova@intel.com>
---
 drivers/infiniband/hw/irdma/main.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/infiniband/hw/irdma/main.c b/drivers/infiniband/hw/irdma/main.c
index d10fd16dcec3..7599e31b5743 100644
--- a/drivers/infiniband/hw/irdma/main.c
+++ b/drivers/infiniband/hw/irdma/main.c
@@ -221,7 +221,7 @@ static int irdma_init_interrupts(struct irdma_pci_f *rf, struct ice_pf *pf)
 			break;
 
 	if (i < IRDMA_MIN_MSIX) {
-		for (; i > 0; i--)
+		while (--i >= 0)
 			ice_free_rdma_qvector(pf, &rf->msix_entries[i]);
 
 		kfree(rf->msix_entries);
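
Review bot: The replacement loop while (--i >= 0) terminates only if i is a signed type, and the declaration of i is outside this hunk. If i is unsigned, --i >= 0 is always true and the loop walks past the start of rf->msix_entries, so please confirm it is declared int; writing the loop as while (i--) frees the same entries, i - 1 down to 0, and is correct for either signedness.
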
-- 
2.31.1



* Re: [PATCH for-rc 1/2] irdma: free iwdev->rf after removing MSI-X
  2025-04-14 23:42 [PATCH for-rc 1/2] irdma: free iwdev->rf after removing MSI-X Tatyana Nikolova
  2025-04-14 23:42 ` [PATCH for-rc 2/2] ice, irdma: fix an off by one in error handling code Tatyana Nikolova
@ 2025-04-20 10:56 ` Leon Romanovsky
  1 sibling, 0 replies; 3+ messages in thread
From: Leon Romanovsky @ 2025-04-20 10:56 UTC
  To: Jason Gunthorpe, Tatyana Nikolova
  Cc: linux-rdma, Michal Swiatkowski, Marcin Szycik


On Mon, 14 Apr 2025 18:42:30 -0500, Tatyana Nikolova wrote:
> Currently iwdev->rf is allocated in irdma_probe(), but freed in
> irdma_ib_dealloc_device(). It can be misleading. Move the free to
> irdma_remove() to be more obvious.
> 
> Freeing in irdma_ib_dealloc_device() leads to a KASAN use-after-free
> issue, which can also lead to a NULL pointer dereference. Fix this.
> 
> [...]

Applied, thanks!

[1/2] irdma: free iwdev->rf after removing MSI-X
      https://git.kernel.org/rdma/rdma/c/80f2ab46c2ee16
[2/2] ice, irdma: fix an off by one in error handling code
      https://git.kernel.org/rdma/rdma/c/4bcc063939a560

Best regards,
-- 
Leon Romanovsky <leon@kernel.org>


