From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Maor Dickman <maord@nvidia.com>,
Roi Dayan <roid@nvidia.com>, Saeed Mahameed <saeedm@nvidia.com>
Subject: [PATCH 5.15 14/32] net/mlx5e: Fix handling of wrong devices during bond netevent
Date: Fri, 4 Feb 2022 10:22:24 +0100 [thread overview]
Message-ID: <20220204091915.732532366@linuxfoundation.org> (raw)
In-Reply-To: <20220204091915.247906930@linuxfoundation.org>
From: Maor Dickman <maord@nvidia.com>
commit ec41332e02bd0acf1f24206867bb6a02f5877a62 upstream.
Current implementation of bond netevent handler only check if
the handled netdev is VF representor and it missing a check if
the VF representor is on the same phys device of the bond handling
the netevent.
Fix by adding the missing check and optimizing the check if
the netdev is VF representor so it will not access uninitialized
private data and crashes.
BUG: kernel NULL pointer dereference, address: 000000000000036c
PGD 0 P4D 0
Oops: 0000 [#1] SMP NOPTI
Workqueue: eth3bond0 bond_mii_monitor [bonding]
RIP: 0010:mlx5e_is_uplink_rep+0xc/0x50 [mlx5_core]
RSP: 0018:ffff88812d69fd60 EFLAGS: 00010282
RAX: 0000000000000000 RBX: ffff8881cf800000 RCX: 0000000000000000
RDX: ffff88812d69fe10 RSI: 000000000000001b RDI: ffff8881cf800880
RBP: ffff8881cf800000 R08: 00000445cabccf2b R09: 0000000000000008
R10: 0000000000000004 R11: 0000000000000008 R12: ffff88812d69fe10
R13: 00000000fffffffe R14: ffff88820c0f9000 R15: 0000000000000000
FS: 0000000000000000(0000) GS:ffff88846fb00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000000000036c CR3: 0000000103d80006 CR4: 0000000000370ea0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
mlx5e_eswitch_uplink_rep+0x31/0x40 [mlx5_core]
mlx5e_rep_is_lag_netdev+0x94/0xc0 [mlx5_core]
mlx5e_rep_esw_bond_netevent+0xeb/0x3d0 [mlx5_core]
raw_notifier_call_chain+0x41/0x60
call_netdevice_notifiers_info+0x34/0x80
netdev_lower_state_changed+0x4e/0xa0
bond_mii_monitor+0x56b/0x640 [bonding]
process_one_work+0x1b9/0x390
worker_thread+0x4d/0x3d0
? rescuer_thread+0x350/0x350
kthread+0x124/0x150
? set_kthread_struct+0x40/0x40
ret_from_fork+0x1f/0x30
Fixes: 7e51891a237f ("net/mlx5e: Use netdev events to set/del egress acl forward-to-vport rule")
Signed-off-by: Maor Dickman <maord@nvidia.com>
Reviewed-by: Roi Dayan <roid@nvidia.com>
Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/ethernet/mellanox/mlx5/core/en/rep/bond.c | 32 +++++++-----------
1 file changed, 14 insertions(+), 18 deletions(-)
--- a/drivers/net/ethernet/mellanox/mlx5/core/en/rep/bond.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en/rep/bond.c
@@ -183,18 +183,7 @@ void mlx5e_rep_bond_unslave(struct mlx5_
static bool mlx5e_rep_is_lag_netdev(struct net_device *netdev)
{
- struct mlx5e_rep_priv *rpriv;
- struct mlx5e_priv *priv;
-
- /* A given netdev is not a representor or not a slave of LAG configuration */
- if (!mlx5e_eswitch_rep(netdev) || !netif_is_lag_port(netdev))
- return false;
-
- priv = netdev_priv(netdev);
- rpriv = priv->ppriv;
-
- /* Egress acl forward to vport is supported only non-uplink representor */
- return rpriv->rep->vport != MLX5_VPORT_UPLINK;
+ return netif_is_lag_port(netdev) && mlx5e_eswitch_vf_rep(netdev);
}
static void mlx5e_rep_changelowerstate_event(struct net_device *netdev, void *ptr)
@@ -210,9 +199,6 @@ static void mlx5e_rep_changelowerstate_e
u16 fwd_vport_num;
int err;
- if (!mlx5e_rep_is_lag_netdev(netdev))
- return;
-
info = ptr;
lag_info = info->lower_state_info;
/* This is not an event of a representor becoming active slave */
@@ -266,9 +252,6 @@ static void mlx5e_rep_changeupper_event(
struct net_device *lag_dev;
struct mlx5e_priv *priv;
- if (!mlx5e_rep_is_lag_netdev(netdev))
- return;
-
priv = netdev_priv(netdev);
rpriv = priv->ppriv;
lag_dev = info->upper_dev;
@@ -293,6 +276,19 @@ static int mlx5e_rep_esw_bond_netevent(s
unsigned long event, void *ptr)
{
struct net_device *netdev = netdev_notifier_info_to_dev(ptr);
+ struct mlx5e_rep_priv *rpriv;
+ struct mlx5e_rep_bond *bond;
+ struct mlx5e_priv *priv;
+
+ if (!mlx5e_rep_is_lag_netdev(netdev))
+ return NOTIFY_DONE;
+
+ bond = container_of(nb, struct mlx5e_rep_bond, nb);
+ priv = netdev_priv(netdev);
+ rpriv = mlx5_eswitch_get_uplink_priv(priv->mdev->priv.eswitch, REP_ETH);
+ /* Verify VF representor is on the same device of the bond handling the netevent. */
+ if (rpriv->uplink_priv.bond != bond)
+ return NOTIFY_DONE;
switch (event) {
case NETDEV_CHANGELOWERSTATE:
next prev parent reply other threads:[~2022-02-04 9:24 UTC|newest]
Thread overview: 48+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-02-04 9:22 [PATCH 5.15 00/32] 5.15.20-rc1 review Greg Kroah-Hartman
2022-02-04 9:22 ` [PATCH 5.15 01/32] PCI: pciehp: Fix infinite loop in IRQ handler upon power fault Greg Kroah-Hartman
2022-02-04 9:22 ` [PATCH 5.15 02/32] selftests: mptcp: fix ipv6 routing setup Greg Kroah-Hartman
2022-02-04 9:22 ` [PATCH 5.15 03/32] net: ipa: use a bitmap for endpoint replenish_enabled Greg Kroah-Hartman
2022-02-04 9:22 ` [PATCH 5.15 04/32] net: ipa: prevent concurrent replenish Greg Kroah-Hartman
2022-02-04 9:22 ` [PATCH 5.15 05/32] drm/vc4: hdmi: Make sure the device is powered with CEC Greg Kroah-Hartman
2022-02-05 17:12 ` Guenter Roeck
2022-02-05 17:56 ` Greg Kroah-Hartman
2022-02-05 18:41 ` Guenter Roeck
2022-02-06 12:09 ` Greg Kroah-Hartman
2022-02-06 17:32 ` Guenter Roeck
2022-02-04 9:22 ` [PATCH 5.15 06/32] cgroup-v1: Require capabilities to set release_agent Greg Kroah-Hartman
2022-02-04 9:22 ` [PATCH 5.15 07/32] Revert "mm/gup: small refactoring: simplify try_grab_page()" Greg Kroah-Hartman
2022-02-04 9:22 ` [PATCH 5.15 08/32] ovl: dont fail copy up if no fileattr support on upper Greg Kroah-Hartman
2022-02-04 9:22 ` [PATCH 5.15 09/32] lockd: fix server crash on reboot of client holding lock Greg Kroah-Hartman
2022-02-04 9:22 ` [PATCH 5.15 10/32] lockd: fix failure to cleanup client locks Greg Kroah-Hartman
2022-02-04 9:22 ` [PATCH 5.15 11/32] net/mlx5e: IPsec: Fix tunnel mode crypto offload for non TCP/UDP traffic Greg Kroah-Hartman
2022-02-04 9:22 ` [PATCH 5.15 12/32] net/mlx5: Bridge, take rtnl lock in init error handler Greg Kroah-Hartman
2022-02-04 9:22 ` [PATCH 5.15 13/32] net/mlx5: Bridge, ensure dev_name is null-terminated Greg Kroah-Hartman
2022-02-04 9:22 ` Greg Kroah-Hartman [this message]
2022-02-04 9:22 ` [PATCH 5.15 15/32] net/mlx5: Use del_timer_sync in fw reset flow of halting poll Greg Kroah-Hartman
2022-02-04 9:22 ` [PATCH 5.15 16/32] net/mlx5e: Fix module EEPROM query Greg Kroah-Hartman
2022-02-04 9:22 ` [PATCH 5.15 17/32] net/mlx5: Fix offloading with ESWITCH_IPV4_TTL_MODIFY_ENABLE Greg Kroah-Hartman
2022-02-04 9:22 ` [PATCH 5.15 18/32] net/mlx5e: Dont treat small ceil values as unlimited in HTB offload Greg Kroah-Hartman
2022-02-04 9:22 ` [PATCH 5.15 19/32] net/mlx5: Bridge, Fix devlink deadlock on net namespace deletion Greg Kroah-Hartman
2022-02-04 9:22 ` [PATCH 5.15 20/32] net/mlx5: E-Switch, Fix uninitialized variable modact Greg Kroah-Hartman
2022-02-04 9:22 ` [PATCH 5.15 21/32] ipheth: fix EOVERFLOW in ipheth_rcvbulk_callback Greg Kroah-Hartman
2022-02-04 9:22 ` [PATCH 5.15 22/32] i40e: Fix reset bw limit when DCB enabled with 1 TC Greg Kroah-Hartman
2022-02-04 9:22 ` [PATCH 5.15 23/32] i40e: Fix reset path while removing the driver Greg Kroah-Hartman
2022-02-04 9:22 ` [PATCH 5.15 24/32] net: amd-xgbe: ensure to reset the tx_timer_active flag Greg Kroah-Hartman
2022-02-04 9:22 ` [PATCH 5.15 25/32] net: amd-xgbe: Fix skb data length underflow Greg Kroah-Hartman
2022-02-04 9:22 ` [PATCH 5.15 26/32] fanotify: Fix stale file descriptor in copy_event_to_user() Greg Kroah-Hartman
2022-02-04 9:22 ` [PATCH 5.15 27/32] net: sched: fix use-after-free in tc_new_tfilter() Greg Kroah-Hartman
2022-02-04 9:22 ` [PATCH 5.15 28/32] rtnetlink: make sure to refresh master_dev/m_ops in __rtnl_newlink() Greg Kroah-Hartman
2022-02-04 9:22 ` [PATCH 5.15 29/32] cpuset: Fix the bug that subpart_cpus updated wrongly in update_cpumask() Greg Kroah-Hartman
2022-02-04 9:22 ` [PATCH 5.15 30/32] e1000e: Handshake with CSME starts from ADL platforms Greg Kroah-Hartman
2022-02-04 9:22 ` [PATCH 5.15 31/32] af_packet: fix data-race in packet_setsockopt / packet_setsockopt Greg Kroah-Hartman
2022-02-04 9:22 ` [PATCH 5.15 32/32] tcp: add missing tcp_skb_can_collapse() test in tcp_shift_skb_data() Greg Kroah-Hartman
2022-02-04 12:21 ` [PATCH 5.15 00/32] 5.15.20-rc1 review Bagas Sanjaya
2022-02-04 17:48 ` Florian Fainelli
2022-02-04 20:31 ` Shuah Khan
2022-02-04 21:08 ` Guenter Roeck
2022-02-04 22:42 ` Ron Economos
2022-02-04 23:04 ` Justin Forbes
2022-02-05 0:18 ` Fox Chen
2022-02-05 5:07 ` Slade Watkins
2022-02-05 6:51 ` Naresh Kamboju
2022-02-05 14:32 ` Sudip Mukherjee
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220204091915.732532366@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=maord@nvidia.com \
--cc=roid@nvidia.com \
--cc=saeedm@nvidia.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox