From: Netanel Belgazal <netanel@annapurnalabs.com>
To: linux-kernel@vger.kernel.org, davem@davemloft.net,
netdev@vger.kernel.org
Cc: Netanel Belgazal <netanel@annapurnalabs.com>,
dwmw@amazon.com, zorik@annapurnalabs.com, alex@annapurnalabs.com,
saeed@annapurnalabs.com, msw@amazon.com, aliguori@amazon.com,
nafea@annapurnalabs.com, eric.dumazet@gmail.com
Subject: [PATCH V3 net-next 06/14] net/ena: fix NULL dereference when removing the driver after device reset failed
Date: Fri, 27 Jan 2017 00:18:08 +0200 [thread overview]
Message-ID: <1485469096-5271-7-git-send-email-netanel@annapurnalabs.com> (raw)
In-Reply-To: <1485469096-5271-1-git-send-email-netanel@annapurnalabs.com>
If for some reason the device stops responding, and the device reset
failes to recover the device, the mmio register read data structure
will not be reinitialized.
On driver removal, the driver will also try to reset the device, but
this time the mmio data structure will be NULL.
To solve this issue, perform the device reset in the remove function
only if the device is runnig.
Crash log
54.240382] BUG: unable to handle kernel NULL pointer dereference at (null)
[ 54.244186] IP: [<ffffffffc067de5a>] ena_com_reg_bar_read32+0x8a/0x180 [ena_drv]
[ 54.244186] PGD 0
[ 54.244186] Oops: 0002 [#1] SMP
[ 54.244186] Modules linked in: ena_drv(OE-) snd_hda_codec_generic kvm_intel kvm crct10dif_pclmul ppdev crc32_pclmul ghash_clmulni_intel aesni_intel snd_hda_intel aes_x86_64 snd_hda_controller lrw gf128mul cirrus glue_helper ablk_helper ttm snd_hda_codec drm_kms_helper cryptd snd_hwdep drm snd_pcm pvpanic snd_timer syscopyarea sysfillrect snd parport_pc sysimgblt serio_raw soundcore i2c_piix4 mac_hid lp parport psmouse floppy
[ 54.244186] CPU: 5 PID: 1841 Comm: rmmod Tainted: G OE 3.16.0-031600-generic #201408031935
[ 54.244186] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
[ 54.244186] task: ffff880135852880 ti: ffff8800bb640000 task.ti: ffff8800bb640000
[ 54.244186] RIP: 0010:[<ffffffffc067de5a>] [<ffffffffc067de5a>] ena_com_reg_bar_read32+0x8a/0x180 [ena_drv]
[ 54.244186] RSP: 0018:ffff8800bb643d50 EFLAGS: 00010083
[ 54.244186] RAX: 000000000000deb0 RBX: 0000000000030d40 RCX: 0000000000000003
[ 54.244186] RDX: 0000000000000202 RSI: 0000000000000058 RDI: ffffc90000775104
[ 54.244186] RBP: ffff8800bb643d88 R08: 0000000000000000 R09: cf00000000000000
[ 54.244186] R10: 0000000fffffffe0 R11: 0000000000000001 R12: 0000000000000000
[ 54.244186] R13: ffffc90000765000 R14: ffffc90000775104 R15: 00007fca1fa98090
[ 54.244186] FS: 00007fca1f1bd740(0000) GS:ffff88013fd40000(0000) knlGS:0000000000000000
[ 54.244186] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 54.244186] CR2: 0000000000000000 CR3: 00000000b9cf6000 CR4: 00000000001406e0
[ 54.244186] Stack:
[ 54.244186] 0000000000000202 0000005800000286 ffffc90000765000 ffffc90000765000
[ 54.244186] ffff880135f6b000 ffff8800b9360000 00007fca1fa98090 ffff8800bb643db8
[ 54.244186] ffffffffc0680b3d ffff8800b93608c0 ffffc90000765000 ffff880135f6b000
[ 54.244186] Call Trace:
[ 54.244186] [<ffffffffc0680b3d>] ena_com_dev_reset+0x1d/0x1b0 [ena_drv]
[ 54.244186] [<ffffffffc0678497>] ena_remove+0xa7/0x130 [ena_drv]
[ 54.244186] [<ffffffff813d4df6>] pci_device_remove+0x46/0xc0
[ 54.244186] [<ffffffff814c3b7f>] __device_release_driver+0x7f/0xf0
[ 54.244186] [<ffffffff814c4738>] driver_detach+0xc8/0xd0
[ 54.244186] [<ffffffff814c3969>] bus_remove_driver+0x59/0xd0
[ 54.244186] [<ffffffff814c4fde>] driver_unregister+0x2e/0x60
[ 54.244186] [<ffffffff810f0a80>] ? show_refcnt+0x40/0x40
[ 54.244186] [<ffffffff813d4ec3>] pci_unregister_driver+0x23/0xa0
[ 54.244186] [<ffffffffc068413f>] ena_cleanup+0x10/0xed1 [ena_drv]
[ 54.244186] [<ffffffff810f3a47>] SyS_delete_module+0x157/0x1e0
[ 54.244186] [<ffffffff81014fb7>] ? do_notify_resume+0xc7/0xd0
[ 54.244186] [<ffffffff81793fad>] system_call_fastpath+0x1a/0x1f
[ 54.244186] Code: c3 4d 8d b5 04 01 01 00 4c 89 f7 e8 e1 5a 11 c1 48 89 45 c8 41 0f b7 85 00 01 01 00 8d 48 01 66 2d 52 21 66 41 89 8d 00 01 01 00 <66> 41 89 04 24 0f b7 45 d4 89 45 d0 89 c1 41 0f b7 85 00 01 01
[ 54.244186] RIP [<ffffffffc067de5a>] ena_com_reg_bar_read32+0x8a/0x180 [ena_drv]
[ 54.244186] RSP <ffff8800bb643d50>
[ 54.244186] CR2: 0000000000000000
[ 54.244186] ---[ end trace 18dd9889b6497810 ]---
Signed-off-by: Netanel Belgazal <netanel@annapurnalabs.com>
---
drivers/net/ethernet/amazon/ena/ena_netdev.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/amazon/ena/ena_netdev.c b/drivers/net/ethernet/amazon/ena/ena_netdev.c
index f409cfd..639f0aa 100644
--- a/drivers/net/ethernet/amazon/ena/ena_netdev.c
+++ b/drivers/net/ethernet/amazon/ena/ena_netdev.c
@@ -2509,6 +2509,8 @@ static void ena_fw_reset_device(struct work_struct *work)
err:
rtnl_unlock();
+ clear_bit(ENA_FLAG_DEVICE_RUNNING, &adapter->flags);
+
dev_err(&pdev->dev,
"Reset attempt failed. Can not reset the device\n");
}
@@ -3118,7 +3120,9 @@ static void ena_remove(struct pci_dev *pdev)
cancel_work_sync(&adapter->resume_io_task);
- ena_com_dev_reset(ena_dev);
+ /* Reset the device only if the device is running. */
+ if (test_bit(ENA_FLAG_DEVICE_RUNNING, &adapter->flags))
+ ena_com_dev_reset(ena_dev);
ena_free_mgmnt_irq(adapter);
--
2.7.4
next prev parent reply other threads:[~2017-01-26 22:18 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-01-26 22:18 [PATCH V3 net-next 00/14] Bug Fixes in ENA driver Netanel Belgazal
2017-01-26 22:18 ` [PATCH V3 net-next 01/14] net/ena: remove ntuple filter support from device feature list Netanel Belgazal
2017-01-26 22:18 ` [PATCH V3 net-next 02/14] net/ena: fix error handling when probe fails Netanel Belgazal
2017-01-27 23:33 ` Lino Sanfilippo
2017-01-31 22:14 ` Netanel Belgazal
2017-01-26 22:18 ` [PATCH V3 net-next 03/14] net/ena: fix queues number calculation Netanel Belgazal
2017-01-26 22:18 ` [PATCH V3 net-next 04/14] net/ena: fix ethtool RSS flow configuration Netanel Belgazal
2017-01-26 22:18 ` [PATCH V3 net-next 05/14] net/ena: fix RSS default hash configuration Netanel Belgazal
2017-01-26 22:18 ` Netanel Belgazal [this message]
2017-01-26 22:18 ` [PATCH V3 net-next 07/14] net/ena: refactor ena_get_stats64 to be atomic context safe Netanel Belgazal
2017-01-26 22:18 ` [PATCH V3 net-next 08/14] net/ena: fix potential access to freed memory during device reset Netanel Belgazal
2017-01-26 22:18 ` [PATCH V3 net-next 09/14] net/ena: use napi_complete_done() return value Netanel Belgazal
2017-01-26 22:18 ` [PATCH V3 net-next 10/14] net/ena: use READ_ONCE to access completion descriptors Netanel Belgazal
2017-01-26 22:18 ` [PATCH V3 net-next 11/14] net/ena: reduce the severity of ena printouts Netanel Belgazal
2017-01-26 22:18 ` [PATCH V3 net-next 12/14] net/ena: change driver's default timeouts Netanel Belgazal
2017-01-26 22:18 ` [PATCH V3 net-next 13/14] net/ena: change condition for host attribute configuration Netanel Belgazal
2017-01-26 22:18 ` [PATCH V3 net-next 14/14] net/ena: update driver version to 1.1.2 Netanel Belgazal
2017-01-27 16:07 ` [PATCH V3 net-next 00/14] Bug Fixes in ENA driver David Miller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1485469096-5271-7-git-send-email-netanel@annapurnalabs.com \
--to=netanel@annapurnalabs.com \
--cc=alex@annapurnalabs.com \
--cc=aliguori@amazon.com \
--cc=davem@davemloft.net \
--cc=dwmw@amazon.com \
--cc=eric.dumazet@gmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=msw@amazon.com \
--cc=nafea@annapurnalabs.com \
--cc=netdev@vger.kernel.org \
--cc=saeed@annapurnalabs.com \
--cc=zorik@annapurnalabs.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).