From: Eric Joyner <eric.joyner@amd.com>
To: <netdev@vger.kernel.org>
Cc: Brett Creeley <brett.creeley@amd.com>,
	Andrew Lunn <andrew+netdev@lunn.ch>,
	"David S. Miller" <davem@davemloft.net>,
	"Eric Dumazet" <edumazet@google.com>,
	Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
	Eric Joyner <eric.joyner@amd.com>
Subject: [PATCH net 5/7] ionic: fix adminq use-after-free on command timeout
Date: Wed, 29 Apr 2026 14:00:05 -0700
Message-ID: <20260429210007.40015-6-eric.joyner@amd.com>
In-Reply-To: <20260429210007.40015-1-eric.joyner@amd.com>

From: Brett Creeley <brett.creeley@amd.com>

When ionic_adminq_wait() times out or detects FW reset, it
returns an error to the caller, whose ionic_admin_ctx is typically
on the stack. However, desc_info->ctx in the adminq still points
to that ctx. If ionic_adminq_service() later runs in NAPI context,
it dereferences the stale pointer to copy the completion and call
complete_all(), causing a use-after-free.

The timeout path partially addressed this via ionic_adminq_flush()
in ionic_adminq_check_err(), which NULLs all pending desc_info->ctx
entries. But there is a race window between the timeout detection
and the flush where NAPI could fire and access the stale ctx. The
FW reset path had no protection at all and returned directly
without clearing desc_info->ctx.

Add ionic_adminq_cancel() which takes adminq_lock and NULLs
desc_info->ctx for the specific context being cancelled. This
coordinates with ionic_adminq_service() which also runs under the
same lock. Call it from both error paths in ionic_adminq_wait()
before returning.

Fixes: 938962d55229 ("ionic: Add adminq action")
Assisted-by: Claude:claude-opus-4.6
Signed-off-by: Brett Creeley <brett.creeley@amd.com>
Signed-off-by: Eric Joyner <eric.joyner@amd.com>
---
 .../net/ethernet/pensando/ionic/ionic_main.c  | 30 +++++++++++++++++++
 1 file changed, 30 insertions(+)

diff --git a/drivers/net/ethernet/pensando/ionic/ionic_main.c b/drivers/net/ethernet/pensando/ionic/ionic_main.c
index 810cef0fec93..0971ca4d6650 100644
--- a/drivers/net/ethernet/pensando/ionic/ionic_main.c
+++ b/drivers/net/ethernet/pensando/ionic/ionic_main.c
@@ -190,6 +190,32 @@ static const char *ionic_opcode_to_str(enum ionic_cmd_opcode opcode)
 	}
 }
 
+static void ionic_adminq_cancel(struct ionic_lif *lif,
+				struct ionic_admin_ctx *ctx)
+{
+	struct ionic_admin_desc_info *desc_info;
+	unsigned long irqflags;
+	struct ionic_queue *q;
+	int i;
+
+	spin_lock_irqsave(&lif->adminq_lock, irqflags);
+	if (!lif->adminqcq) {
+		spin_unlock_irqrestore(&lif->adminq_lock, irqflags);
+		return;
+	}
+
+	q = &lif->adminqcq->q;
+
+	for (i = 0; i < q->num_descs; i++) {
+		desc_info = &q->admin_info[i];
+		if (desc_info->ctx == ctx) {
+			desc_info->ctx = NULL;
+			break;
+		}
+	}
+	spin_unlock_irqrestore(&lif->adminq_lock, irqflags);
+}
+
 static void ionic_adminq_flush(struct ionic_lif *lif)
 {
 	struct ionic_admin_desc_info *desc_info;
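Review bot: ionic_adminq_cancel() has no comment documenting its locking contract or the assumption behind the early `break`. The function is only safe because ionic_adminq_service() also takes adminq_lock before dereferencing desc_info->ctx (as the commit message states), and the `break` after the first match assumes a given ctx is posted to at most one descriptor at a time. Both facts live outside this hunk, so a two-line comment above the function would keep the next reader from having to rediscover them. Scanning all num_descs entries rather than only the in-flight range is acceptable here since this is a cold error path, but that too is worth a word.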
@@ -448,6 +474,7 @@ int ionic_adminq_wait(struct ionic_lif *lif, struct ionic_admin_ctx *ctx,
 			if (do_msg)
 				netdev_warn(netdev, "%s (%d) interrupted, FW in reset\n",
 					    name, ctx->cmd.cmd.opcode);
+			ionic_adminq_cancel(lif, ctx);
 			ctx->comp.comp.status = IONIC_RC_ERROR;
 			return -ENXIO;
 		}
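Review bot: the ordering in the FW-reset path looks right and is worth calling out: ionic_adminq_cancel() is called before `ctx->comp.comp.status = IONIC_RC_ERROR`, so once the cancel returns no NAPI-side completion copy can land on this ctx, and the subsequent status write cannot race with it. A brief comment on the `ionic_adminq_cancel(lif, ctx);` line ("must precede writing ctx->comp") would protect this ordering from being reshuffled later.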
@@ -458,6 +485,9 @@ int ionic_adminq_wait(struct ionic_lif *lif, struct ionic_admin_ctx *ctx,
 	dev_dbg(lif->ionic->dev, "%s: elapsed %d msecs\n",
 		__func__, jiffies_to_msecs(time_done - time_start));
 
+	if (time_after_eq(time_done, time_limit))
+		ionic_adminq_cancel(lif, ctx);
+
 	return ionic_adminq_check_err(lif, ctx,
 				      time_after_eq(time_done, time_limit),
 				      do_msg);
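Review bot: `time_after_eq(time_done, time_limit)` is now evaluated twice, once to decide whether to cancel and once as the argument to ionic_adminq_check_err(); hoisting it into a local such as `bool timed_out = time_after_eq(time_done, time_limit);` keeps the two decisions guaranteed consistent. Separately, a completion that arrives between the wait timing out and the cancel taking adminq_lock is discarded by the cancel and the command is still reported as timed out even though the device processed it; that is a correctness-preserving but lossy outcome, and deserves either a comment or servicing the adminq CQ before cancelling.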
-- 
2.17.1

