From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Feng Zhou <zhoufeng.zf@bytedance.com>,
Sandeep Penigalapati <sandeep.penigalapati@intel.com>,
Tony Nguyen <anthony.l.nguyen@intel.com>,
"David S. Miller" <davem@davemloft.net>,
Sasha Levin <sashal@kernel.org>
Subject: [PATCH 5.10 55/93] ixgbe: Fix NULL pointer dereference in ixgbe_xdp_setup
Date: Mon, 4 Oct 2021 14:52:53 +0200 [thread overview]
Message-ID: <20211004125036.392235979@linuxfoundation.org> (raw)
In-Reply-To: <20211004125034.579439135@linuxfoundation.org>
From: Feng Zhou <zhoufeng.zf@bytedance.com>
[ Upstream commit 513e605d7a9ce136886cb42ebb2c40e9a6eb6333 ]
The ixgbe driver currently generates a NULL pointer dereference with
some machine (online cpus < 63). This is due to the fact that the
maximum value of num_xdp_queues is nr_cpu_ids. Code is in
"ixgbe_set_rss_queues"".
Here's how the problem repeats itself:
Some machine (online cpus < 63), And user set num_queues to 63 through
ethtool. Code is in the "ixgbe_set_channels",
adapter->ring_feature[RING_F_FDIR].limit = count;
It becomes 63.
When user use xdp, "ixgbe_set_rss_queues" will set queues num.
adapter->num_rx_queues = rss_i;
adapter->num_tx_queues = rss_i;
adapter->num_xdp_queues = ixgbe_xdp_queues(adapter);
And rss_i's value is from
f = &adapter->ring_feature[RING_F_FDIR];
rss_i = f->indices = f->limit;
So "num_rx_queues" > "num_xdp_queues", when run to "ixgbe_xdp_setup",
for (i = 0; i < adapter->num_rx_queues; i++)
if (adapter->xdp_ring[i]->xsk_umem)
It leads to panic.
Call trace:
[exception RIP: ixgbe_xdp+368]
RIP: ffffffffc02a76a0 RSP: ffff9fe16202f8d0 RFLAGS: 00010297
RAX: 0000000000000000 RBX: 0000000000000020 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 000000000000001c RDI: ffffffffa94ead90
RBP: ffff92f8f24c0c18 R8: 0000000000000000 R9: 0000000000000000
R10: ffff9fe16202f830 R11: 0000000000000000 R12: ffff92f8f24c0000
R13: ffff9fe16202fc01 R14: 000000000000000a R15: ffffffffc02a7530
ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018
7 [ffff9fe16202f8f0] dev_xdp_install at ffffffffa89fbbcc
8 [ffff9fe16202f920] dev_change_xdp_fd at ffffffffa8a08808
9 [ffff9fe16202f960] do_setlink at ffffffffa8a20235
10 [ffff9fe16202fa88] rtnl_setlink at ffffffffa8a20384
11 [ffff9fe16202fc78] rtnetlink_rcv_msg at ffffffffa8a1a8dd
12 [ffff9fe16202fcf0] netlink_rcv_skb at ffffffffa8a717eb
13 [ffff9fe16202fd40] netlink_unicast at ffffffffa8a70f88
14 [ffff9fe16202fd80] netlink_sendmsg at ffffffffa8a71319
15 [ffff9fe16202fdf0] sock_sendmsg at ffffffffa89df290
16 [ffff9fe16202fe08] __sys_sendto at ffffffffa89e19c8
17 [ffff9fe16202ff30] __x64_sys_sendto at ffffffffa89e1a64
18 [ffff9fe16202ff38] do_syscall_64 at ffffffffa84042b9
19 [ffff9fe16202ff50] entry_SYSCALL_64_after_hwframe at ffffffffa8c0008c
So I fix ixgbe_max_channels so that it will not allow a setting of queues
to be higher than the num_online_cpus(). And when run to ixgbe_xdp_setup,
take the smaller value of num_rx_queues and num_xdp_queues.
Fixes: 4a9b32f30f80 ("ixgbe: fix potential RX buffer starvation for AF_XDP")
Signed-off-by: Feng Zhou <zhoufeng.zf@bytedance.com>
Tested-by: Sandeep Penigalapati <sandeep.penigalapati@intel.com>
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/intel/ixgbe/ixgbe_ethtool.c | 2 +-
drivers/net/ethernet/intel/ixgbe/ixgbe_main.c | 8 ++++++--
2 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_ethtool.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_ethtool.c
index a280aa34ca1d..55983904b6df 100644
--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_ethtool.c
+++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_ethtool.c
@@ -3216,7 +3216,7 @@ static unsigned int ixgbe_max_channels(struct ixgbe_adapter *adapter)
max_combined = ixgbe_max_rss_indices(adapter);
}
- return max_combined;
+ return min_t(int, max_combined, num_online_cpus());
}
static void ixgbe_get_channels(struct net_device *dev,
diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
index 37439b76fcb5..ffe322136c58 100644
--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
+++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
@@ -10123,6 +10123,7 @@ static int ixgbe_xdp_setup(struct net_device *dev, struct bpf_prog *prog)
struct ixgbe_adapter *adapter = netdev_priv(dev);
struct bpf_prog *old_prog;
bool need_reset;
+ int num_queues;
if (adapter->flags & IXGBE_FLAG_SRIOV_ENABLED)
return -EINVAL;
@@ -10172,11 +10173,14 @@ static int ixgbe_xdp_setup(struct net_device *dev, struct bpf_prog *prog)
/* Kick start the NAPI context if there is an AF_XDP socket open
* on that queue id. This so that receiving will start.
*/
- if (need_reset && prog)
- for (i = 0; i < adapter->num_rx_queues; i++)
+ if (need_reset && prog) {
+ num_queues = min_t(int, adapter->num_rx_queues,
+ adapter->num_xdp_queues);
+ for (i = 0; i < num_queues; i++)
if (adapter->xdp_ring[i]->xsk_pool)
(void)ixgbe_xsk_wakeup(adapter->netdev, i,
XDP_WAKEUP_RX);
+ }
return 0;
}
--
2.33.0
next prev parent reply other threads:[~2021-10-04 13:24 UTC|newest]
Thread overview: 100+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-10-04 12:51 [PATCH 5.10 00/93] 5.10.71-rc1 review Greg Kroah-Hartman
2021-10-04 12:51 ` [PATCH 5.10 01/93] tty: Fix out-of-bound vmalloc access in imageblit Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 5.10 02/93] cpufreq: schedutil: Use kobject release() method to free sugov_tunables Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 5.10 03/93] scsi: qla2xxx: Changes to support kdump kernel for NVMe BFS Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 5.10 04/93] cpufreq: schedutil: Destroy mutex before kobject_put() frees the memory Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 5.10 05/93] usb: cdns3: fix race condition before setting doorbell Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 5.10 06/93] ALSA: hda/realtek: Quirks to enable speaker output for Lenovo Legion 7i 15IMHG05, Yoga 7i 14ITL5/15ITL5, and 13s Gen2 laptops Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 5.10 07/93] ACPI: NFIT: Use fallback node id when numa info in NFIT table is incorrect Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 5.10 08/93] fs-verity: fix signed integer overflow with i_size near S64_MAX Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 5.10 09/93] hwmon: (tmp421) handle I2C errors Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 5.10 10/93] hwmon: (w83793) Fix NULL pointer dereference by removing unnecessary structure field Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 5.10 11/93] hwmon: (w83792d) " Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 5.10 12/93] hwmon: (w83791d) " Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 5.10 13/93] gpio: pca953x: do not ignore i2c errors Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 5.10 14/93] scsi: ufs: Fix illegal offset in UPIU event trace Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 5.10 15/93] mac80211: fix use-after-free in CCMP/GCMP RX Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 5.10 16/93] x86/kvmclock: Move this_cpu_pvti into kvmclock.h Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 5.10 17/93] KVM: x86: Fix stack-out-of-bounds memory access from ioapic_write_indirect() Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 5.10 18/93] KVM: x86: nSVM: dont copy virt_ext from vmcb12 Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 5.10 19/93] KVM: nVMX: Filter out all unsupported controls when eVMCS was activated Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 5.10 20/93] KVM: rseq: Update rseq when processing NOTIFY_RESUME on xfer to KVM guest Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 5.10 21/93] media: ir_toy: prevent device from hanging during transmit Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 5.10 22/93] RDMA/cma: Do not change route.addr.src_addr.ss_family Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 5.10 23/93] drm/amd/display: Pass PCI deviceid into DC Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 5.10 24/93] drm/amdgpu: correct initial cp_hqd_quantum for gfx9 Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 5.10 25/93] ipvs: check that ip_vs_conn_tab_bits is between 8 and 20 Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 5.10 26/93] bpf: Handle return value of BPF_PROG_TYPE_STRUCT_OPS prog Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 5.10 27/93] IB/cma: Do not send IGMP leaves for sendonly Multicast groups Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 5.10 28/93] RDMA/cma: Fix listener leak in rdma_cma_listen_on_all() failure Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 5.10 29/93] bpf, mips: Validate conditional branch offsets Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 5.10 30/93] hwmon: (mlxreg-fan) Return non-zero value when fan current state is enforced from sysfs Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 5.10 31/93] mac80211: Fix ieee80211_amsdu_aggregate frag_tail bug Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 5.10 32/93] mac80211: limit injected vht mcs/nss in ieee80211_parse_tx_radiotap Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 5.10 33/93] mac80211: mesh: fix potentially unaligned access Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 5.10 34/93] mac80211-hwsim: fix late beacon hrtimer handling Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 5.10 35/93] sctp: break out if skb_header_pointer returns NULL in sctp_rcv_ootb Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 5.10 36/93] mptcp: dont return sockets in foreign netns Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 5.10 37/93] hwmon: (tmp421) report /PVLD condition as fault Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 5.10 38/93] hwmon: (tmp421) fix rounding for negative values Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 5.10 39/93] net: enetc: fix the incorrect clearing of IF_MODE bits Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 5.10 40/93] net: ipv4: Fix rtnexthop len when RTA_FLOW is present Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 5.10 41/93] smsc95xx: fix stalled rx after link change Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 5.10 42/93] drm/i915/request: fix early tracepoints Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 5.10 43/93] dsa: mv88e6xxx: 6161: Use chip wide MAX MTU Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 5.10 44/93] dsa: mv88e6xxx: Fix MTU definition Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 5.10 45/93] dsa: mv88e6xxx: Include tagger overhead when setting MTU for DSA and CPU ports Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 5.10 46/93] e100: fix length calculation in e100_get_regs_len Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 5.10 47/93] e100: fix buffer overrun in e100_get_regs Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 5.10 48/93] RDMA/hns: Fix inaccurate prints Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 5.10 49/93] bpf: Exempt CAP_BPF from checks against bpf_jit_limit Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 5.10 50/93] selftests, bpf: Fix makefile dependencies on libbpf Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 5.10 51/93] selftests, bpf: test_lwt_ip_encap: Really disable rp_filter Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 5.10 52/93] net: ks8851: fix link error Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 5.10 53/93] Revert "block, bfq: honor already-setup queue merges" Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 5.10 54/93] scsi: csiostor: Add module softdep on cxgb4 Greg Kroah-Hartman
2021-10-04 12:52 ` Greg Kroah-Hartman [this message]
2021-10-04 12:52 ` [PATCH 5.10 56/93] net: hns3: do not allow call hns3_nic_net_open repeatedly Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 5.10 57/93] net: hns3: keep MAC pause mode when multiple TCs are enabled Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 5.10 58/93] net: hns3: fix mixed flag HCLGE_FLAG_MQPRIO_ENABLE and HCLGE_FLAG_DCB_ENABLE Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 5.10 59/93] net: hns3: fix show wrong state when add existing uc mac address Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 5.10 60/93] net: hns3: fix prototype warning Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 5.10 61/93] net: hns3: reconstruct function hns3_self_test Greg Kroah-Hartman
2021-10-04 12:53 ` [PATCH 5.10 62/93] net: hns3: fix always enable rx vlan filter problem after selftest Greg Kroah-Hartman
2021-10-04 12:53 ` [PATCH 5.10 63/93] net: phy: bcm7xxx: Fixed indirect MMD operations Greg Kroah-Hartman
2021-10-04 12:53 ` [PATCH 5.10 64/93] net: sched: flower: protect fl_walk() with rcu Greg Kroah-Hartman
2021-10-04 12:53 ` [PATCH 5.10 65/93] af_unix: fix races in sk_peer_pid and sk_peer_cred accesses Greg Kroah-Hartman
2021-10-04 12:53 ` [PATCH 5.10 66/93] perf/x86/intel: Update event constraints for ICX Greg Kroah-Hartman
2021-10-04 12:53 ` [PATCH 5.10 67/93] hwmon: (pmbus/mp2975) Add missed POUT attribute for page 1 mp2975 controller Greg Kroah-Hartman
2021-10-04 12:53 ` [PATCH 5.10 68/93] nvme: add command id quirk for apple controllers Greg Kroah-Hartman
2021-10-04 12:53 ` [PATCH 5.10 69/93] elf: dont use MAP_FIXED_NOREPLACE for elf interpreter mappings Greg Kroah-Hartman
2021-10-04 12:53 ` [PATCH 5.10 70/93] debugfs: debugfs_create_file_size(): use IS_ERR to check for error Greg Kroah-Hartman
2021-10-04 12:53 ` [PATCH 5.10 71/93] ipack: ipoctal: fix stack information leak Greg Kroah-Hartman
2021-10-04 12:53 ` [PATCH 5.10 72/93] ipack: ipoctal: fix tty registration race Greg Kroah-Hartman
2021-10-04 12:53 ` [PATCH 5.10 73/93] ipack: ipoctal: fix tty-registration error handling Greg Kroah-Hartman
2021-10-04 12:53 ` [PATCH 5.10 74/93] ipack: ipoctal: fix missing allocation-failure check Greg Kroah-Hartman
2021-10-04 12:53 ` [PATCH 5.10 75/93] ipack: ipoctal: fix module reference leak Greg Kroah-Hartman
2021-10-04 12:53 ` [PATCH 5.10 76/93] ext4: fix loff_t overflow in ext4_max_bitmap_size() Greg Kroah-Hartman
2021-10-04 12:53 ` [PATCH 5.10 77/93] ext4: limit the number of blocks in one ADD_RANGE TLV Greg Kroah-Hartman
2021-10-04 12:53 ` [PATCH 5.10 78/93] ext4: fix reserved space counter leakage Greg Kroah-Hartman
2021-10-04 12:53 ` [PATCH 5.10 79/93] ext4: add error checking to ext4_ext_replay_set_iblocks() Greg Kroah-Hartman
2021-10-04 12:53 ` [PATCH 5.10 80/93] ext4: fix potential infinite loop in ext4_dx_readdir() Greg Kroah-Hartman
2021-10-04 12:53 ` [PATCH 5.10 81/93] HID: u2fzero: ignore incomplete packets without data Greg Kroah-Hartman
2021-10-04 12:53 ` [PATCH 5.10 82/93] net: udp: annotate data race around udp_sk(sk)->corkflag Greg Kroah-Hartman
2021-10-04 12:53 ` [PATCH 5.10 83/93] ASoC: dapm: use component prefix when checking widget names Greg Kroah-Hartman
2021-10-04 12:53 ` [PATCH 5.10 84/93] usb: hso: remove the bailout parameter Greg Kroah-Hartman
2021-10-04 12:53 ` [PATCH 5.10 85/93] crypto: ccp - fix resource leaks in ccp_run_aes_gcm_cmd() Greg Kroah-Hartman
2021-10-04 12:53 ` [PATCH 5.10 86/93] HID: betop: fix slab-out-of-bounds Write in betop_probe Greg Kroah-Hartman
2021-10-04 12:53 ` [PATCH 5.10 87/93] netfilter: ipset: Fix oversized kvmalloc() calls Greg Kroah-Hartman
2021-10-04 12:53 ` [PATCH 5.10 88/93] mm: dont allow " Greg Kroah-Hartman
2021-10-04 12:53 ` [PATCH 5.10 89/93] HID: usbhid: free raw_report buffers in usbhid_stop Greg Kroah-Hartman
2021-10-04 12:53 ` [PATCH 5.10 90/93] net: mdiobus: Fix memory leak in __mdiobus_register Greg Kroah-Hartman
2021-10-04 20:58 ` Florian Fainelli
2021-10-04 12:53 ` [PATCH 5.10 91/93] KVM: x86: Handle SRCU initialization failure during page track init Greg Kroah-Hartman
2021-10-04 12:53 ` [PATCH 5.10 92/93] netfilter: conntrack: serialize hash resizes and cleanups Greg Kroah-Hartman
2021-10-04 12:53 ` [PATCH 5.10 93/93] netfilter: nf_tables: Fix oversized kvmalloc() calls Greg Kroah-Hartman
2021-10-04 16:31 ` [PATCH 5.10 00/93] 5.10.71-rc1 review Fox Chen
2021-10-04 18:08 ` Pavel Machek
2021-10-04 19:45 ` Shuah Khan
2021-10-04 20:48 ` Florian Fainelli
2021-10-05 2:40 ` Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20211004125036.392235979@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=anthony.l.nguyen@intel.com \
--cc=davem@davemloft.net \
--cc=linux-kernel@vger.kernel.org \
--cc=sandeep.penigalapati@intel.com \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
--cc=zhoufeng.zf@bytedance.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox