On 6/29/18 4:52 AM, Neil Horman wrote: > On repeated module load/unload cycles, its possible for the pvrmda > driver to encounter this crash: > > ... > 297.032448] RIP: 0010:[<ffffffff839e4620>] [<ffffffff839e4620>] netdev_walk_all_upper_dev_rcu+0x50/0xb0 > [ 297.034078] RSP: 0018:ffff95087780bd08 EFLAGS: 00010286 > [ 297.034986] RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff95087a0c0000 > [ 297.036196] RDX: ffff95087a0c0000 RSI: ffffffff839e44e0 RDI: ffff950835d0c000 > [ 297.037421] RBP: ffff95087780bd40 R08: ffff95087a0e0ea0 R09: abddacd03f8e0ea0 > [ 297.038636] R10: abddacd03f8e0ea0 R11: ffffef5901e9dbc0 R12: ffff95087a0c0000 > [ 297.039854] R13: ffffffff839e44e0 R14: ffff95087a0c0000 R15: ffff950835d0c828 > [ 297.041071] FS: 0000000000000000(0000) GS:ffff95087fc00000(0000) knlGS:0000000000000000 > [ 297.042443] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 > [ 297.043429] CR2: ffffffffffffffe8 CR3: 000000007a652000 CR4: 00000000003607f0 > [ 297.044674] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 > [ 297.045893] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 > [ 297.047109] Call Trace: > [ 297.047545] [<ffffffff839e4698>] netdev_has_upper_dev_all_rcu+0x18/0x20 > [ 297.048691] [<ffffffffc05d31af>] is_eth_port_of_netdev+0x2f/0xa0 [ib_core] > [ 297.049886] [<ffffffffc05d3180>] ? is_eth_active_slave_of_bonding_rcu+0x70/0x70 [ib_core] > ... > > This occurs because vmw_pvrdma on probe stores a pointer to the netdev > that exists on function 0 of the same bus/device/slot (which represents > the vmxnet3 ethernet driver). However, it never removes this pointer if > the vmxnet3 module is removed, leading to crashes resulting from use > after free dereferencing incidents like the one above. > > The fix is pretty straightforward. vmw_pvrdma should listen for > NETDEV_REGISTER and NETDEV_UNREGISTER events in its event listener code > block, and update the stored netdev pointer accordingly. This solution > has been tested by myself and the reporter with successful results. > This fix also allows the pvrdma driver to find its underlying ethernet > device in the event that vmxnet3 is loaded after pvrdma, which it was > not able to do before. > > Signed-off-by: Neil Horman <nhorman@xxxxxxxxxxxxx> > Reported-by: ruquin@xxxxxxxxxx > CC: Adit Ranadive <aditr@xxxxxxxxxx> > CC: VMware PV-Drivers <pv-drivers@xxxxxxxxxx> > CC: Doug Ledford <dledford@xxxxxxxxxx> > CC: Jason Gunthorpe <jgg@xxxxxxxx> > CC: linux-kernel@xxxxxxxxxxxxxxx > > --- > Change notes > > v2) > * Move dev_hold in pvrda_pci_probe to below null check (aditr) > * Add dev_puts to probe error path and pvrda_pci_remove (jgg) > * Cleaned up some checkpatch warnings (nhorman) > --- > .../infiniband/hw/vmw_pvrdma/pvrdma_main.c | 39 ++++++++++++++++++- > 1 file changed, 37 insertions(+), 2 deletions(-) Thanks Neil! Tested-by: Adit Ranadive <aditr@xxxxxxxxxx> Acked-by: Adit Ranadive <aditr@xxxxxxxxxx> -- To unsubscribe from this list: send the line "unsubscribe linux-rdma" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
