Skip to content

Commit d03b6e6

Browse files
Jianbo LiuSaeed Mahameed
Jianbo Liu
authored and
Saeed Mahameed
committed
net/mlx5e: Move representor neigh cleanup to profile cleanup_tx
For IP tunnel encapsulation in ECMP (Equal-Cost Multipath) mode, as the flow is duplicated to the peer eswitch, the related neighbour information on the peer uplink representor is created as well. In the cited commit, eswitch devcom unpair is moved to uplink unload API, specifically the profile->cleanup_tx. If there is a encap rule offloaded in ECMP mode, when one eswitch does unpair (because of unloading the driver, for instance), and the peer rule from the peer eswitch is going to be deleted, the use-after-free error is triggered while accessing neigh info, as it is already cleaned up in uplink's profile->disable, which is before its profile->cleanup_tx. To fix this issue, move the neigh cleanup to profile's cleanup_tx callback, and after mlx5e_cleanup_uplink_rep_tx is called. The neigh init is moved to init_tx for symmeter. [ 2453.376299] BUG: KASAN: slab-use-after-free in mlx5e_rep_neigh_entry_release+0x109/0x3a0 [mlx5_core] [ 2453.379125] Read of size 4 at addr ffff888127af9008 by task modprobe/2496 [ 2453.381542] CPU: 7 PID: 2496 Comm: modprobe Tainted: G B 6.4.0-rc7+ #15 [ 2453.383386] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 [ 2453.384335] Call Trace: [ 2453.384625] <TASK> [ 2453.384891] dump_stack_lvl+0x33/0x50 [ 2453.385285] print_report+0xc2/0x610 [ 2453.385667] ? __virt_addr_valid+0xb1/0x130 [ 2453.386091] ? mlx5e_rep_neigh_entry_release+0x109/0x3a0 [mlx5_core] [ 2453.386757] kasan_report+0xae/0xe0 [ 2453.387123] ? mlx5e_rep_neigh_entry_release+0x109/0x3a0 [mlx5_core] [ 2453.387798] mlx5e_rep_neigh_entry_release+0x109/0x3a0 [mlx5_core] [ 2453.388465] mlx5e_rep_encap_entry_detach+0xa6/0xe0 [mlx5_core] [ 2453.389111] mlx5e_encap_dealloc+0xa7/0x100 [mlx5_core] [ 2453.389706] mlx5e_tc_tun_encap_dests_unset+0x61/0xb0 [mlx5_core] [ 2453.390361] mlx5_free_flow_attr_actions+0x11e/0x340 [mlx5_core] [ 2453.391015] ? complete_all+0x43/0xd0 [ 2453.391398] ? free_flow_post_acts+0x38/0x120 [mlx5_core] [ 2453.392004] mlx5e_tc_del_fdb_flow+0x4ae/0x690 [mlx5_core] [ 2453.392618] mlx5e_tc_del_fdb_peers_flow+0x308/0x370 [mlx5_core] [ 2453.393276] mlx5e_tc_clean_fdb_peer_flows+0xf5/0x140 [mlx5_core] [ 2453.393925] mlx5_esw_offloads_unpair+0x86/0x540 [mlx5_core] [ 2453.394546] ? mlx5_esw_offloads_set_ns_peer.isra.0+0x180/0x180 [mlx5_core] [ 2453.395268] ? down_write+0xaa/0x100 [ 2453.395652] mlx5_esw_offloads_devcom_event+0x203/0x530 [mlx5_core] [ 2453.396317] mlx5_devcom_send_event+0xbb/0x190 [mlx5_core] [ 2453.396917] mlx5_esw_offloads_devcom_cleanup+0xb0/0xd0 [mlx5_core] [ 2453.397582] mlx5e_tc_esw_cleanup+0x42/0x120 [mlx5_core] [ 2453.398182] mlx5e_rep_tc_cleanup+0x15/0x30 [mlx5_core] [ 2453.398768] mlx5e_cleanup_rep_tx+0x6c/0x80 [mlx5_core] [ 2453.399367] mlx5e_detach_netdev+0xee/0x120 [mlx5_core] [ 2453.399957] mlx5e_netdev_change_profile+0x84/0x170 [mlx5_core] [ 2453.400598] mlx5e_vport_rep_unload+0xe0/0xf0 [mlx5_core] [ 2453.403781] mlx5_eswitch_unregister_vport_reps+0x15e/0x190 [mlx5_core] [ 2453.404479] ? mlx5_eswitch_register_vport_reps+0x200/0x200 [mlx5_core] [ 2453.405170] ? up_write+0x39/0x60 [ 2453.405529] ? kernfs_remove_by_name_ns+0xb7/0xe0 [ 2453.405985] auxiliary_bus_remove+0x2e/0x40 [ 2453.406405] device_release_driver_internal+0x243/0x2d0 [ 2453.406900] ? kobject_put+0x42/0x2d0 [ 2453.407284] bus_remove_device+0x128/0x1d0 [ 2453.407687] device_del+0x240/0x550 [ 2453.408053] ? waiting_for_supplier_show+0xe0/0xe0 [ 2453.408511] ? kobject_put+0xfa/0x2d0 [ 2453.408889] ? __kmem_cache_free+0x14d/0x280 [ 2453.409310] mlx5_rescan_drivers_locked.part.0+0xcd/0x2b0 [mlx5_core] [ 2453.409973] mlx5_unregister_device+0x40/0x50 [mlx5_core] [ 2453.410561] mlx5_uninit_one+0x3d/0x110 [mlx5_core] [ 2453.411111] remove_one+0x89/0x130 [mlx5_core] [ 2453.411628] pci_device_remove+0x59/0xf0 [ 2453.412026] device_release_driver_internal+0x243/0x2d0 [ 2453.412511] ? parse_option_str+0x14/0x90 [ 2453.412915] driver_detach+0x7b/0xf0 [ 2453.413289] bus_remove_driver+0xb5/0x160 [ 2453.413685] pci_unregister_driver+0x3f/0xf0 [ 2453.414104] mlx5_cleanup+0xc/0x20 [mlx5_core] Fixes: 2be5bd4 ("net/mlx5: Handle pairing of E-switch via uplink un/load APIs") Signed-off-by: Jianbo Liu <[email protected]> Reviewed-by: Vlad Buslov <[email protected]> Signed-off-by: Saeed Mahameed <[email protected]>
1 parent 3ec43c1 commit d03b6e6

File tree

1 file changed

+7
-10
lines changed
  • drivers/net/ethernet/mellanox/mlx5/core

1 file changed

+7
-10
lines changed

drivers/net/ethernet/mellanox/mlx5/core/en_rep.c

Lines changed: 7 additions & 10 deletions
Original file line numberDiff line numberDiff line change
@@ -1160,6 +1160,10 @@ static int mlx5e_init_rep_tx(struct mlx5e_priv *priv)
11601160
return err;
11611161
}
11621162

1163+
err = mlx5e_rep_neigh_init(rpriv);
1164+
if (err)
1165+
goto err_neigh_init;
1166+
11631167
if (rpriv->rep->vport == MLX5_VPORT_UPLINK) {
11641168
err = mlx5e_init_uplink_rep_tx(rpriv);
11651169
if (err)
@@ -1176,6 +1180,8 @@ static int mlx5e_init_rep_tx(struct mlx5e_priv *priv)
11761180
if (rpriv->rep->vport == MLX5_VPORT_UPLINK)
11771181
mlx5e_cleanup_uplink_rep_tx(rpriv);
11781182
err_init_tx:
1183+
mlx5e_rep_neigh_cleanup(rpriv);
1184+
err_neigh_init:
11791185
mlx5e_destroy_tises(priv);
11801186
return err;
11811187
}
@@ -1189,22 +1195,17 @@ static void mlx5e_cleanup_rep_tx(struct mlx5e_priv *priv)
11891195
if (rpriv->rep->vport == MLX5_VPORT_UPLINK)
11901196
mlx5e_cleanup_uplink_rep_tx(rpriv);
11911197

1198+
mlx5e_rep_neigh_cleanup(rpriv);
11921199
mlx5e_destroy_tises(priv);
11931200
}
11941201

11951202
static void mlx5e_rep_enable(struct mlx5e_priv *priv)
11961203
{
1197-
struct mlx5e_rep_priv *rpriv = priv->ppriv;
1198-
11991204
mlx5e_set_netdev_mtu_boundaries(priv);
1200-
mlx5e_rep_neigh_init(rpriv);
12011205
}
12021206

12031207
static void mlx5e_rep_disable(struct mlx5e_priv *priv)
12041208
{
1205-
struct mlx5e_rep_priv *rpriv = priv->ppriv;
1206-
1207-
mlx5e_rep_neigh_cleanup(rpriv);
12081209
}
12091210

12101211
static int mlx5e_update_rep_rx(struct mlx5e_priv *priv)
@@ -1254,7 +1255,6 @@ static int uplink_rep_async_event(struct notifier_block *nb, unsigned long event
12541255

12551256
static void mlx5e_uplink_rep_enable(struct mlx5e_priv *priv)
12561257
{
1257-
struct mlx5e_rep_priv *rpriv = priv->ppriv;
12581258
struct net_device *netdev = priv->netdev;
12591259
struct mlx5_core_dev *mdev = priv->mdev;
12601260
u16 max_mtu;
@@ -1276,7 +1276,6 @@ static void mlx5e_uplink_rep_enable(struct mlx5e_priv *priv)
12761276
mlx5_notifier_register(mdev, &priv->events_nb);
12771277
mlx5e_dcbnl_initialize(priv);
12781278
mlx5e_dcbnl_init_app(priv);
1279-
mlx5e_rep_neigh_init(rpriv);
12801279
mlx5e_rep_bridge_init(priv);
12811280

12821281
netdev->wanted_features |= NETIF_F_HW_TC;
@@ -1291,7 +1290,6 @@ static void mlx5e_uplink_rep_enable(struct mlx5e_priv *priv)
12911290

12921291
static void mlx5e_uplink_rep_disable(struct mlx5e_priv *priv)
12931292
{
1294-
struct mlx5e_rep_priv *rpriv = priv->ppriv;
12951293
struct mlx5_core_dev *mdev = priv->mdev;
12961294

12971295
rtnl_lock();
@@ -1301,7 +1299,6 @@ static void mlx5e_uplink_rep_disable(struct mlx5e_priv *priv)
13011299
rtnl_unlock();
13021300

13031301
mlx5e_rep_bridge_cleanup(priv);
1304-
mlx5e_rep_neigh_cleanup(rpriv);
13051302
mlx5e_dcbnl_delete_app(priv);
13061303
mlx5_notifier_unregister(mdev, &priv->events_nb);
13071304
mlx5e_rep_tc_disable(priv);

0 commit comments

Comments
 (0)