[SRU][J][PATCH 1/1] net: mana: Fix error handling in mana_create_txq/rxq's NAPI cleanup
John Cabaj
john.cabaj at canonical.com
Fri Jan 31 22:30:30 UTC 2025
From: Souradeep Chakrabarti <schakrabarti at linux.microsoft.com>
Currently napi_disable() gets called during rxq and txq cleanup,
even before napi is enabled and hrtimer is initialized. It causes
kernel panic.
? page_fault_oops+0x136/0x2b0
? page_counter_cancel+0x2e/0x80
? do_user_addr_fault+0x2f2/0x640
? refill_obj_stock+0xc4/0x110
? exc_page_fault+0x71/0x160
? asm_exc_page_fault+0x27/0x30
? __mmdrop+0x10/0x180
? __mmdrop+0xec/0x180
? hrtimer_active+0xd/0x50
hrtimer_try_to_cancel+0x2c/0xf0
hrtimer_cancel+0x15/0x30
napi_disable+0x65/0x90
mana_destroy_rxq+0x4c/0x2f0
mana_create_rxq.isra.0+0x56c/0x6d0
? mana_uncfg_vport+0x50/0x50
mana_alloc_queues+0x21b/0x320
? skb_dequeue+0x5f/0x80
Cc: stable at vger.kernel.org
Fixes: e1b5683ff62e ("net: mana: Move NAPI from EQ to CQ")
Signed-off-by: Souradeep Chakrabarti <schakrabarti at linux.microsoft.com>
Reviewed-by: Haiyang Zhang <haiyangz at microsoft.com>
Reviewed-by: Shradha Gupta <shradhagupta at linux.microsoft.com>
Signed-off-by: David S. Miller <davem at davemloft.net>
(backported from commit b6ecc662037694488bfff7c9fd21c405df8411f2)
[john-cabaj: context changes]
CVE-2024-46784
Signed-off-by: John Cabaj <john.cabaj at canonical.com>
---
drivers/net/ethernet/microsoft/mana/mana.h | 2 ++
drivers/net/ethernet/microsoft/mana/mana_en.c | 22 ++++++++++++-------
2 files changed, 16 insertions(+), 8 deletions(-)
diff --git a/drivers/net/ethernet/microsoft/mana/mana.h b/drivers/net/ethernet/microsoft/mana/mana.h
index 35e937a7079c..b10c9672d1ad 100644
--- a/drivers/net/ethernet/microsoft/mana/mana.h
+++ b/drivers/net/ethernet/microsoft/mana/mana.h
@@ -77,6 +77,8 @@ struct mana_txq {
atomic_t pending_sends;
struct mana_stats stats;
+
+ bool napi_initialized;
};
/* skb data and frags dma mappings */
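Review bot: The new `napi_initialized` field in struct mana_txq has no comment saying what it tracks or who writes it, and the NAPI instance it describes lives in the sibling CQ (`tx_qp[i].tx_cq.napi` in the mana_en.c hunks) rather than in the txq itself. A one-line comment would make the contract explicit, for example `/* true only between napi_enable() in mana_create_txq() and netif_napi_del() in mana_destroy_txq() */`. The struct definition begins outside this hunk.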
diff --git a/drivers/net/ethernet/microsoft/mana/mana_en.c b/drivers/net/ethernet/microsoft/mana/mana_en.c
index f7b4efc3dadb..f19fe3fc2cf7 100644
--- a/drivers/net/ethernet/microsoft/mana/mana_en.c
+++ b/drivers/net/ethernet/microsoft/mana/mana_en.c
@@ -1158,10 +1158,12 @@ static void mana_destroy_txq(struct mana_port_context *apc)
for (i = 0; i < apc->num_queues; i++) {
napi = &apc->tx_qp[i].tx_cq.napi;
- napi_synchronize(napi);
- napi_disable(napi);
- netif_napi_del(napi);
-
+ if (apc->tx_qp[i].txq.napi_initialized) {
+ napi_synchronize(napi);
+ napi_disable(napi);
+ netif_napi_del(napi);
+ apc->tx_qp[i].txq.napi_initialized = false;
+ }
mana_destroy_wq_obj(apc, GDMA_SQ, apc->tx_qp[i].tx_object);
mana_deinit_cq(apc, &apc->tx_qp[i].tx_cq);
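Review bot: The guard on `apc->tx_qp[i].txq.napi_initialized` is evaluated for every index up to `apc->num_queues`, but the only explicit write of `false` is in mana_create_txq's setup, which appears to be per queue. After a partial-creation failure, the entries that setup never reached are therefore safe only if the `tx_qp` array was zero-allocated, and that allocation is not visible in these hunks. If it is a zeroing allocation, a comment at the guard such as `/* entries not reached by mana_create_txq() stay false via the zeroed tx_qp array */` would record the dependency. If it is not, a stale non-zero value would bring back the napi_disable() on uninitialised state that this patch is meant to remove. The loop and the function continue outside the hunk.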
@@ -1217,6 +1219,7 @@ static int mana_create_txq(struct mana_port_context *apc,
txq->ndev = net;
txq->net_txq = netdev_get_tx_queue(net, i);
txq->vp_offset = apc->tx_vp_offset;
+ txq->napi_initialized = false;
skb_queue_head_init(&txq->pending_skbs);
memset(&spec, 0, sizeof(spec));
@@ -1281,6 +1284,7 @@ static int mana_create_txq(struct mana_port_context *apc,
netif_tx_napi_add(net, &cq->napi, mana_poll, NAPI_POLL_WEIGHT);
napi_enable(&cq->napi);
+ txq->napi_initialized = true;
mana_gd_ring_cq(cq->gdma_cq, SET_ARM_BIT);
}
@@ -1292,7 +1296,7 @@ static int mana_create_txq(struct mana_port_context *apc,
}
static void mana_destroy_rxq(struct mana_port_context *apc,
- struct mana_rxq *rxq, bool validate_state)
+ struct mana_rxq *rxq, bool napi_initialized)
{
struct gdma_context *gc = apc->ac->gdma_dev->gdma_context;
@@ -1306,11 +1310,13 @@ static void mana_destroy_rxq(struct mana_port_context *apc,
napi = &rxq->rx_cq.napi;
- if (validate_state)
+ if (napi_initialized) {
napi_synchronize(napi);
- napi_disable(napi);
- netif_napi_del(napi);
+ napi_disable(napi);
+
+ netif_napi_del(napi);
+ }
mana_destroy_wq_obj(apc, GDMA_RQ, rxq->rxobj);
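Review bot: Reusing the third parameter changes what `false` means for existing callers of mana_destroy_rxq(): it used to skip only napi_synchronize(), and now it also skips napi_disable() and netif_napi_del(). The call sites are not part of this patch, so it is worth confirming that every caller passing `false` does so only before NAPI has been added for the rx CQ. A `false` after that point would leave the napi instance registered on the netdev while the rxq is torn down. A comment above the function, for example `/* napi_initialized: true only if NAPI was added and enabled for rxq->rx_cq.napi */`, would state this and explain why the rx path takes the state from the caller while the tx path stores it in struct mana_txq. The function body starts and ends outside the hunk.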
--
2.43.0