net/mlx5e: Fix netif state handling

PlaidCat · PlaidCat · commit 7bc4f3ee7128 · 2024-09-12T13:28:11.000-04:00
jira LE-1907 cve CVE-2024-38608 Rebuild_History Non-Buildable kernel-5.14.0-427.33.1.el9_4 commit-author Shay Drory <shayd@nvidia.com> commit 3d59184 Empty-Commit: Cherry-Pick Conflicts during history rebuild. Will be included in final tarball splat. Ref for failed cherry-pick at: ciq/ciq_backports/kernel-5.14.0-427.33.1.el9_4/3d591847.failed mlx5e_suspend cleans resources only if netif_device_present() returns true. However, mlx5e_resume changes the state of netif, via mlx5e_nic_enable, only if reg_state == NETREG_REGISTERED. In the below case, the above leads to NULL-ptr Oops[1] and memory leaks: mlx5e_probe _mlx5e_resume mlx5e_attach_netdev mlx5e_nic_enable <-- netdev not reg, not calling netif_device_attach() register_netdev <-- failed for some reason. ERROR_FLOW: _mlx5e_suspend <-- netif_device_present return false, resources aren't freed :( Hence, clean resources in this case as well. [1] BUG: kernel NULL pointer dereference, address: 0000000000000000 PGD 0 P4D 0 Oops: 0010 [#1] SMP CPU: 2 PID: 9345 Comm: test-ovs-ct-gen Not tainted 6.5.0_for_upstream_min_debug_2023_09_05_16_01 #1 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 RIP: 0010:0x0 Code: Unable to access opcode bytes at0xffffffffffffffd6. RSP: 0018:ffff888178aaf758 EFLAGS: 00010246 Call Trace: <TASK> ? __die+0x20/0x60 ? page_fault_oops+0x14c/0x3c0 ? exc_page_fault+0x75/0x140 ? asm_exc_page_fault+0x22/0x30 notifier_call_chain+0x35/0xb0 blocking_notifier_call_chain+0x3d/0x60 mlx5_blocking_notifier_call_chain+0x22/0x30 [mlx5_core] mlx5_core_uplink_netdev_event_replay+0x3e/0x60 [mlx5_core] mlx5_mdev_netdev_track+0x53/0x60 [mlx5_ib] mlx5_ib_roce_init+0xc3/0x340 [mlx5_ib] __mlx5_ib_add+0x34/0xd0 [mlx5_ib] mlx5r_probe+0xe1/0x210 [mlx5_ib] ? auxiliary_match_id+0x6a/0x90 auxiliary_bus_probe+0x38/0x80 ? driver_sysfs_add+0x51/0x80 really_probe+0xc9/0x3e0 ? driver_probe_device+0x90/0x90 __driver_probe_device+0x80/0x160 driver_probe_device+0x1e/0x90 __device_attach_driver+0x7d/0x100 bus_for_each_drv+0x80/0xd0 __device_attach+0xbc/0x1f0 bus_probe_device+0x86/0xa0 device_add+0x637/0x840 __auxiliary_device_add+0x3b/0xa0 add_adev+0xc9/0x140 [mlx5_core] mlx5_rescan_drivers_locked+0x22a/0x310 [mlx5_core] mlx5_register_device+0x53/0xa0 [mlx5_core] mlx5_init_one_devl_locked+0x5c4/0x9c0 [mlx5_core] mlx5_init_one+0x3b/0x60 [mlx5_core] probe_one+0x44c/0x730 [mlx5_core] local_pci_probe+0x3e/0x90 pci_device_probe+0xbf/0x210 ? kernfs_create_link+0x5d/0xa0 ? sysfs_do_create_link_sd+0x60/0xc0 really_probe+0xc9/0x3e0 ? driver_probe_device+0x90/0x90 __driver_probe_device+0x80/0x160 driver_probe_device+0x1e/0x90 __device_attach_driver+0x7d/0x100 bus_for_each_drv+0x80/0xd0 __device_attach+0xbc/0x1f0 pci_bus_add_device+0x54/0x80 pci_iov_add_virtfn+0x2e6/0x320 sriov_enable+0x208/0x420 mlx5_core_sriov_configure+0x9e/0x200 [mlx5_core] sriov_numvfs_store+0xae/0x1a0 kernfs_fop_write_iter+0x10c/0x1a0 vfs_write+0x291/0x3c0 ksys_write+0x5f/0xe0 do_syscall_64+0x3d/0x90 entry_SYSCALL_64_after_hwframe+0x46/0xb0 CR2: 0000000000000000 ---[ end trace 0000000000000000 ]--- Fixes: 2c3b5be ("net/mlx5e: More generic netdev management API") Signed-off-by: Shay Drory <shayd@nvidia.com> Signed-off-by: Tariq Toukan <tariqt@nvidia.com> Reviewed-by: Simon Horman <horms@kernel.org> Link: https://lore.kernel.org/r/20240509112951.590184-2-tariqt@nvidia.com Signed-off-by: Jakub Kicinski <kuba@kernel.org> (cherry picked from commit 3d59184) Signed-off-by: Jonathan Maple <jmaple@ciq.com> # Conflicts: # drivers/net/ethernet/mellanox/mlx5/core/en_main.c
diff --git a/ciq/ciq_backports/kernel-5.14.0-427.33.1.el9_4/3d591847.failed b/ciq/ciq_backports/kernel-5.14.0-427.33.1.el9_4/3d591847.failed
@@ -0,0 +1,184 @@
+net/mlx5e: Fix netif state handling
+
+jira LE-1907
+cve CVE-2024-38608
+Rebuild_History Non-Buildable kernel-5.14.0-427.33.1.el9_4
+commit-author Shay Drory <shayd@nvidia.com>
+commit 3d5918477f94e4c2f064567875c475468e264644
+Empty-Commit: Cherry-Pick Conflicts during history rebuild.
+Will be included in final tarball splat. Ref for failed cherry-pick at:
+ciq/ciq_backports/kernel-5.14.0-427.33.1.el9_4/3d591847.failed
+
+mlx5e_suspend cleans resources only if netif_device_present() returns
+true. However, mlx5e_resume changes the state of netif, via
+mlx5e_nic_enable, only if reg_state == NETREG_REGISTERED.
+In the below case, the above leads to NULL-ptr Oops[1] and memory
+leaks:
+
+mlx5e_probe
+ _mlx5e_resume
+  mlx5e_attach_netdev
+   mlx5e_nic_enable  <-- netdev not reg, not calling netif_device_attach()
+  register_netdev <-- failed for some reason.
+ERROR_FLOW:
+ _mlx5e_suspend <-- netif_device_present return false, resources aren't freed :(
+
+Hence, clean resources in this case as well.
+
+[1]
+BUG: kernel NULL pointer dereference, address: 0000000000000000
+PGD 0 P4D 0
+Oops: 0010 [#1] SMP
+CPU: 2 PID: 9345 Comm: test-ovs-ct-gen Not tainted 6.5.0_for_upstream_min_debug_2023_09_05_16_01 #1
+Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
+RIP: 0010:0x0
+Code: Unable to access opcode bytes at0xffffffffffffffd6.
+RSP: 0018:ffff888178aaf758 EFLAGS: 00010246
+Call Trace:
+ <TASK>
+ ? __die+0x20/0x60
+ ? page_fault_oops+0x14c/0x3c0
+ ? exc_page_fault+0x75/0x140
+ ? asm_exc_page_fault+0x22/0x30
+ notifier_call_chain+0x35/0xb0
+ blocking_notifier_call_chain+0x3d/0x60
+ mlx5_blocking_notifier_call_chain+0x22/0x30 [mlx5_core]
+ mlx5_core_uplink_netdev_event_replay+0x3e/0x60 [mlx5_core]
+ mlx5_mdev_netdev_track+0x53/0x60 [mlx5_ib]
+ mlx5_ib_roce_init+0xc3/0x340 [mlx5_ib]
+ __mlx5_ib_add+0x34/0xd0 [mlx5_ib]
+ mlx5r_probe+0xe1/0x210 [mlx5_ib]
+ ? auxiliary_match_id+0x6a/0x90
+ auxiliary_bus_probe+0x38/0x80
+ ? driver_sysfs_add+0x51/0x80
+ really_probe+0xc9/0x3e0
+ ? driver_probe_device+0x90/0x90
+ __driver_probe_device+0x80/0x160
+ driver_probe_device+0x1e/0x90
+ __device_attach_driver+0x7d/0x100
+ bus_for_each_drv+0x80/0xd0
+ __device_attach+0xbc/0x1f0
+ bus_probe_device+0x86/0xa0
+ device_add+0x637/0x840
+ __auxiliary_device_add+0x3b/0xa0
+ add_adev+0xc9/0x140 [mlx5_core]
+ mlx5_rescan_drivers_locked+0x22a/0x310 [mlx5_core]
+ mlx5_register_device+0x53/0xa0 [mlx5_core]
+ mlx5_init_one_devl_locked+0x5c4/0x9c0 [mlx5_core]
+ mlx5_init_one+0x3b/0x60 [mlx5_core]
+ probe_one+0x44c/0x730 [mlx5_core]
+ local_pci_probe+0x3e/0x90
+ pci_device_probe+0xbf/0x210
+ ? kernfs_create_link+0x5d/0xa0
+ ? sysfs_do_create_link_sd+0x60/0xc0
+ really_probe+0xc9/0x3e0
+ ? driver_probe_device+0x90/0x90
+ __driver_probe_device+0x80/0x160
+ driver_probe_device+0x1e/0x90
+ __device_attach_driver+0x7d/0x100
+ bus_for_each_drv+0x80/0xd0
+ __device_attach+0xbc/0x1f0
+ pci_bus_add_device+0x54/0x80
+ pci_iov_add_virtfn+0x2e6/0x320
+ sriov_enable+0x208/0x420
+ mlx5_core_sriov_configure+0x9e/0x200 [mlx5_core]
+ sriov_numvfs_store+0xae/0x1a0
+ kernfs_fop_write_iter+0x10c/0x1a0
+ vfs_write+0x291/0x3c0
+ ksys_write+0x5f/0xe0
+ do_syscall_64+0x3d/0x90
+ entry_SYSCALL_64_after_hwframe+0x46/0xb0
+ CR2: 0000000000000000
+ ---[ end trace 0000000000000000  ]---
+
+Fixes: 2c3b5beec46a ("net/mlx5e: More generic netdev management API")
+	Signed-off-by: Shay Drory <shayd@nvidia.com>
+	Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
+	Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://lore.kernel.org/r/20240509112951.590184-2-tariqt@nvidia.com
+	Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+(cherry picked from commit 3d5918477f94e4c2f064567875c475468e264644)
+	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
+
+# Conflicts:
+#	drivers/net/ethernet/mellanox/mlx5/core/en_main.c
+diff --cc drivers/net/ethernet/mellanox/mlx5/core/en_main.c
+index 53343da28517,64497b6eebd3..000000000000
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
+@@@ -6011,10 -6064,13 +6011,10 @@@ static int _mlx5e_suspend(struct auxili
+  	struct mlx5e_priv *priv = mlx5e_dev->priv;
+  	struct net_device *netdev = priv->netdev;
+  	struct mlx5_core_dev *mdev = priv->mdev;
+ -	struct mlx5_core_dev *pos;
+ -	int i;
+  
+- 	if (!netif_device_present(netdev)) {
++ 	if (!pre_netdev_reg && !netif_device_present(netdev)) {
+  		if (test_bit(MLX5E_STATE_DESTROYING, &priv->state))
+ -			mlx5_sd_for_each_dev(i, mdev, pos)
+ -				mlx5e_destroy_mdev_resources(pos);
+ +			mlx5e_destroy_mdev_resources(mdev);
+  		return -ENODEV;
+  	}
+  
+@@@ -6025,7 -6083,17 +6025,21 @@@
+  
+  static int mlx5e_suspend(struct auxiliary_device *adev, pm_message_t state)
+  {
+++<<<<<<< HEAD
+ +	return _mlx5e_suspend(adev);
+++=======
++ 	struct mlx5_adev *edev = container_of(adev, struct mlx5_adev, adev);
++ 	struct mlx5_core_dev *mdev = edev->mdev;
++ 	struct auxiliary_device *actual_adev;
++ 	int err = 0;
++ 
++ 	actual_adev = mlx5_sd_get_adev(mdev, adev, edev->idx);
++ 	if (actual_adev)
++ 		err = _mlx5e_suspend(actual_adev, false);
++ 
++ 	mlx5_sd_cleanup(mdev);
++ 	return err;
+++>>>>>>> 3d5918477f94 (net/mlx5e: Fix netif state handling)
+  }
+  
+  static int _mlx5e_probe(struct auxiliary_device *adev)
+@@@ -6104,18 -6172,32 +6118,18 @@@ err_devlink_unregister
+  static int mlx5e_probe(struct auxiliary_device *adev,
+  		       const struct auxiliary_device_id *id)
+  {
+ -	struct mlx5_adev *edev = container_of(adev, struct mlx5_adev, adev);
+ -	struct mlx5_core_dev *mdev = edev->mdev;
+ -	struct auxiliary_device *actual_adev;
+ -	int err;
+ -
+ -	err = mlx5_sd_init(mdev);
+ -	if (err)
+ -		return err;
+ -
+ -	actual_adev = mlx5_sd_get_adev(mdev, adev, edev->idx);
+ -	if (actual_adev)
+ -		return _mlx5e_probe(actual_adev);
+ -	return 0;
+ +	return _mlx5e_probe(adev);
+  }
+  
+ -static void _mlx5e_remove(struct auxiliary_device *adev)
+ +static void mlx5e_remove(struct auxiliary_device *adev)
+  {
+ -	struct mlx5_adev *edev = container_of(adev, struct mlx5_adev, adev);
+  	struct mlx5e_dev *mlx5e_dev = auxiliary_get_drvdata(adev);
+  	struct mlx5e_priv *priv = mlx5e_dev->priv;
+ -	struct mlx5_core_dev *mdev = edev->mdev;
+  
+ -	mlx5_core_uplink_netdev_set(mdev, NULL);
+ +	mlx5_core_uplink_netdev_set(priv->mdev, NULL);
+  	mlx5e_dcbnl_delete_app(priv);
+  	unregister_netdev(priv->netdev);
+- 	_mlx5e_suspend(adev);
++ 	_mlx5e_suspend(adev, false);
+  	priv->profile->cleanup(priv);
+  	mlx5e_destroy_netdev(priv);
+  	mlx5e_devlink_port_unregister(mlx5e_dev);
+* Unmerged path drivers/net/ethernet/mellanox/mlx5/core/en_main.c
