lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date:   Thu, 22 Nov 2018 15:24:07 +0100
From:   Petr Oros <poros@...hat.com>
To:     netdev@...r.kernel.org
Cc:     ivecera@...hat.com, davem@...emloft.net
Subject: [PATCH net] be2net: Fix NULL pointer dereference in be_tx_timeout()

The driver enumerates Tx queues in ndo_tx_timeout() handler, here is
possible race with be_update_queues. For this case we set carrier_off.
It prevents netdev watchdog to be fired after be_clear_queues().
The watchdog timeout doesn't make any sense here as we re-creating queues.

Reproducer:
We can reproduce bug with ethtool when changing queue count
  ethtool -L $netif combined 1
  ethtool -L $netif combined 32
If oops is not triggered imediately, just run it again or in loop.

Oops:
[  865.768648] NETDEV WATCHDOG: enp4s0f0 (be2net): transmit queue 0 timed out
[  865.775539] WARNING: CPU: 3 PID: 0 at net/sched/sch_generic.c:461 dev_watchdog+0x20d/0x220
[  865.783796] Modules linked in: be2net intel_rapl sb_edac x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel kvm irqbypass crct10dif_pclmul crc32_pclmul iTCO_wdt iTCO_vendor_support ghash_clmulni_intel mei_me intel_cstate intel_uncore ipmi_ssif mei ipmi_si pcspkr sg i2c_i801 joydev lpc_ich intel_rapl_perf ipmi_devintf ioatdma ipmi_msghandler xfs libcrc32c sd_mod mgag200 drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ttm ahci libahci crc32c_intel drm serio_raw libata igb dca i2c_algo_bit wmi dm_mirror dm_region_hash dm_log dm_mod [last unloaded: be2net]
[  865.834289] CPU: 3 PID: 0 Comm: swapper/3 Not tainted 4.20.0-rc3+ #2
[  865.840640] Hardware name: Supermicro X9DBU/X9DBU, BIOS 3.2 01/15/2015
[  865.847168] RIP: 0010:dev_watchdog+0x20d/0x220
[  865.851612] Code: 00 49 63 4e e0 eb 92 4c 89 e7 c6 05 a5 de c9 00 01 e8 f7 b2 fc ff 89 d9 4c 89 e6 48 c7 c7 a0 d1 b2 99 48 89 c2 e8 7d b0 98 ff <0f> 0b eb c0 0f 1f 44 00 00 66 2e 0f 1f 84 00 00 00 00 00 66 66 66
[  865.870358] RSP: 0018:ffff9bee73ac3e88 EFLAGS: 00010282
[  865.875583] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 000000000000083f
[  865.882707] RDX: 0000000000000000 RSI: 00000000000000f6 RDI: 000000000000003f
[  865.889832] RBP: ffff9bee5fa0045c R08: 0000000000000824 R09: 0000000000000007
[  865.896956] R10: 0000000000000000 R11: ffffffff9a3f162d R12: ffff9bee5fa00000
[  865.904088] R13: 0000000000000003 R14: ffff9bee5fa00480 R15: 0000000000000020
[  865.911214] FS:  0000000000000000(0000) GS:ffff9bee73ac0000(0000) knlGS:0000000000000000
[  865.919298] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  865.925037] CR2: 00005580497ce040 CR3: 00000002cf60a004 CR4: 00000000000606e0
[  865.932170] Call Trace:
[  865.934626]  <IRQ>
[  865.936645]  ? pfifo_fast_dequeue+0x160/0x160
[  865.941005]  call_timer_fn+0x2b/0x130
[  865.944670]  run_timer_softirq+0x3b9/0x3f0
[  865.948768]  ? tick_sched_timer+0x37/0x70
[  865.952779]  ? __hrtimer_run_queues+0x110/0x280
[  865.957314]  __do_softirq+0xdd/0x2fe
[  865.960896]  irq_exit+0xfa/0x100
[  865.964125]  smp_apic_timer_interrupt+0x74/0x140
[  865.968745]  apic_timer_interrupt+0xf/0x20
[  865.972844]  </IRQ>
[  865.974953] RIP: 0010:cpuidle_enter_state+0xb0/0x320
[  865.979915] Code: 89 c3 66 66 66 66 90 31 ff e8 0c 07 a6 ff 80 7c 24 0b 00 74 12 9c 58 f6 c4 02 0f 85 46 02 00 00 31 ff e8 33 e0 ab ff fb 85 ed <0f> 88 1a 02 00 00 48 b8 ff ff ff ff f3 01 00 00 48 2b 1c 24 48 39
[  865.998661] RSP: 0018:ffffbc9ac19e7ea0 EFLAGS: 00000206 ORIG_RAX: ffffffffffffff13
[  866.006225] RAX: ffff9bee73ae1dc0 RBX: 000000c9938e11ae RCX: 000000000000001f
[  866.013350] RDX: 000000c9938e11ae RSI: 00000000435e532a RDI: 0000000000000000
[  866.020474] RBP: 0000000000000005 R08: 0000000000000002 R09: 0000000000021640
[  866.027598] R10: 00009c434b946fde R11: ffff9bee73ae0e44 R12: ffffffff99d27538
[  866.034723] R13: ffff9bee73aec628 R14: 0000000000000005 R15: 0000000000000000
[  866.041860]  do_idle+0x1f1/0x230
[  866.045091]  cpu_startup_entry+0x19/0x20
[  866.049016]  start_secondary+0x195/0x1e0
[  866.052943]  secondary_startup_64+0xb6/0xc0
[  866.057129] ---[ end trace dead88c26bcd8261 ]---
[  866.061750] be2net 0000:04:00.0: TXQ Dump: 0 H: 0 T: 0 used: 0, qid: 0x2
[  866.068452] BUG: unable to handle kernel NULL pointer dereference at 0000000000000000
[  866.076273] PGD 0 P4D 0
[  866.078810] Oops: 0000 [#1] SMP PTI
[  866.082305] CPU: 3 PID: 0 Comm: swapper/3 Tainted: G        W         4.20.0-rc3+ #2
[  866.090041] Hardware name: Supermicro X9DBU/X9DBU, BIOS 3.2 01/15/2015
[  866.096566] RIP: 0010:be_tx_timeout+0x7c/0x300 [be2net]
[  866.101786] Code: 8b 45 1c 41 8b 4d 14 48 89 df 31 ed 45 8b 4d 18 48 c7 c6 80 51 2c c0 50 45 8b 45 10 8b 54 24 14 e8 09 a7 cb d8 4d 8b 7d 20 59 <41> 8b 0c af 45 8b 44 af 04 41 8b 74 af 0c 45 8b 4c af 08 89 ca 44
[  866.120532] RSP: 0018:ffff9bee73ac3e38 EFLAGS: 00010246
[  866.125758] RAX: 0000000000000000 RBX: ffff9bee72d6b0b0 RCX: 0000000000000002
[  866.132882] RDX: 0000000000000000 RSI: 00000000000000f6 RDI: 000000000000003f
[  866.140014] RBP: 0000000000000000 R08: 000000000000084d R09: 0000000000000007
[  866.147138] R10: 0000000000000000 R11: ffffffff9a3f162d R12: ffffffffc02c60ab
[  866.154263] R13: ffff9bee5fa04b40 R14: ffffffffc02c613a R15: 0000000000000000
[  866.161388] FS:  0000000000000000(0000) GS:ffff9bee73ac0000(0000) knlGS:0000000000000000
[  866.169472] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  866.175210] CR2: 0000000000000000 CR3: 00000002cf60a004 CR4: 00000000000606e0
[  866.182334] Call Trace:
[  866.184781]  <IRQ>
[  866.186799]  dev_watchdog+0x1e4/0x220
[  866.190466]  ? pfifo_fast_dequeue+0x160/0x160
[  866.194825]  call_timer_fn+0x2b/0x130
[  866.198491]  run_timer_softirq+0x3b9/0x3f0
[  866.202590]  ? tick_sched_timer+0x37/0x70
[  866.206604]  ? __hrtimer_run_queues+0x110/0x280
[  866.211134]  __do_softirq+0xdd/0x2fe
[  866.214715]  irq_exit+0xfa/0x100
[  866.217948]  smp_apic_timer_interrupt+0x74/0x140
[  866.222566]  apic_timer_interrupt+0xf/0x20
[  866.226664]  </IRQ>
[  866.228762] RIP: 0010:cpuidle_enter_state+0xb0/0x320
[  866.233727] Code: 89 c3 66 66 66 66 90 31 ff e8 0c 07 a6 ff 80 7c 24 0b 00 74 12 9c 58 f6 c4 02 0f 85 46 02 00 00 31 ff e8 33 e0 ab ff fb 85 ed <0f> 88 1a 02 00 00 48 b8 ff ff ff ff f3 01 00 00 48 2b 1c 24 48 39
[  866.252465] RSP: 0018:ffffbc9ac19e7ea0 EFLAGS: 00000206 ORIG_RAX: ffffffffffffff13
[  866.260031] RAX: ffff9bee73ae1dc0 RBX: 000000c9938e11ae RCX: 000000000000001f
[  866.267164] RDX: 000000c9938e11ae RSI: 00000000435e532a RDI: 0000000000000000
[  866.274288] RBP: 0000000000000005 R08: 0000000000000002 R09: 0000000000021640
[  866.281421] R10: 00009c434b946fde R11: ffff9bee73ae0e44 R12: ffffffff99d27538
[  866.288545] R13: ffff9bee73aec628 R14: 0000000000000005 R15: 0000000000000000
[  866.295680]  do_idle+0x1f1/0x230
[  866.298913]  cpu_startup_entry+0x19/0x20
[  866.302839]  start_secondary+0x195/0x1e0
[  866.306764]  secondary_startup_64+0xb6/0xc0
[  866.310948] Modules linked in: be2net intel_rapl sb_edac x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel kvm irqbypass crct10dif_pclmul crc32_pclmul iTCO_wdt iTCO_vendor_support ghash_clmulni_intel mei_me intel_cstate intel_uncore ipmi_ssif mei ipmi_si pcspkr sg i2c_i801 joydev lpc_ich intel_rapl_perf ipmi_devintf ioatdma ipmi_msghandler xfs libcrc32c sd_mod mgag200 drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ttm ahci libahci crc32c_intel drm serio_raw libata igb dca i2c_algo_bit wmi dm_mirror dm_region_hash dm_log dm_mod [last unloaded: be2net]
[  866.361432] CR2: 0000000000000000
[  866.364748] ---[ end trace dead88c26bcd8262 ]---
[  866.507013] RIP: 0010:be_tx_timeout+0x7c/0x300 [be2net]
[  866.512234] Code: 8b 45 1c 41 8b 4d 14 48 89 df 31 ed 45 8b 4d 18 48 c7 c6 80 51 2c c0 50 45 8b 45 10 8b 54 24 14 e8 09 a7 cb d8 4d 8b 7d 20 59 <41> 8b 0c af 45 8b 44 af 04 41 8b 74 af 0c 45 8b 4c af 08 89 ca 44
[  866.530980] RSP: 0018:ffff9bee73ac3e38 EFLAGS: 00010246
[  866.536206] RAX: 0000000000000000 RBX: ffff9bee72d6b0b0 RCX: 0000000000000002
[  866.543330] RDX: 0000000000000000 RSI: 00000000000000f6 RDI: 000000000000003f
[  866.550454] RBP: 0000000000000000 R08: 000000000000084d R09: 0000000000000007
[  866.557578] R10: 0000000000000000 R11: ffffffff9a3f162d R12: ffffffffc02c60ab
[  866.564710] R13: ffff9bee5fa04b40 R14: ffffffffc02c613a R15: 0000000000000000
[  866.571835] FS:  0000000000000000(0000) GS:ffff9bee73ac0000(0000) knlGS:0000000000000000
[  866.579920] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  866.585658] CR2: 0000000000000000 CR3: 00000002cf60a004 CR4: 00000000000606e0
[  866.592784] Kernel panic - not syncing: Fatal exception in interrupt
[  866.599179] Kernel Offset: 0x17a00000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)

Fixes: c1b3bdb2ffa9 ("be2net: gather debug info and reset adapter (only for Lancer) on a tx-timeout")
Signed-off-by: Petr Oros <poros@...hat.com>
---
 drivers/net/ethernet/emulex/benet/be_main.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/drivers/net/ethernet/emulex/benet/be_main.c b/drivers/net/ethernet/emulex/benet/be_main.c
index c5ad7a4f4d83..02202c5e6794 100644
--- a/drivers/net/ethernet/emulex/benet/be_main.c
+++ b/drivers/net/ethernet/emulex/benet/be_main.c
@@ -4700,8 +4700,11 @@ int be_update_queues(struct be_adapter *adapter)
 	struct net_device *netdev = adapter->netdev;
 	int status;
 
-	if (netif_running(netdev))
+	if (netif_running(netdev)) {
+		/* prevent netdev watchdog during tx queue destroy */
+		netif_carrier_off(netdev);
 		be_close(netdev);
+	}
 
 	be_cancel_worker(adapter);
 
-- 
2.18.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ