lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <864j7p25f6.wl-maz@kernel.org>
Date: Mon, 12 Aug 2024 15:15:41 +0100
From: Marc Zyngier <maz@...nel.org>
To: Breno Leitao <leitao@...ian.org>
Cc: kuba@...nel.org,
	Sunil Goutham <sgoutham@...vell.com>,
	"David S. Miller" <davem@...emloft.net>,
	Eric Dumazet <edumazet@...gle.com>,
	Paolo Abeni <pabeni@...hat.com>,
	horms@...nel.org,
	linux-arm-kernel@...ts.infradead.org (moderated list:ARM/CAVIUM THUNDER NETWORK DRIVER),
	netdev@...r.kernel.org (open list:NETWORKING DRIVERS),
	linux-kernel@...r.kernel.org (open list)
Subject: Re: [PATCH net-next v2] net: thunderx: Unembed netdev structure

On Wed, 26 Jun 2024 18:35:02 +0100,
Breno Leitao <leitao@...ian.org> wrote:
> 
> Embedding net_device into structures prohibits the usage of flexible
> arrays in the net_device structure. For more details, see the discussion
> at [1].
> 
> Un-embed the net_devices from struct lmac by converting them
> into pointers, and allocating them dynamically. Use the leverage
> alloc_netdev() to allocate the net_device object at
> bgx_lmac_enable().
> 
> The free of the device occurs at bgx_lmac_disable().
> 
>  Do not free_netdevice() if bgx_lmac_enable() fails after lmac->netdev
> is allocated, since bgx_lmac_disable() is called if bgx_lmac_enable()
> fails, and lmac->netdev will be freed there (similarly to lmac->dmacs).
> 
> Link: https://lore.kernel.org/all/20240229225910.79e224cf@kernel.org/ [1]
> Signed-off-by: Breno Leitao <leitao@...ian.org>
> ---
> Changelog:
> 
> v2:
> 	* Fixed a wrong dereference in netdev_priv (Jakub)
> 
>  .../net/ethernet/cavium/thunder/thunder_bgx.c | 21 +++++++++++++------
>  1 file changed, 15 insertions(+), 6 deletions(-)

This patch causes my ThunderX box to explode badly:

[   10.022118] thunder_bgx, ver 1.0
[   10.022594] libata version 3.00 loaded.
[   10.023226] mdio_thunder 0000:01:01.3: Added bus at 87e005003800
[   10.023757] mdio_thunder 0000:01:01.3: Added bus at 87e005003880
[   10.035431] thunder_bgx 0000:01:10.0: BGX0 QLM mode: XFI
[   10.045225] Unable to handle kernel NULL pointer dereference at virtual address 00000000000005e8
[   10.069901] Mem abort info:
[   10.085236]   ESR = 0x0000000096000044
[   10.109767]   EC = 0x25: DABT (current EL), IL = 32 bits
[   10.145191]   SET = 0, FnV = 0
[   10.148272]   EA = 0, S1PTW = 0
[   10.151422]   FSC = 0x04: level 0 translation fault
[   10.156309] Data abort info:
[   10.159196]   ISV = 0, ISS = 0x00000044, ISS2 = 0x00000000
[   10.164689]   CM = 0, WnR = 1, TnD = 0, TagAccess = 0
[   10.169752]   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
[   10.175076] user pgtable: 4k pages, 48-bit VAs, pgdp=0000000111b43000
[   10.181533] [00000000000005e8] pgd=0000000000000000, p4d=0000000000000000
[   10.188328] Internal error: Oops: 0000000096000044 [#1] PREEMPT SMP
[   10.194585] Modules linked in: libahci(E) nvme(E) nvme_core(E) t10_pi(E) mdio_thunder(E) thunder_bgx(E+) libata(E) mdio_devres(E) crc64_rocksoft(E) scsi_mod(E) igb(E+) thunder_xcv(E) mdio_cavium(E) crc64(E) i2c_algo_bit(E) gpio_keys(E) usbhid(E) scsi_common(E) of_mdio(E) fixed_phy(E) fwnode_mdio(E) i2c_thunderx(E) libphy(E)
[   10.223291] CPU: 0 PID: 341 Comm: kworker/0:4 Tainted: G            E      6.10.0-rc5-01073-g94833addfaba #3309
[   10.233368] Hardware name: GIGABYTE MT30-GS0/MT30-GS0, BIOS F02 08/06/2019
[   10.240231] Workqueue: events work_for_cpu_fn
[   10.244588] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[   10.251540] pc : bgx_probe+0x44c/0x640 [thunder_bgx]
[   10.256502] lr : bgx_probe+0x410/0x640 [thunder_bgx]
[   10.261460] sp : ffff800084dd3c80
[   10.264876] x29: ffff800084dd3c80 x28: 0000000000000000 x27: ffff000ff6772a70
[   10.272006] x26: ffff00010cb02480 x25: 0000000000000000 x24: ffff80007a325700
[   10.279136] x23: ffff00010c0e60c8 x22: ffff80008100a3d8 x21: ffff000ff6772a88
[   10.286266] x20: ffff00010c0e6000 x19: ffff00010cb02480 x18: ffffffffffffffff
[   10.293396] x17: 000000004b2d2331 x16: 00000000b606f3da x15: 0000000000000006
[   10.300526] x14: 0000000000000000 x13: 3030383330303530 x12: 3065373820746120
[   10.307656] x11: 7375622064656464 x10: ffff800081e158e8 x9 : ffff800080aa9a30
[   10.314786] x8 : 0101010101010101 x7 : 0000000000000000 x6 : ffff00010c0e60c8
[   10.321916] x5 : ffff800084dd3cf8 x4 : 0000000000000000 x3 : 0000000000000000
[   10.329046] x2 : 0000000000000000 x1 : ffff80007a3296d0 x0 : ffff000ff6772a70
[   10.336176] Call trace:
[   10.338613]  bgx_probe+0x44c/0x640 [thunder_bgx]
[   10.343225]  local_pci_probe+0x48/0xb8
[   10.346966]  work_for_cpu_fn+0x24/0x40
[   10.350706]  process_one_work+0x170/0x400
[   10.354707]  worker_thread+0x26c/0x388
[   10.358446]  kthread+0xfc/0x110
[   10.361580]  ret_from_fork+0x10/0x20
[   10.365150] Code: 52800004 52800003 d2800002 f9401f47 (f902f4e6) 
[   10.371232] ---[ end trace 0000000000000000 ]---

and I've confirmed that reverting this patch on top of -rc3 restores
normal behaviour.

There are two issues with this change:

- bgx_lmac_enable() is called *after* bgx_acpi_register_phy() and
  bgx_init_of_phy(), both expecting netdev to be a valid pointer.

- bgx_init_of_phy() populates the MAC addresses for *all* LMACs
  attached to a given BGX instance, and thus needs netdev for each of
  them to have been allocated.

I have posted a potential fix at [1].

Thanks,

	M.

[1] https://lore.kernel.org/r/20240812141322.1742918-1-maz@kernel.org

-- 
Without deviation from the norm, progress is not possible.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ