linux_dsm_epyc7002/drivers/net/ethernet/mellanox/mlxsw
Ido Schimmel 971de2e572 mlxsw: spectrum_acl: Fix use-after-free during reload
During reload (or module unload), the router block is de-initialized.
Among other things, this results in the removal of a default multicast
route from each active virtual router (VRF). These default routes are
configured during initialization to trap packets to the CPU. In
Spectrum-2, unlike Spectrum-1, multicast routes are implemented using
ACL rules.

Since the router block is de-initialized before the ACL block, it is
possible that the ACL rules corresponding to the default routes are
deleted while being accessed by the ACL delayed work that queries rules'
activity from the device. This can result in a rare use-after-free [1].

Fix this by protecting the rules list accessed by the delayed work with
a lock. We cannot use a spinlock as the activity read operation is
blocking.

[1]
[  123.331662] ==================================================================
[  123.339920] BUG: KASAN: use-after-free in mlxsw_sp_acl_rule_activity_update_work+0x330/0x3b0
[  123.349381] Read of size 8 at addr ffff8881f3bb4520 by task kworker/0:2/78
[  123.357080]
[  123.358773] CPU: 0 PID: 78 Comm: kworker/0:2 Not tainted 5.5.0-rc5-custom-33108-gf5df95d3ef41 #2209
[  123.368898] Hardware name: Mellanox Technologies Ltd. MSN3700C/VMOD0008, BIOS 5.11 10/10/2018
[  123.378456] Workqueue: mlxsw_core mlxsw_sp_acl_rule_activity_update_work
[  123.385970] Call Trace:
[  123.388734]  dump_stack+0xc6/0x11e
[  123.392568]  print_address_description.constprop.4+0x21/0x340
[  123.403236]  __kasan_report.cold.8+0x76/0xb1
[  123.414884]  kasan_report+0xe/0x20
[  123.418716]  mlxsw_sp_acl_rule_activity_update_work+0x330/0x3b0
[  123.444034]  process_one_work+0xb06/0x19a0
[  123.453731]  worker_thread+0x91/0xe90
[  123.467348]  kthread+0x348/0x410
[  123.476847]  ret_from_fork+0x24/0x30
[  123.480863]
[  123.482545] Allocated by task 73:
[  123.486273]  save_stack+0x19/0x80
[  123.490000]  __kasan_kmalloc.constprop.6+0xc1/0xd0
[  123.495379]  mlxsw_sp_acl_rule_create+0xa7/0x230
[  123.500566]  mlxsw_sp2_mr_tcam_route_create+0xf6/0x3e0
[  123.506334]  mlxsw_sp_mr_tcam_route_create+0x5b4/0x820
[  123.512102]  mlxsw_sp_mr_table_create+0x3b5/0x690
[  123.517389]  mlxsw_sp_vr_get+0x289/0x4d0
[  123.521797]  mlxsw_sp_fib_node_get+0xa2/0x990
[  123.526692]  mlxsw_sp_router_fib4_event_work+0x54c/0x2d60
[  123.532752]  process_one_work+0xb06/0x19a0
[  123.537352]  worker_thread+0x91/0xe90
[  123.541471]  kthread+0x348/0x410
[  123.545103]  ret_from_fork+0x24/0x30
[  123.549113]
[  123.550795] Freed by task 518:
[  123.554231]  save_stack+0x19/0x80
[  123.557958]  __kasan_slab_free+0x125/0x170
[  123.562556]  kfree+0xd7/0x3a0
[  123.565895]  mlxsw_sp_acl_rule_destroy+0x63/0xd0
[  123.571081]  mlxsw_sp2_mr_tcam_route_destroy+0xd5/0x130
[  123.576946]  mlxsw_sp_mr_tcam_route_destroy+0xba/0x260
[  123.582714]  mlxsw_sp_mr_table_destroy+0x1ab/0x290
[  123.588091]  mlxsw_sp_vr_put+0x1db/0x350
[  123.592496]  mlxsw_sp_fib_node_put+0x298/0x4c0
[  123.597486]  mlxsw_sp_vr_fib_flush+0x15b/0x360
[  123.602476]  mlxsw_sp_router_fib_flush+0xba/0x470
[  123.607756]  mlxsw_sp_vrs_fini+0xaa/0x120
[  123.612260]  mlxsw_sp_router_fini+0x137/0x384
[  123.617152]  mlxsw_sp_fini+0x30a/0x4a0
[  123.621374]  mlxsw_core_bus_device_unregister+0x159/0x600
[  123.627435]  mlxsw_devlink_core_bus_device_reload_down+0x7e/0xb0
[  123.634176]  devlink_reload+0xb4/0x380
[  123.638391]  devlink_nl_cmd_reload+0x610/0x700
[  123.643382]  genl_rcv_msg+0x6a8/0xdc0
[  123.647497]  netlink_rcv_skb+0x134/0x3a0
[  123.651904]  genl_rcv+0x29/0x40
[  123.655436]  netlink_unicast+0x4d4/0x700
[  123.659843]  netlink_sendmsg+0x7c0/0xc70
[  123.664251]  __sys_sendto+0x265/0x3c0
[  123.668367]  __x64_sys_sendto+0xe2/0x1b0
[  123.672773]  do_syscall_64+0xa0/0x530
[  123.676892]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[  123.682552]
[  123.684238] The buggy address belongs to the object at ffff8881f3bb4500
[  123.684238]  which belongs to the cache kmalloc-128 of size 128
[  123.698261] The buggy address is located 32 bytes inside of
[  123.698261]  128-byte region [ffff8881f3bb4500, ffff8881f3bb4580)
[  123.711303] The buggy address belongs to the page:
[  123.716682] page:ffffea0007ceed00 refcount:1 mapcount:0 mapping:ffff888236403500 index:0x0
[  123.725958] raw: 0200000000000200 dead000000000100 dead000000000122 ffff888236403500
[  123.734646] raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
[  123.743315] page dumped because: kasan: bad access detected
[  123.749562]
[  123.751241] Memory state around the buggy address:
[  123.756620]  ffff8881f3bb4400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[  123.764716]  ffff8881f3bb4480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  123.772812] >ffff8881f3bb4500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  123.780904]                                ^
[  123.785697]  ffff8881f3bb4580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  123.793793]  ffff8881f3bb4600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[  123.801883] ==================================================================

Fixes: cf7221a4f5 ("mlxsw: spectrum_router: Add Multicast routing support for Spectrum-2")
Signed-off-by: Ido Schimmel <idosch@mellanox.com>
Acked-by: Jiri Pirko <jiri@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2020-01-23 11:32:57 +01:00
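The locking pattern the commit message describes, as an added userspace illustration (not code from the mlxsw driver or from this commit): a periodic worker walks a rules list while a teardown path removes and frees rules, and both take the same sleeping lock. A pthread mutex stands in for that lock and `sched_yield()` for the blocking activity read; every name in the block is hypothetical.

```c
#include <pthread.h>
#include <stdlib.h>
/* Constructed userspace model; all names are hypothetical, not mlxsw code. */
struct rule { struct rule *next; unsigned long hits; };
struct acl { pthread_mutex_t rules_lock; struct rule *rules; };
/* Periodic worker: reaches rules only through the list, under rules_lock. */
static void *activity_work(void *arg)
{
    struct acl *acl = arg;
    for (int pass = 0; pass < 200; pass++) {
        pthread_mutex_lock(&acl->rules_lock);
        for (struct rule *r = acl->rules; r; r = r->next) {
            sched_yield(); /* stand-in for the blocking activity read */
            r->hits++;     /* would touch freed memory without the lock */
        }
        pthread_mutex_unlock(&acl->rules_lock);
    }
    return NULL;
}

/* Teardown: unlink under the same lock; afterwards the worker cannot see r. */
static struct rule *rule_unlink_first(struct acl *acl)
{
    pthread_mutex_lock(&acl->rules_lock);
    struct rule *r = acl->rules;
    if (r)
        acl->rules = r->next;
    pthread_mutex_unlock(&acl->rules_lock);
    return r;
}

/* Races the worker against teardown; returns the number of rules freed. */
int reload_race(int nrules)
{
    struct acl acl = { .rules_lock = PTHREAD_MUTEX_INITIALIZER };
    struct rule *r;
    pthread_t worker;
    int freed = 0;
    for (int i = 0; i < nrules && (r = calloc(1, sizeof(*r))); i++) {
        r->next = acl.rules;
        acl.rules = r;
    }
    int started = pthread_create(&worker, NULL, activity_work, &acl) == 0;
    for (; (r = rule_unlink_first(&acl)); freed++)
        free(r); /* safe: r left the list while the lock was held */
    if (started)
        pthread_join(worker, NULL);
    return freed;
}
int main(void) { return reload_race(8) == 8 ? 0 : 1; }
```

A spinlock would not fit this model for the reason the commit message gives: the worker holds the lock across an operation that can sleep.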
cmd.h
core_acl_flex_actions.c
core_acl_flex_actions.h
core_acl_flex_keys.c
core_acl_flex_keys.h
core_env.c mlxsw: core: Extend QSFP EEPROM size for ethtool 2019-10-22 10:30:41 -07:00
core_env.h
core_hwmon.c mlxsw: hwmon: Provide optimization for QSFP modules number detection 2019-10-06 18:31:39 +02:00
core_thermal.c mlxsw: thermal: Provide optimization for QSFP modules number detection 2019-10-06 18:31:39 +02:00
core.c mlxsw: core: Add support for using EMAD string TLV 2019-11-12 10:54:02 -08:00
core.h mlxsw: core: Add support for using EMAD string TLV 2019-11-12 10:54:02 -08:00
emad.h mlxsw: core: Add EMAD string TLV 2019-11-12 10:54:02 -08:00
i2c.c mlxsw: Propagate extack down to register_fib_notifier() 2019-10-04 11:10:56 -07:00
i2c.h
ib.h
item.h
Kconfig
Makefile
minimal.c mlxsw: minimal: Add validation for FW version 2019-10-06 18:31:39 +02:00
pci_hw.h mlxsw: pci: Increase PCI reset timeout for SN3800 systems 2019-10-30 12:07:05 -07:00
pci.c mlxsw: Propagate extack down to register_fib_notifier() 2019-10-04 11:10:56 -07:00
pci.h
port.h mlxsw: spectrum: Use PMTM register to get max module width 2019-10-31 10:54:46 -07:00
reg.h mlxsw: spectrum: Use dedicated policer for VRRP packets 2019-12-29 12:29:13 -08:00
resources.h mlxsw: spectrum: Introduce resource for getting offset of 4 lanes split port 2019-10-31 10:54:47 -07:00
spectrum1_acl_tcam.c
spectrum1_kvdl.c
spectrum1_mr_tcam.c
spectrum2_acl_tcam.c
spectrum2_kvdl.c
spectrum2_mr_tcam.c
spectrum_acl_atcam.c
spectrum_acl_bloom_filter.c
spectrum_acl_ctcam.c
spectrum_acl_erp.c
spectrum_acl_flex_actions.c
spectrum_acl_flex_actions.h
spectrum_acl_flex_keys.c
spectrum_acl_tcam.c
spectrum_acl_tcam.h
spectrum_acl.c mlxsw: spectrum_acl: Fix use-after-free during reload 2020-01-23 11:32:57 +01:00
spectrum_buffers.c mlxsw: Fix 64-bit division in mlxsw_sp_sb_prs_init 2019-10-31 13:55:34 -07:00
spectrum_cnt.c
spectrum_cnt.h
spectrum_dcb.c
spectrum_dpipe.c
spectrum_dpipe.h
spectrum_fid.c
spectrum_flower.c mlxsw: spectrum_flower: Fail in case user specifies multiple mirror actions 2019-09-27 20:33:19 +02:00
spectrum_ipip.c
spectrum_ipip.h
spectrum_kvdl.c
spectrum_mr_tcam.c
spectrum_mr_tcam.h
spectrum_mr.c
spectrum_mr.h
spectrum_nve_vxlan.c
spectrum_nve.c mlxsw: spectrum: Take devlink net instead of init_net 2019-10-04 11:10:56 -07:00
spectrum_nve.h
spectrum_ptp.c
spectrum_ptp.h
spectrum_qdisc.c mlxsw: spectrum_qdisc: Include MC TCs in Qdisc counters 2020-01-15 04:16:30 -08:00
spectrum_router.c mlxsw: spectrum_router: Skip loopback RIFs during MAC validation 2019-12-29 12:29:13 -08:00
spectrum_router.h
spectrum_span.c mlxsw: spectrum: Register switched port analyzers (SPAN) as resource 2019-10-18 10:05:37 -07:00
spectrum_span.h
spectrum_switchdev.c mlxsw: spectrum: Take devlink net instead of init_net 2019-10-04 11:10:56 -07:00
spectrum_switchdev.h
spectrum_trap.c mlxsw: Add layer 3 devlink-trap exceptions support 2019-11-07 19:51:40 -08:00
spectrum.c mlxsw: spectrum: Wipe xstats.backlog of down ports 2020-01-15 04:16:30 -08:00
spectrum.h mlxsw: spectrum: Use port_module_max_width to compute base port index 2019-10-31 10:54:47 -07:00
switchib.c mlxsw: Propagate extack down to register_fib_notifier() 2019-10-04 11:10:56 -07:00
switchx2.c mlxsw: switchx2: Do not modify cloned SKBs during xmit 2020-01-15 04:16:30 -08:00
trap.h mlxsw: Add layer 3 devlink-trap exceptions support 2019-11-07 19:51:40 -08:00
txheader.h