From patchwork Sun Sep 12 16:34:48 2021
X-Patchwork-Submitter: Michael Chan
X-Patchwork-Id: 509686
From: Michael Chan
To: davem@davemloft.net
Cc: netdev@vger.kernel.org, kuba@kernel.org, edwin.peer@broadcom.com, gospo@broadcom.com
Subject: [PATCH net 2/3] bnxt_en: make bnxt_free_skbs() safe to call after bnxt_free_mem()
Date: Sun, 12 Sep 2021 12:34:48 -0400
Message-Id: <1631464489-8046-3-git-send-email-michael.chan@broadcom.com>
In-Reply-To: <1631464489-8046-1-git-send-email-michael.chan@broadcom.com>
References: <1631464489-8046-1-git-send-email-michael.chan@broadcom.com>
X-Mailing-List: netdev@vger.kernel.org
From: Edwin Peer

The call to bnxt_free_mem(..., false) in the bnxt_half_open_nic() error
path will deallocate ring descriptor memory via bnxt_free_?x_rings(),
but because irq_re_init is false, the ring info itself is not freed.

To simplify error paths, deallocation functions have generally been
written to be safe when called on unallocated memory. It should always
be safe to call dev_close(), which calls bnxt_free_skbs() a second time,
even in this semi-allocated ring state.

Calling bnxt_free_skbs() a second time with the rings already freed will
cause NULL pointer dereference. Fix it by checking the rings are valid
before proceeding in bnxt_free_tx_skbs() and
bnxt_free_one_rx_ring_skbs().

Fixes: 975bc99a4a39 ("bnxt_en: Refactor bnxt_free_rx_skbs().")
Signed-off-by: Edwin Peer
Signed-off-by: Michael Chan
--- drivers/net/ethernet/broadcom/bnxt/bnxt.c | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c index 8b0a2ae1367c..9f9806f1c0fc 100644 --- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c +++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c @@ -2729,6 +2729,9 @@ static void bnxt_free_tx_skbs(struct bnxt *bp) struct bnxt_tx_ring_info *txr = &bp->tx_ring[i]; int j; + if (!txr->tx_buf_ring) + continue; + for (j = 0; j < max_idx;) { struct bnxt_sw_tx_bd *tx_buf = &txr->tx_buf_ring[j]; struct sk_buff *skb; @@ -2813,6 +2816,9 @@ static void bnxt_free_one_rx_ring_skbs(struct bnxt *bp, int ring_nr) } skip_rx_tpa_free: + if (!rxr->rx_buf_ring) + goto skip_rx_buf_free; + for (i = 0; i < max_idx; i++) { struct bnxt_sw_rx_bd *rx_buf = &rxr->rx_buf_ring[i]; dma_addr_t mapping = rx_buf->mapping; 
@@ -2835,6 +2841,11 @@ static void bnxt_free_one_rx_ring_skbs(struct bnxt *bp, int ring_nr) kfree(data); } } + +skip_rx_buf_free: + if (!rxr->rx_agg_ring) + goto skip_rx_agg_free; + for (i = 0; i < max_agg_idx; i++) { struct bnxt_sw_rx_agg_bd *rx_agg_buf = &rxr->rx_agg_ring[i]; struct page *page = rx_agg_buf->page; @@ -2851,6 +2862,8 @@ static void bnxt_free_one_rx_ring_skbs(struct bnxt *bp, int ring_nr) __free_page(page); } + +skip_rx_agg_free: if (rxr->rx_page) { __free_page(rxr->rx_page); rxr->rx_page = NULL;
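Review bot: In the bnxt_free_tx_skbs() hunk (@@ -2729), the new check on txr->tx_buf_ring has no comment explaining how a ring can have valid ring info but no buffer ring. The commit message gives the reason (bnxt_free_mem(..., false) frees the descriptor memory and leaves the ring info in place), but a reader of the loop sees only "if (!txr->tx_buf_ring) continue;". A one-line comment above the check would keep it from being dropped as redundant later. The check is also only effective if the free path leaves tx_buf_ring set to NULL after releasing it; that assignment is not part of this diff, so it is worth stating in the changelog where it happens.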
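Review bot: In the bnxt_free_one_rx_ring_skbs() hunk at @@ -2813, "goto skip_rx_buf_free" jumps forward over a single loop to a label that the next hunk introduces, and with the rest of the patch the function ends up with three chained skip_* labels (skip_rx_tpa_free, skip_rx_buf_free, skip_rx_agg_free). Consider moving the rx_buf_ring loop and the rx_agg_ring loop each into a small helper that returns early when its ring pointer is NULL; the function body then reads as a sequence of calls and the two new labels are not needed.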
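Review bot: The skip_rx_agg_free label in the last hunk (@@ -2851) should carry a short comment on its placement. It sits before the "if (rxr->rx_page)" block, so rx_page is still released when rx_agg_ring is NULL; that looks intended, but nothing in the code or the commit message says so, and a later edit could move the label below the block without anyone noticing the leak. The rx_page block already frees and then sets the pointer to NULL, so it is safe to reach on a second call.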