linux/drivers/infiniband/hw/vmw_pvrdma
Neil Horman 11e40f5c57 vmw_pvrdma: Release netdev when vmxnet3 module is removed
On repeated module load/unload cycles, its possible for the pvrmda driver
to encounter this crash:

...
[  297.032448] RIP: 0010:[<ffffffff839e4620>]  [<ffffffff839e4620>] netdev_walk_all_upper_dev_rcu+0x50/0xb0
[  297.034078] RSP: 0018:ffff95087780bd08  EFLAGS: 00010286
[  297.034986] RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff95087a0c0000
[  297.036196] RDX: ffff95087a0c0000 RSI: ffffffff839e44e0 RDI: ffff950835d0c000
[  297.037421] RBP: ffff95087780bd40 R08: ffff95087a0e0ea0 R09: abddacd03f8e0ea0
[  297.038636] R10: abddacd03f8e0ea0 R11: ffffef5901e9dbc0 R12: ffff95087a0c0000
[  297.039854] R13: ffffffff839e44e0 R14: ffff95087a0c0000 R15: ffff950835d0c828
[  297.041071] FS:  0000000000000000(0000) GS:ffff95087fc00000(0000) knlGS:0000000000000000
[  297.042443] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  297.043429] CR2: ffffffffffffffe8 CR3: 000000007a652000 CR4: 00000000003607f0
[  297.044674] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[  297.045893] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[  297.047109] Call Trace:
[  297.047545]  [<ffffffff839e4698>] netdev_has_upper_dev_all_rcu+0x18/0x20
[  297.048691]  [<ffffffffc05d31af>] is_eth_port_of_netdev+0x2f/0xa0 [ib_core]
[  297.049886]  [<ffffffffc05d3180>] ? is_eth_active_slave_of_bonding_rcu+0x70/0x70 [ib_core]
...

This occurs because vmw_pvrdma on probe stores a pointer to the netdev
that exists on function 0 of the same bus/device/slot (which represents
the vmxnet3 ethernet driver).  However, it never removes this pointer if
the vmxnet3 module is removed, leading to crashes resulting from use after
free dereferencing incidents like the one above.

The fix is pretty straightforward.  vmw_pvrdma should listen for
NETDEV_REGISTER and NETDEV_UNREGISTER events in its event listener code
block, and update the stored netdev pointer accordingly.  This solution
has been tested by myself and the reporter with successful results.  This
fix also allows the pvrdma driver to find its underlying ethernet device
in the event that vmxnet3 is loaded after pvrdma, which it was not able to
do before.

Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
Reported-by: ruquin@redhat.com
Tested-by: Adit Ranadive <aditr@vmware.com>
Acked-by: Adit Ranadive <aditr@vmware.com>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
2018-07-03 15:52:31 -06:00
..
Kconfig
Makefile RDMA/vmw_pvrdma: Add shared receive queue support 2017-11-13 16:18:33 -05:00
pvrdma_cmd.c
pvrdma_cq.c RDMA/vmw_pvrdma: Fix usage of user response structures in ABI file 2018-02-15 15:31:28 -07:00
pvrdma_dev_api.h RDMA/vmw_pvrdma: Add shared receive queue support 2017-11-13 16:18:33 -05:00
pvrdma_doorbell.c
pvrdma_main.c vmw_pvrdma: Release netdev when vmxnet3 module is removed 2018-07-03 15:52:31 -06:00
pvrdma_misc.c RDMA/vmw_pvrdma: Add RoCEv2 support 2017-08-24 17:34:57 -04:00
pvrdma_mr.c RDMA/vmw_pvrdma: Do not re-calculate npages 2017-12-11 16:19:42 -07:00
pvrdma_qp.c RDMA/pvrdma: Properly annotate QP states 2018-03-14 15:34:25 -04:00
pvrdma_ring.h IB/pvrdma: Remove unused function 2017-08-22 15:42:57 -04:00
pvrdma_srq.c RDMA/vmw_pvrdma: Fix usage of user response structures in ABI file 2018-02-15 15:31:28 -07:00
pvrdma_verbs.c IB/core: add max_send_sge and max_recv_sge attributes 2018-06-18 13:17:28 -06:00
pvrdma_verbs.h RDMA/vmw_pvrdma: Add shared receive queue support 2017-11-13 16:18:33 -05:00
pvrdma.h RDMA/vmw_pvrdma: Delete unused function 2018-06-27 15:08:49 -06:00