korg/linux
0
0
Fork 0
mirror of https://mirrors.bfsu.edu.cn/git/linux.git synced 2025-01-18 03:44:27 +08:00
Code Issues Packages Projects Releases Wiki Activity
554fe75c1b
linux/drivers/net
History
Dmytro Linkin 554fe75c1b net/mlx5e: Avoid duplicating rule destinations 
Following scenario easily break driver logic and crash the kernel:
1. Add rule with mirred actions to same device.
2. Delete this rule.
In described scenario rule is not added to database and on deletion
driver access invalid entry.
Example:

 $ tc filter add dev ens1f0_0 ingress protocol ip prio 1 \
       flower skip_sw \
       action mirred egress mirror dev ens1f0_1 pipe \
       action mirred egress redirect dev ens1f0_1
 $ tc filter del dev ens1f0_0 ingress protocol ip prio 1

Dmesg output:

[  376.634396] mlx5_core 0000:82:00.0: mlx5_cmd_check:756:(pid 3439): DESTROY_FLOW_GROUP(0x934) op_mod(0x0) failed, status bad resource state(0x9), syndrome (0x563e2f)
[  376.654983] mlx5_core 0000:82:00.0: del_hw_flow_group:567:(pid 3439): flow steering can't destroy fg 89 of ft 3145728
[  376.673433] kasan: CONFIG_KASAN_INLINE enabled
[  376.683769] kasan: GPF could be caused by NULL-ptr deref or user memory access
[  376.695229] general protection fault: 0000 [#1] PREEMPT SMP KASAN PTI
[  376.705069] CPU: 7 PID: 3439 Comm: tc Not tainted 5.4.0-rc5+ #76
[  376.714959] Hardware name: Supermicro SYS-2028TP-DECTR/X10DRT-PT, BIOS 2.0a 08/12/2016
[  376.726371] RIP: 0010:mlx5_del_flow_rules+0x105/0x960 [mlx5_core]
[  376.735817] Code: 01 00 00 00 48 83 eb 08 e8 28 d9 ff ff 4c 39 e3 75 d8 4c 8d bd c0 02 00 00 48 b8 00 00 00 00 00 fc ff df 4c 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e 84 04 00 00 48 8d 7d 28 8b 9 d
[  376.761261] RSP: 0018:ffff888847c56db8 EFLAGS: 00010202
[  376.770054] RAX: dffffc0000000000 RBX: ffff8888582a6da0 RCX: ffff888847c56d60
[  376.780743] RDX: 0000000000000058 RSI: 0000000000000008 RDI: 0000000000000282
[  376.791328] RBP: 0000000000000000 R08: fffffbfff0c60ea6 R09: fffffbfff0c60ea6
[  376.802050] R10: fffffbfff0c60ea5 R11: ffffffff8630752f R12: ffff8888582a6da0
[  376.812798] R13: dffffc0000000000 R14: ffff8888582a6da0 R15: 00000000000002c0
[  376.823445] FS:  00007f675f9a8840(0000) GS:ffff88886d200000(0000) knlGS:0000000000000000
[  376.834971] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  376.844179] CR2: 00000000007d9640 CR3: 00000007d3f26003 CR4: 00000000001606e0
[  376.854843] Call Trace:
[  376.868542]  __mlx5_eswitch_del_rule+0x49/0x300 [mlx5_core]
[  376.877735]  mlx5e_tc_del_fdb_flow+0x6ec/0x9e0 [mlx5_core]
[  376.921549]  mlx5e_flow_put+0x2b/0x50 [mlx5_core]
[  376.929813]  mlx5e_delete_flower+0x5b6/0xbd0 [mlx5_core]
[  376.973030]  tc_setup_cb_reoffload+0x29/0xc0
[  376.980619]  fl_reoffload+0x50a/0x770 [cls_flower]
[  377.015087]  tcf_block_playback_offloads+0xbd/0x250
[  377.033400]  tcf_block_setup+0x1b2/0xc60
[  377.057247]  tcf_block_offload_cmd+0x195/0x240
[  377.098826]  tcf_block_offload_unbind+0xe7/0x180
[  377.107056]  __tcf_block_put+0xe5/0x400
[  377.114528]  ingress_destroy+0x3d/0x60 [sch_ingress]
[  377.122894]  qdisc_destroy+0xf1/0x5a0
[  377.129993]  qdisc_graft+0xa3d/0xe50
[  377.151227]  tc_get_qdisc+0x48e/0xa20
[  377.165167]  rtnetlink_rcv_msg+0x35d/0x8d0
[  377.199528]  netlink_rcv_skb+0x11e/0x340
[  377.219638]  netlink_unicast+0x408/0x5b0
[  377.239913]  netlink_sendmsg+0x71b/0xb30
[  377.267505]  sock_sendmsg+0xb1/0xf0
[  377.273801]  ___sys_sendmsg+0x635/0x900
[  377.312784]  __sys_sendmsg+0xd3/0x170
[  377.338693]  do_syscall_64+0x95/0x460
[  377.344833]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[  377.352321] RIP: 0033:0x7f675e58e090

To avoid this, for every mirred action check if output device was
already processed. If so - drop rule with EOPNOTSUPP error.

Signed-off-by: Dmytro Linkin <dmitrolin@mellanox.com>
Reviewed-by: Roi Dayan <roid@mellanox.com>
Reviewed-by: Vlad Buslov <vladbu@mellanox.com>
Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
2020-01-06 15:30:03 -08:00
..
appletalk
arcnet
bonding bonding: fix active-backup transition after link failure 2019-12-14 16:22:34 -08:00
caif Driver core patches for 5.5-rc1 2019-11-27 11:06:20 -08:00
can can: mscan: mscan_rx_poll(): fix rx path lockup when returning from polling to irq mode 2020-01-02 15:34:27 +01:00
dsa net: dsa: mv88e6xxx: Preserve priority when setting CPU port. 2020-01-06 13:35:11 -08:00
ethernet net/mlx5e: Avoid duplicating rule destinations 2020-01-06 15:30:03 -08:00
fddi
fjes Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2019-12-22 09:54:33 -08:00
hamradio 6pack,mkiss: fix possible deadlock 2019-12-13 21:49:29 -08:00
hippi
hyperv Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2019-12-22 09:54:33 -08:00
ieee802154 drivers: net: Fix Kconfig indentation, continued 2019-11-21 11:54:09 -08:00
ipvlan
netdevsim netdevsim: Update dummy reporter's devlink binary interface 2019-11-12 11:25:44 -08:00
phy net: phylink: fix failure to register on x86 systems 2020-01-03 12:37:55 -08:00
plip
ppp pppoe: remove redundant BUG_ON() check in pppoe_pernet 2019-12-07 11:52:23 -08:00
slip slip: Fix use-after-free Read in slip_open 2019-11-25 11:02:52 -08:00
team
usb Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2019-12-22 09:54:33 -08:00
vmxnet3
wan net: wan: sdla: Fix cast from pointer to integer of different size 2020-01-06 13:30:03 -08:00
wimax
wireless Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2019-12-22 09:54:33 -08:00
xen-netback xen-netback: avoid race that can lead to NULL pointer dereference 2019-12-15 11:40:15 -08:00
dummy.c net: dummy: use standard dev_lstats_add() and dev_lstats_read() 2019-11-07 20:03:08 -08:00
eql.c
geneve.c treewide: Use sizeof_field() macro 2019-12-09 10:36:44 -08:00
gtp.c gtp: do not confirm neighbor when do pmtu update 2019-12-24 22:28:54 -08:00
ifb.c
Kconfig drivers: net: Fix Kconfig indentation, continued 2019-11-21 11:54:09 -08:00
LICENSE.SRC
loopback.c net: use u64_stats_t in struct pcpu_lstats 2019-11-07 20:03:08 -08:00
macsec.c
macvlan.c macvlan: schedule bc_work even if error 2019-11-25 10:54:22 -08:00
macvtap.c
Makefile
mdio.c
mii.c
net_failover.c
netconsole.c
nlmon.c net: nlmon: use standard dev_lstats_add() and dev_lstats_read() 2019-11-07 20:03:08 -08:00
ntb_netdev.c
rionet.c
sb1000.c
Space.c
sungem_phy.c
tap.c
thunderbolt.c
tun.c tun: fix data-race in gro_normal_list() 2019-11-15 12:46:49 -08:00
veth.c veth: use standard dev_lstats_add() and dev_lstats_read() 2019-11-07 20:03:08 -08:00
virtio_net.c bpf: Convert bpf_prog refcnt to atomic64_t 2019-11-18 11:41:59 +01:00
vrf.c
vsockmon.c vsockmon: use standard dev_lstats_add() and dev_lstats_read() 2019-11-07 20:03:08 -08:00
vxlan.c vxlan: fix tos value before xmit 2020-01-02 16:35:48 -08:00
xen-netfront.c