patches for DPDK stable branches
From: Kevin Traynor <ktraynor@redhat.com>
To: Huisong Li <lihuisong@huawei.com>
Cc: Min Hu <humin29@huawei.com>,
	Ferruh Yigit <ferruh.yigit@intel.com>,
	dpdk stable <stable@dpdk.org>
Subject: patch 'kni: fix freeing order in device release' has been queued to stable release 21.11.1
Date: Tue,  1 Mar 2022 10:43:00 +0000
Message-ID: <20220301104300.334382-104-ktraynor@redhat.com>
In-Reply-To: <20220301104300.334382-1-ktraynor@redhat.com>

Hi,

FYI, your patch has been queued to stable release 21.11.1

Note it hasn't been pushed to http://dpdk.org/browse/dpdk-stable yet.
It will be pushed if I get no objections before 03/06/22. So please
shout if anyone has objections.

Also note that after the patch there's a diff of the upstream commit vs the
patch applied to the branch. This will indicate if there was any rebasing
needed to apply to the stable branch. If there were code changes for rebasing
(ie: not only metadata diffs), please double check that the rebase was
correctly done.

Queued patches are on a temporary branch at:
https://github.com/kevintraynor/dpdk-stable

This queued commit can be viewed at:
https://github.com/kevintraynor/dpdk-stable/commit/e253ba61da1e047ea2061d4ec700d32e9f43db48

Thanks.

Kevin

---
From e253ba61da1e047ea2061d4ec700d32e9f43db48 Mon Sep 17 00:00:00 2001
From: Huisong Li <lihuisong@huawei.com>
Date: Wed, 9 Feb 2022 15:35:25 +0800
Subject: [PATCH] kni: fix freeing order in device release

[ upstream commit d57f2899e29a74fffeb876863e1f570084d6437b ]

The "kni_dev" is the private data of the "net_device" in kni, and is allocated
with the "net_device" by calling "alloc_netdev()". The "net_device" is
freed by calling "free_netdev()" when kni is released. The freed memory
includes the "kni_dev". So "kni_dev" should not be accessed after
"net_device" is released.

Fixes: e77fec694936 ("kni: fix possible mbuf leaks and speed up port release")

KASAN trace:

[   85.263717] ==========================================================
[   85.264418] BUG: KASAN: use-after-free in kni_net_release_fifo_phy+
		0x30/0x84 [rte_kni]
[   85.265139] Read of size 8 at addr ffff000260668d60 by task kni/341
[   85.265703]
[   85.265857] CPU: 0 PID: 341 Comm: kni Tainted: G     U     O
		5.15.0-rc4+ #1
[   85.266525] Hardware name: linux,dummy-virt (DT)
[   85.266968] Call trace:
[   85.267220]  dump_backtrace+0x0/0x2d0
[   85.267591]  show_stack+0x24/0x30
[   85.267924]  dump_stack_lvl+0x8c/0xb8
[   85.268294]  print_address_description.constprop.0+0x74/0x2b8
[   85.268855]  kasan_report+0x1e4/0x200
[   85.269224]  __asan_load8+0x98/0xd4
[   85.269577]  kni_net_release_fifo_phy+0x30/0x84 [rte_kni]
[   85.270116]  kni_dev_remove.isra.0+0x50/0x64 [rte_kni]
[   85.270630]  kni_ioctl_release+0x254/0x320 [rte_kni]
[   85.271136]  kni_ioctl+0x64/0xb0 [rte_kni]
[   85.271553]  __arm64_sys_ioctl+0xdc/0x120
[   85.271955]  invoke_syscall+0x68/0x1a0
[   85.272332]  el0_svc_common.constprop.0+0x90/0x200
[   85.272807]  do_el0_svc+0x94/0xa4
[   85.273144]  el0_svc+0x78/0x240
[   85.273463]  el0t_64_sync_handler+0x1a8/0x1b0
[   85.273895]  el0t_64_sync+0x1a0/0x1a4
[   85.274264]
[   85.274427] Allocated by task 341:
[   85.274767]  kasan_save_stack+0x2c/0x60
[   85.275157]  __kasan_kmalloc+0x90/0xb4
[   85.275533]  __kmalloc_node+0x230/0x594
[   85.275917]  kvmalloc_node+0x8c/0x190
[   85.276286]  alloc_netdev_mqs+0x70/0x6b0
[   85.276678]  kni_ioctl_create+0x224/0xf40 [rte_kni]
[   85.277166]  kni_ioctl+0x9c/0xb0 [rte_kni]
[   85.277581]  __arm64_sys_ioctl+0xdc/0x120
[   85.277980]  invoke_syscall+0x68/0x1a0
[   85.278357]  el0_svc_common.constprop.0+0x90/0x200
[   85.278830]  do_el0_svc+0x94/0xa4
[   85.279172]  el0_svc+0x78/0x240
[   85.279491]  el0t_64_sync_handler+0x1a8/0x1b0
[   85.279925]  el0t_64_sync+0x1a0/0x1a4
[   85.280292]
[   85.280454] Freed by task 341:
[   85.280763]  kasan_save_stack+0x2c/0x60
[   85.281147]  kasan_set_track+0x2c/0x40
[   85.281522]  kasan_set_free_info+0x2c/0x50
[   85.281930]  __kasan_slab_free+0xdc/0x140
[   85.282331]  slab_free_freelist_hook+0x90/0x250
[   85.282782]  kfree+0x128/0x580
[   85.283099]  kvfree+0x48/0x60
[   85.283402]  netdev_freemem+0x34/0x44
[   85.283770]  netdev_release+0x50/0x64
[   85.284138]  device_release+0xa0/0x120
[   85.284516]  kobject_put+0xf8/0x160
[   85.284867]  put_device+0x20/0x30
[   85.285204]  free_netdev+0x22c/0x310
[   85.285562]  kni_dev_remove.isra.0+0x48/0x64 [rte_kni]
[   85.286076]  kni_ioctl_release+0x254/0x320 [rte_kni]
[   85.286573]  kni_ioctl+0x64/0xb0 [rte_kni]
[   85.286992]  __arm64_sys_ioctl+0xdc/0x120
[   85.287392]  invoke_syscall+0x68/0x1a0
[   85.287769]  el0_svc_common.constprop.0+0x90/0x200
[   85.288243]  do_el0_svc+0x94/0xa4
[   85.288579]  el0_svc+0x78/0x240
[   85.288899]  el0t_64_sync_handler+0x1a8/0x1b0
[   85.289332]  el0t_64_sync+0x1a0/0x1a4
[   85.289699]
[   85.289862] The buggy address belongs to the object at ffff000260668000
[   85.289862]  which belongs to the cache kmalloc-cg-8k of size 8192
[   85.291079] The buggy address is located 3424 bytes inside of
[   85.291079]  8192-byte region [ffff000260668000, ffff00026066a000)
[   85.292213] The buggy address belongs to the page:
[   85.292684] page:(____ptrval____) refcount:1 mapcount:0 mapping:
		0000000000000000 index:0x0 pfn:0x2a0668
[   85.293585] head:(____ptrval____) order:3 compound_mapcount:0
		compound_pincount:0
[   85.294305] flags: 0xbfff80000010200(slab|head|node=0|zone=2|
		lastcpupid=0x7fff)
[   85.295020] raw: 0bfff80000010200 0000000000000000 dead000000000122
		ffff0000c000d680
[   85.295767] raw: 0000000000000000 0000000080020002 00000001ffffffff
		0000000000000000
[   85.296512] page dumped because: kasan: bad access detected
[   85.297054]
[   85.297217] Memory state around the buggy address:
[   85.297688]  ffff000260668c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb
		fb fb
[   85.298384]  ffff000260668c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb
		fb fb
[   85.299088] >ffff000260668d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb
		fb fb
[   85.299781]                                                        ^
[   85.300396]  ffff000260668d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb
		fb fb
[   85.301092]  ffff000260668e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb
		fb fb
[   85.301787] ===========================================================

Signed-off-by: Huisong Li <lihuisong@huawei.com>
Signed-off-by: Min Hu (Connor) <humin29@huawei.com>
Acked-by: Ferruh Yigit <ferruh.yigit@intel.com>
---
 kernel/linux/kni/kni_misc.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/kernel/linux/kni/kni_misc.c b/kernel/linux/kni/kni_misc.c
index f10dcd069d..ad1582d911 100644
--- a/kernel/linux/kni/kni_misc.c
+++ b/kernel/linux/kni/kni_misc.c
@@ -185,4 +185,10 @@ kni_dev_remove(struct kni_dev *dev)
 		return -ENODEV;
 
+	/*
+	 * The memory of kni device is allocated and released together
+	 * with net device. Release mbuf before freeing net device.
+	 */
+	kni_net_release_fifo_phy(dev);
+
 	if (dev->net_dev) {
 		unregister_netdev(dev->net_dev);
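Review bot: kni_net_release_fifo_phy(dev) now runs before unregister_netdev(dev->net_dev), so the FIFOs are drained while the interface is still registered. If nothing can enqueue mbufs between those two calls, the new comment should say so; otherwise the call could sit inside the if block, after unregister_netdev() and ahead of the free that the commit message describes, which still satisfies "release mbuf before freeing net device".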
@@ -190,6 +196,4 @@ kni_dev_remove(struct kni_dev *dev)
 	}
 
-	kni_net_release_fifo_phy(dev);
-
 	return 0;
 }
@@ -221,6 +225,6 @@ kni_release(struct inode *inode, struct file *file)
 		}
 
-		kni_dev_remove(dev);
 		list_del(&dev->list);
+		kni_dev_remove(dev);
 	}
 	up_write(&knet->kni_list_lock);
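Review bot: the reorder in kni_release() carries no comment, unlike the kni_dev_remove() hunk. list_del(&dev->list) touches a member of dev, and per the commit message dev is freed together with the net device inside kni_dev_remove(), so a one-line comment above list_del() would keep a later cleanup from swapping the two lines back.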
@@ -471,6 +475,6 @@ kni_ioctl_release(struct net *net, uint32_t ioctl_num,
 		}
 
-		kni_dev_remove(dev);
 		list_del(&dev->list);
+		kni_dev_remove(dev);
 		ret = 0;
 		break;
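Review bot: in kni_ioctl_release() ret is set to 0 right after kni_dev_remove(dev) without looking at its return value, although the first hunk's context shows kni_dev_remove() has a "return -ENODEV" path. Either propagate it (ret = kni_dev_remove(dev);) or note why it cannot fail at this call site. The list_del()/kni_dev_remove() pair is also duplicated here with the same ordering constraint as in kni_release(); a small helper would keep the two sites in step.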
-- 
2.34.1

---
  Diff of the applied patch vs upstream commit (please double-check if non-empty):
---
--- -	2022-03-01 10:41:04.176198173 +0000
+++ 0104-kni-fix-freeing-order-in-device-release.patch	2022-03-01 10:41:01.486244135 +0000
@@ -1 +1 @@
-From d57f2899e29a74fffeb876863e1f570084d6437b Mon Sep 17 00:00:00 2001
+From e253ba61da1e047ea2061d4ec700d32e9f43db48 Mon Sep 17 00:00:00 2001
@@ -5,0 +6,2 @@
+[ upstream commit d57f2899e29a74fffeb876863e1f570084d6437b ]
+
@@ -13 +14,0 @@
-Cc: stable@dpdk.org
@@ -124 +125 @@
-index ec70190042..780187d8bf 100644
+index f10dcd069d..ad1582d911 100644
@@ -127 +128 @@
-@@ -183,4 +183,10 @@ kni_dev_remove(struct kni_dev *dev)
+@@ -185,4 +185,10 @@ kni_dev_remove(struct kni_dev *dev)
@@ -138 +139 @@
-@@ -188,6 +194,4 @@ kni_dev_remove(struct kni_dev *dev)
+@@ -190,6 +196,4 @@ kni_dev_remove(struct kni_dev *dev)
@@ -145 +146 @@
-@@ -219,6 +223,6 @@ kni_release(struct inode *inode, struct file *file)
+@@ -221,6 +225,6 @@ kni_release(struct inode *inode, struct file *file)
@@ -153 +154 @@
-@@ -469,6 +473,6 @@ kni_ioctl_release(struct net *net, uint32_t ioctl_num,
+@@ -471,6 +475,6 @@ kni_ioctl_release(struct net *net, uint32_t ioctl_num,
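
The KASAN report in the commit message can be triaged mechanically. The following is an added example, not part of the patch or of DPDK: it splits the report into its access, allocation and free stacks and finds the driver function that appears in both the access and the free stack. The report text is excerpted from the trace above with timestamps and some frames dropped; `parse_stacks` and `same_function_ordering` are names chosen for this example.

```python
import re

# Excerpt of the KASAN report quoted in the commit message above.
REPORT = """\
BUG: KASAN: use-after-free in kni_net_release_fifo_phy+0x30/0x84 [rte_kni]
Call trace:
 __asan_load8+0x98/0xd4
 kni_net_release_fifo_phy+0x30/0x84 [rte_kni]
 kni_dev_remove.isra.0+0x50/0x64 [rte_kni]
 kni_ioctl_release+0x254/0x320 [rte_kni]
Allocated by task 341:
 alloc_netdev_mqs+0x70/0x6b0
 kni_ioctl_create+0x224/0xf40 [rte_kni]
Freed by task 341:
 kfree+0x128/0x580
 free_netdev+0x22c/0x310
 kni_dev_remove.isra.0+0x48/0x64 [rte_kni]
 kni_ioctl_release+0x254/0x320 [rte_kni]
"""

# symbol+0xoff/0xsize, optionally followed by [module]
FRAME = re.compile(r"^\s*([\w.]+)\+0x([0-9a-f]+)/0x[0-9a-f]+(?:\s+\[(\w+)\])?\s*$")
SECTIONS = {"Call trace:": "access", "Allocated by task": "alloc", "Freed by task": "free"}

def parse_stacks(report):
    """Split a KASAN report into access/alloc/free lists of (func, off, module)."""
    stacks = {"access": [], "alloc": [], "free": []}
    current = None
    for line in report.splitlines():
        text = re.sub(r"^\[[^\]]*\]\s?", "", line)   # drop a dmesg timestamp
        header = next((v for k, v in SECTIONS.items() if text.startswith(k)), None)
        frame = FRAME.match(text)
        if header:
            current = header
        elif frame and current:
            stacks[current].append((frame.group(1), int(frame.group(2), 16),
                                    frame.group(3)))
    return stacks

def same_function_ordering(stacks, module):
    """First frame of `module` present in both the access and the free stack.
    Offsets of caller frames are return addresses, so a lower offset on the
    free side suggests the free call sits earlier in that function. This is
    a triage hint for straight-line code, not proof of execution order.
    """
    freed = {func: off for func, off, mod in stacks["free"] if mod == module}
    for func, off, mod in stacks["access"]:
        if mod == module and func in freed:
            return {"function": func, "free_return": freed[func],
                    "access_return": off, "free_first": freed[func] < off}
    return None

RESULT = same_function_ordering(parse_stacks(REPORT), "rte_kni")
```

For this report the shared frame is `kni_dev_remove.isra.0`, with the free returning at +0x48 and the faulting access path returning at +0x50, which matches the ordering the patch reverses.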

