Commit b3e343cd authored by Souradeep Chakrabarti's avatar Souradeep Chakrabarti Committed by Wang Liang

net: mana: Fix error handling in mana_create_txq/rxq's NAPI cleanup

stable inclusion
from stable-v6.6.51
commit 9e0bff4900b5d412a9bafe4baeaa6facd34f671c
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IARYEO
CVE: CVE-2024-46784

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=9e0bff4900b5d412a9bafe4baeaa6facd34f671c



--------------------------------

commit b6ecc662037694488bfff7c9fd21c405df8411f2 upstream.

Currently napi_disable() gets called during rxq and txq cleanup,
even before napi is enabled and hrtimer is initialized. It causes
kernel panic.

? page_fault_oops+0x136/0x2b0
  ? page_counter_cancel+0x2e/0x80
  ? do_user_addr_fault+0x2f2/0x640
  ? refill_obj_stock+0xc4/0x110
  ? exc_page_fault+0x71/0x160
  ? asm_exc_page_fault+0x27/0x30
  ? __mmdrop+0x10/0x180
  ? __mmdrop+0xec/0x180
  ? hrtimer_active+0xd/0x50
  hrtimer_try_to_cancel+0x2c/0xf0
  hrtimer_cancel+0x15/0x30
  napi_disable+0x65/0x90
  mana_destroy_rxq+0x4c/0x2f0
  mana_create_rxq.isra.0+0x56c/0x6d0
  ? mana_uncfg_vport+0x50/0x50
  mana_alloc_queues+0x21b/0x320
  ? skb_dequeue+0x5f/0x80

Cc: stable@vger.kernel.org
Fixes: e1b5683f ("net: mana: Move NAPI from EQ to CQ")
Signed-off-by: Souradeep Chakrabarti <schakrabarti@linux.microsoft.com>
Reviewed-by: Haiyang Zhang <haiyangz@microsoft.com>
Reviewed-by: Shradha Gupta <shradhagupta@linux.microsoft.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Wang Liang <wangliang74@huawei.com>
parent e8927e05
+13 −9
@@ -1854,10 +1854,12 @@ static void mana_destroy_txq(struct mana_port_context *apc)

	for (i = 0; i < apc->num_queues; i++) {
		napi = &apc->tx_qp[i].tx_cq.napi;
		if (apc->tx_qp[i].txq.napi_initialized) {
			napi_synchronize(napi);
			napi_disable(napi);
			netif_napi_del(napi);

			apc->tx_qp[i].txq.napi_initialized = false;
		}
		mana_destroy_wq_obj(apc, GDMA_SQ, apc->tx_qp[i].tx_object);

		mana_deinit_cq(apc, &apc->tx_qp[i].tx_cq);
@@ -1913,6 +1915,7 @@ static int mana_create_txq(struct mana_port_context *apc,
		txq->ndev = net;
		txq->net_txq = netdev_get_tx_queue(net, i);
		txq->vp_offset = apc->tx_vp_offset;
		txq->napi_initialized = false;
		skb_queue_head_init(&txq->pending_skbs);

		memset(&spec, 0, sizeof(spec));
@@ -1979,6 +1982,7 @@ static int mana_create_txq(struct mana_port_context *apc,

		netif_napi_add_tx(net, &cq->napi, mana_poll);
		napi_enable(&cq->napi);
		txq->napi_initialized = true;

		mana_gd_ring_cq(cq->gdma_cq, SET_ARM_BIT);
	}
@@ -1990,7 +1994,7 @@ static int mana_create_txq(struct mana_port_context *apc,
}

static void mana_destroy_rxq(struct mana_port_context *apc,
			     struct mana_rxq *rxq, bool validate_state)
			     struct mana_rxq *rxq, bool napi_initialized)

{
	struct gdma_context *gc = apc->ac->gdma_dev->gdma_context;
@@ -2005,14 +2009,14 @@ static void mana_destroy_rxq(struct mana_port_context *apc,

	napi = &rxq->rx_cq.napi;

	if (validate_state)
	if (napi_initialized) {
		napi_synchronize(napi);

		napi_disable(napi);

	xdp_rxq_info_unreg(&rxq->xdp_rxq);

		netif_napi_del(napi);
	}
	xdp_rxq_info_unreg(&rxq->xdp_rxq);

	mana_destroy_wq_obj(apc, GDMA_RQ, rxq->rxobj);
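Review bot: mana_destroy_rxq() takes the NAPI state as a caller-supplied `bool napi_initialized`, whereas the tx path records it in `txq->napi_initialized` and clears it after `netif_napi_del()`, so the same hazard is guarded in two different ways. On the rx side a caller that passes `true` for a queue whose NAPI was never enabled still reaches `napi_disable()`, which is the crash in the commit message. Passing `false` for an enabled queue skips `napi_disable()` and `netif_napi_del()`, and the function cannot detect either mistake. Consider keeping the flag in `struct mana_rxq`, set after NAPI is enabled in mana_create_rxq and cleared in the destroy path, or at least document the parameter: `/* napi_initialized: true only if NAPI was added and enabled for rxq->rx_cq.napi */`. The call sites and the rest of mana_destroy_rxq() lie outside the visible hunks, so whether every caller passes the right value cannot be confirmed from this page.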

+2 −0
@@ -97,6 +97,8 @@ struct mana_txq {

	atomic_t pending_sends;

	bool napi_initialized;

	struct mana_stats_tx stats;
};
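Review bot: The new `bool napi_initialized` member of struct mana_txq has no comment, so its contract can only be recovered by reading the create and destroy paths in the driver. A one-line comment would state it where the field is declared, for example `/* true once NAPI is added and enabled for this queue's tx_cq; cleared after netif_napi_del() */`. The struct begins outside the hunk, so nothing is said here about where the member sits relative to the other fields.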