diff options
author | Huazhong Tan <tanhuazhong@huawei.com> | 2019-09-05 21:31:37 +0800 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2019-09-06 15:20:34 +0200 |
commit | 323a2ac52227c20f3387ea1cd16c04a844cd1ea1 (patch) | |
tree | 2a8c7e9e6a6ab4548a9d6ed2cf46e90967caaa6c /drivers/net/ethernet/hisilicon/hns3 | |
parent | d9c0f2756a33833b2653f7a3612814fa5f52a568 (diff) | |
download | linux-323a2ac52227c20f3387ea1cd16c04a844cd1ea1.tar.gz linux-323a2ac52227c20f3387ea1cd16c04a844cd1ea1.tar.bz2 linux-323a2ac52227c20f3387ea1cd16c04a844cd1ea1.zip |
net: hns3: fix double free bug when setting ringparam
The system will panic when change the ringparam in HNS3 drivers:
[ 1459.627727] hns3 0000:bd:00.0 eth6: Changing Tx/Rx ring ds from 1024/1024 to 24/24
[ 1459.635766] hns3 0000:bd:00.0 eth6: link down
[ 1459.640788] BUG: Bad page state in process ethtool pfn:203f75c18
[ 1459.646940] page:ffff7ee4ffd70600 refcount:0 mapcount:0 mapping:ffff993fff40f400 index:0x0 compound_mapcount: 0
[ 1459.656987] flags: 0x9fffe00000010200(slab|head)
[ 1459.661591] raw: 9fffe00000010200 dead000000000100 dead000000000122 ffff993fff40f400
[ 1459.669302] raw: 0000000000000000 0000000080100010 00000000ffffffff 0000000000000000
[ 1459.677016] page dumped because: PAGE_FLAGS_CHECK_AT_FREE flag(s) set
[ 1459.683432] bad because of flags: 0x200(slab)
[ 1459.687775] Modules linked in: ib_ipoib ib_umad rpcrdma ib_iser libiscsi scsi_transport_iscsi hns_roce_hw_v2 crct10dif_ce hns3 ses hclge hnae3 hisi_hpre hisi_zip qm uacce ip_tables x_tables hisi_sas_v3_hw hisi_sas_main libsas scsi_transport_sas
[ 1459.709329] CPU: 14 PID: 17244 Comm: ethtool Tainted: G O 5.3.0-rc4-00415-gc86f057 #1
[ 1459.718419] Hardware name: Huawei TaiShan 2280 V2/BC82AMDC, BIOS 2280-V2 CS V3.B040.01 07/26/2019
[ 1459.727248] Call trace:
[ 1459.729688] dump_backtrace+0x0/0x150
[ 1459.733335] show_stack+0x24/0x30
[ 1459.736639] dump_stack+0xa0/0xc4
[ 1459.739943] bad_page+0xf0/0x158
[ 1459.743157] free_pages_check_bad+0x84/0xa0
[ 1459.747322] __free_pages_ok+0x348/0x378
[ 1459.751228] page_frag_free+0x80/0x88
[ 1459.754877] skb_free_head+0x38/0x48
[ 1459.758436] skb_release_data+0x134/0x160
[ 1459.762427] skb_release_all+0x30/0x40
[ 1459.766158] consume_skb+0x38/0x108
[ 1459.769633] __dev_kfree_skb_any+0x58/0x68
[ 1459.773718] hns3_fini_ring+0x48/0x58 [hns3]
[ 1459.777970] hns3_set_ringparam+0x2a8/0x418 [hns3]
[ 1459.782741] dev_ethtool+0x5f4/0x2080
[ 1459.786390] dev_ioctl+0x190/0x3d8
[ 1459.789777] sock_do_ioctl+0xf8/0x220
[ 1459.793423] sock_ioctl+0x3bc/0x490
[ 1459.796896] do_vfs_ioctl+0xc4/0x868
[ 1459.800454] ksys_ioctl+0x8c/0xa0
[ 1459.803752] __arm64_sys_ioctl+0x28/0x38
[ 1459.807658] el0_svc_common.constprop.0+0xe0/0x1e0
[ 1459.812426] el0_svc_handler+0x34/0x90
[ 1459.816158] el0_svc+0x10/0x14
[ 1459.819220] Disabling lock debugging due to kernel taint
[ 1459.825182] ------------[ cut here ]------------
Since ndo_stop will reclaim the RX's skb allocated by the driver,
so the backed up ring parameter should not keep this info.
Fixes: a723fb8efe29 ("net: hns3: refine for set ring parameters")
Signed-off-by: Huazhong Tan <tanhuazhong@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'drivers/net/ethernet/hisilicon/hns3')
-rw-r--r-- | drivers/net/ethernet/hisilicon/hns3/hns3_ethtool.c | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3_ethtool.c b/drivers/net/ethernet/hisilicon/hns3/hns3_ethtool.c index c52eccc1621d..aa692b13b6f3 100644 --- a/drivers/net/ethernet/hisilicon/hns3/hns3_ethtool.c +++ b/drivers/net/ethernet/hisilicon/hns3/hns3_ethtool.c @@ -908,9 +908,11 @@ static struct hns3_enet_ring *hns3_backup_ringparam(struct hns3_nic_priv *priv) if (!tmp_rings) return NULL; - for (i = 0; i < handle->kinfo.num_tqps * 2; i++) + for (i = 0; i < handle->kinfo.num_tqps * 2; i++) { memcpy(&tmp_rings[i], priv->ring_data[i].ring, sizeof(struct hns3_enet_ring)); + tmp_rings[i].skb = NULL; + } return tmp_rings; } |