author | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2024-04-29 13:07:16 +0200 |
committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2024-04-29 13:07:16 +0200 |
commit | f02474429394b562e048299d4fae169e60c0e656 (patch) | |
tree | b00e4534199f58ed8349df39c785ba7bb16a5dc4 | |
parent | ec2dd3dacf444b8266c1f46b1124775cd6443205 (diff) | |
5.10-stable patches
added patches:
net-mlx5e-fix-a-race-in-command-alloc-flow.patch
tracing-increase-perf_max_trace_size-to-handle-sentinel1-and-docker-together.patch
tracing-show-size-of-requested-perf-buffer.patch
4 files changed, 244 insertions, 0 deletions
diff --git a/queue-5.10/net-mlx5e-fix-a-race-in-command-alloc-flow.patch b/queue-5.10/net-mlx5e-fix-a-race-in-command-alloc-flow.patch
new file mode 100644
index 0000000000..845f3008b2
--- /dev/null
+++ b/queue-5.10/net-mlx5e-fix-a-race-in-command-alloc-flow.patch
@@ -0,0 +1,122 @@ +From 8f5100da56b3980276234e812ce98d8f075194cd Mon Sep 17 00:00:00 2001 +From: Shifeng Li <lishifeng@sangfor.com.cn> +Date: Sat, 2 Dec 2023 00:01:26 -0800 +Subject: net/mlx5e: Fix a race in command alloc flow + +From: Shifeng Li <lishifeng@sangfor.com.cn> + +commit 8f5100da56b3980276234e812ce98d8f075194cd upstream. + +Fix a cmd->ent use after free due to a race on command entry. +Such race occurs when one of the commands releases its last refcount and +frees its index and entry while another process running command flush +flow takes refcount to this command entry. The process which handles +commands flush may see this command as needed to be flushed if the other +process allocated a ent->idx but didn't set ent to cmd->ent_arr in +cmd_work_handler(). Fix it by moving the assignment of cmd->ent_arr into +the spin lock. + +[70013.081955] BUG: KASAN: use-after-free in mlx5_cmd_trigger_completions+0x1e2/0x4c0 [mlx5_core] +[70013.081967] Write of size 4 at addr ffff88880b1510b4 by task kworker/26:1/1433361 +[70013.081968] +[70013.082028] Workqueue: events aer_isr +[70013.082053] Call Trace: +[70013.082067] dump_stack+0x8b/0xbb +[70013.082086] print_address_description+0x6a/0x270 +[70013.082102] kasan_report+0x179/0x2c0 +[70013.082173] mlx5_cmd_trigger_completions+0x1e2/0x4c0 [mlx5_core] +[70013.082267] mlx5_cmd_flush+0x80/0x180 [mlx5_core] +[70013.082304] mlx5_enter_error_state+0x106/0x1d0 [mlx5_core] +[70013.082338] mlx5_try_fast_unload+0x2ea/0x4d0 [mlx5_core] +[70013.082377] remove_one+0x200/0x2b0 [mlx5_core] +[70013.082409] pci_device_remove+0xf3/0x280 +[70013.082439] device_release_driver_internal+0x1c3/0x470 +[70013.082453] pci_stop_bus_device+0x109/0x160 +[70013.082468] pci_stop_and_remove_bus_device+0xe/0x20 +[70013.082485] pcie_do_fatal_recovery+0x167/0x550 +[70013.082493] aer_isr+0x7d2/0x960 +[70013.082543] process_one_work+0x65f/0x12d0 +[70013.082556] worker_thread+0x87/0xb50 +[70013.082571] kthread+0x2e9/0x3a0 +[70013.082592] 
ret_from_fork+0x1f/0x40 + +The logical relationship of this error is as follows: + + aer_recover_work | ent->work +-------------------------------------------+------------------------------ +aer_recover_work_func | +|- pcie_do_recovery | + |- report_error_detected | + |- mlx5_pci_err_detected |cmd_work_handler + |- mlx5_enter_error_state | |- cmd_alloc_index + |- enter_error_state | |- lock cmd->alloc_lock + |- mlx5_cmd_flush | |- clear_bit + |- mlx5_cmd_trigger_completions| |- unlock cmd->alloc_lock + |- lock cmd->alloc_lock | + |- vector = ~dev->cmd.vars.bitmask + |- for_each_set_bit | + |- cmd_ent_get(cmd->ent_arr[i]) (UAF) + |- unlock cmd->alloc_lock | |- cmd->ent_arr[ent->idx]=ent + +The cmd->ent_arr[ent->idx] assignment and the bit clearing are not +protected by the cmd->alloc_lock in cmd_work_handler(). + +Fixes: 50b2412b7e78 ("net/mlx5: Avoid possible free of command entry while timeout comp handler") +Reviewed-by: Moshe Shemesh <moshe@nvidia.com> +Signed-off-by: Shifeng Li <lishifeng@sangfor.com.cn> +Signed-off-by: Saeed Mahameed <saeedm@nvidia.com> +Signed-off-by: Samasth Norway Ananda <samasth.norway.ananda@oracle.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + drivers/net/ethernet/mellanox/mlx5/core/cmd.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +--- a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c +@@ -114,15 +114,18 @@ static u8 alloc_token(struct mlx5_cmd *c + return token; + } + +-static int cmd_alloc_index(struct mlx5_cmd *cmd) ++static int cmd_alloc_index(struct mlx5_cmd *cmd, struct mlx5_cmd_work_ent *ent) + { + unsigned long flags; + int ret; + + spin_lock_irqsave(&cmd->alloc_lock, flags); + ret = find_first_bit(&cmd->bitmask, cmd->max_reg_cmds); +- if (ret < cmd->max_reg_cmds) ++ if (ret < cmd->max_reg_cmds) { + clear_bit(ret, &cmd->bitmask); ++ ent->idx = ret; ++ cmd->ent_arr[ent->idx] = ent; ++ } + 
spin_unlock_irqrestore(&cmd->alloc_lock, flags);
+
+ return ret < cmd->max_reg_cmds ? ret : -ENOMEM;
+@@ -912,7 +915,7 @@ static void cmd_work_handler(struct work
+ sem = ent->page_queue ? &cmd->pages_sem : &cmd->sem;
+ down(sem);
+ if (!ent->page_queue) {
+- alloc_ret = cmd_alloc_index(cmd);
++ alloc_ret = cmd_alloc_index(cmd, ent);
+ if (alloc_ret < 0) {
+ mlx5_core_err_rl(dev, "failed to allocate command entry\n");
+ if (ent->callback) {
+@@ -927,15 +930,14 @@ static void cmd_work_handler(struct work
+ up(sem);
+ return;
+ }
+- ent->idx = alloc_ret;
+ } else {
+ ent->idx = cmd->max_reg_cmds;
+ spin_lock_irqsave(&cmd->alloc_lock, flags);
+ clear_bit(ent->idx, &cmd->bitmask);
++ cmd->ent_arr[ent->idx] = ent;
+ spin_unlock_irqrestore(&cmd->alloc_lock, flags);
+ }
+
+- cmd->ent_arr[ent->idx] = ent;
+ lay = get_inst(cmd, ent->idx);
+ ent->lay = lay;
+ memset(lay, 0, sizeof(*lay));
diff --git a/queue-5.10/series b/queue-5.10/series
index 7a9cc83fed..8cdd2fcab2 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
@@ -107,3 +107,6 @@ af_unix-suppress-false-positive-lockdep-splat-for-sp.patch
 serial-core-provide-port-lock-wrappers.patch
 serial-mxs-auart-add-spinlock-around-changing-cts-st.patch
 revert-crypto-api-disallow-identical-driver-names.patch
+net-mlx5e-fix-a-race-in-command-alloc-flow.patch
+tracing-show-size-of-requested-perf-buffer.patch
+tracing-increase-perf_max_trace_size-to-handle-sentinel1-and-docker-together.patch
diff --git a/queue-5.10/tracing-increase-perf_max_trace_size-to-handle-sentinel1-and-docker-together.patch b/queue-5.10/tracing-increase-perf_max_trace_size-to-handle-sentinel1-and-docker-together.patch
new file mode 100644
index 0000000000..50d821c58b
--- /dev/null
+++ b/queue-5.10/tracing-increase-perf_max_trace_size-to-handle-sentinel1-and-docker-together.patch
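Review bot: The reworked cmd_alloc_index() now stores `ent->idx` and `cmd->ent_arr[ent->idx]` inside the `cmd->alloc_lock` critical section alongside `clear_bit()`, but nothing in the hunk records that this pairing is the invariant the flush path depends on, so a later cleanup could hoist the array store back out of the lock and silently reintroduce the use-after-free this commit fixes. I would add above the `if (ret < cmd->max_reg_cmds) {` block: `/* Publish ent->idx and ent_arr[] under alloc_lock together with the bitmask bit: mlx5_cmd_trigger_completions() walks the cleared bits under the same lock and must never find a slot whose entry pointer is unset or stale. On success ent->idx is written; the caller must not rely on the return value as the index. */`, and the same one-line note at the `cmd->ent_arr[ent->idx] = ent;` store in the `page_queue` branch of cmd_work_handler(), whose body continues outside the hunk. As far as the hunk shows, the fix only protects readers that take `alloc_lock`; any other path in the 5.10 tree that indexes `ent_arr[]` from the bitmask without it would still race, which is worth confirming against the completion-handler path before this is queued.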
@@ -0,0 +1,85 @@ +From e531e90b5ab0f7ce5ff298e165214c1aec6ed187 Mon Sep 17 00:00:00 2001 +From: "Robin H. Johnson" <robbat2@gentoo.org> +Date: Mon, 30 Aug 2021 21:37:23 -0700 +Subject: tracing: Increase PERF_MAX_TRACE_SIZE to handle Sentinel1 and docker together + +From: Robin H. Johnson <robbat2@gentoo.org> + +commit e531e90b5ab0f7ce5ff298e165214c1aec6ed187 upstream. + +Running endpoint security solutions like Sentinel1 that use perf-based +tracing heavily lead to this repeated dump complaining about dockerd. +The default value of 2048 is nowhere near not large enough. + +Using the prior patch "tracing: show size of requested buffer", we get +"perf buffer not large enough, wanted 6644, have 6144", after repeated +up-sizing (I did 2/4/6/8K). With 8K, the problem doesn't occur at all, +so below is the trace for 6K. + +I'm wondering if this value should be selectable at boot time, but this +is a good starting point. + +``` +------------[ cut here ]------------ +perf buffer not large enough, wanted 6644, have 6144 +WARNING: CPU: 1 PID: 4997 at kernel/trace/trace_event_perf.c:402 perf_trace_buf_alloc+0x8c/0xa0 +Modules linked in: [..] 
+CPU: 1 PID: 4997 Comm: sh Tainted: G T 5.13.13-x86_64-00039-gb3959163488e #63 +Hardware name: LENOVO 20KH002JUS/20KH002JUS, BIOS N23ET66W (1.41 ) 09/02/2019 +RIP: 0010:perf_trace_buf_alloc+0x8c/0xa0 +Code: 80 3d 43 97 d0 01 00 74 07 31 c0 5b 5d 41 5c c3 ba 00 18 00 00 89 ee 48 c7 c7 00 82 7d 91 c6 05 25 97 d0 01 01 e8 22 ee bc 00 <0f> 0b 31 c0 eb db 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 55 89 +RSP: 0018:ffffb922026b7d58 EFLAGS: 00010282 +RAX: 0000000000000000 RBX: ffff9da5ee012000 RCX: 0000000000000027 +RDX: ffff9da881657828 RSI: 0000000000000001 RDI: ffff9da881657820 +RBP: 00000000000019f4 R08: 0000000000000000 R09: ffffb922026b7b80 +R10: ffffb922026b7b78 R11: ffffffff91dda688 R12: 000000000000000f +R13: ffff9da5ee012108 R14: ffff9da8816570a0 R15: ffffb922026b7e30 +FS: 00007f420db1a080(0000) GS:ffff9da881640000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 0000000000000060 CR3: 00000002504a8006 CR4: 00000000003706e0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + kprobe_perf_func+0x11e/0x270 + ? do_execveat_common.isra.0+0x1/0x1c0 + ? do_execveat_common.isra.0+0x5/0x1c0 + kprobe_ftrace_handler+0x10e/0x1d0 + 0xffffffffc03aa0c8 + ? do_execveat_common.isra.0+0x1/0x1c0 + do_execveat_common.isra.0+0x5/0x1c0 + __x64_sys_execve+0x33/0x40 + do_syscall_64+0x6b/0xc0 + ? 
do_syscall_64+0x11/0xc0
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+RIP: 0033:0x7f420dc1db37
+Code: ff ff 76 e7 f7 d8 64 41 89 00 eb df 0f 1f 80 00 00 00 00 f7 d8 64 41 89 00 eb dc 0f 1f 84 00 00 00 00 00 b8 3b 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 01 43 0f 00 f7 d8 64 89 01 48
+RSP: 002b:00007ffd4e8b4e38 EFLAGS: 00000246 ORIG_RAX: 000000000000003b
+RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f420dc1db37
+RDX: 0000564338d1e740 RSI: 0000564338d32d50 RDI: 0000564338d28f00
+RBP: 0000564338d28f00 R08: 0000564338d32d50 R09: 0000000000000020
+R10: 00000000000001b6 R11: 0000000000000246 R12: 0000564338d28f00
+R13: 0000564338d32d50 R14: 0000564338d1e740 R15: 0000564338d28c60
+---[ end trace 83ab3e8e16275e49 ]---
+```
+
+Link: https://lkml.kernel.org/r/20210831043723.13481-2-robbat2@gentoo.org
+
+Signed-off-by: Robin H. Johnson <robbat2@gentoo.org>
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/trace_events.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/include/linux/trace_events.h
++++ b/include/linux/trace_events.h
+@@ -577,7 +577,7 @@ struct trace_event_file {
+ } \
+ early_initcall(trace_init_perf_perm_##name);
+
+-#define PERF_MAX_TRACE_SIZE 2048
++#define PERF_MAX_TRACE_SIZE 8192
+
+ #define MAX_FILTER_STR_VAL 256U /* Should handle KSYM_SYMBOL_LEN */
+
diff --git a/queue-5.10/tracing-show-size-of-requested-perf-buffer.patch b/queue-5.10/tracing-show-size-of-requested-perf-buffer.patch
new file mode 100644
index 0000000000..0c6a736e71
--- /dev/null
+++ b/queue-5.10/tracing-show-size-of-requested-perf-buffer.patch
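Review bot: The `#define PERF_MAX_TRACE_SIZE 8192` in include/linux/trace_events.h replaces one bare magic number with another and leaves no comment on what the constant bounds or why 8192 was picked, even though the commit message admits the value came from trial (`I did 2/4/6/8K`) and suggests it should really be tunable. I would add above the define: `/* Upper bound on a single perf trace event record. 8192 was chosen empirically to fit kprobe fetches of large execve argv from EDR tooling (see commit message); must stay a multiple of sizeof(unsigned long), which perf_trace_buf_alloc() BUILD_BUG_ON's. */`. Presumably this constant also sizes the per-CPU perf trace buffers, in which case the 4x bump is a non-trivial memory-footprint change for a stable backport and deserves a sentence in the queued patch's description; confirm against the perf_trace_buf allocation in the 5.10 tree.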
@@ -0,0 +1,34 @@
+From a90afe8d020da9298c98fddb19b7a6372e2feb45 Mon Sep 17 00:00:00 2001
+From: "Robin H. Johnson" <robbat2@gentoo.org>
+Date: Mon, 30 Aug 2021 21:37:22 -0700
+Subject: tracing: Show size of requested perf buffer
+
+From: Robin H. Johnson <robbat2@gentoo.org>
+
+commit a90afe8d020da9298c98fddb19b7a6372e2feb45 upstream.
+
+If the perf buffer isn't large enough, provide a hint about how large it
+needs to be for whatever is running.
+
+Link: https://lkml.kernel.org/r/20210831043723.13481-1-robbat2@gentoo.org
+
+Signed-off-by: Robin H. Johnson <robbat2@gentoo.org>
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
+---
+ kernel/trace/trace_event_perf.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/kernel/trace/trace_event_perf.c
++++ b/kernel/trace/trace_event_perf.c
+@@ -400,7 +400,8 @@ void *perf_trace_buf_alloc(int size, str
+ BUILD_BUG_ON(PERF_MAX_TRACE_SIZE % sizeof(unsigned long));
+
+ if (WARN_ONCE(size > PERF_MAX_TRACE_SIZE,
+- "perf buffer not large enough"))
++ "perf buffer not large enough, wanted %d, have %d",
++ size, PERF_MAX_TRACE_SIZE))
+ return NULL;
+
+ *rctxp = rctx = perf_swevent_get_recursion_context(); |
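Review bot: Because the report stays a `WARN_ONCE`, the new `wanted %d` hint in perf_trace_buf_alloc() only ever shows the size of the first oversize request; a later, larger event is dropped silently, so an operator who bumps `PERF_MAX_TRACE_SIZE` to the printed value can still hit the same rejection without any further message. That should at least be stated next to the check, e.g. `/* Only the first oversize request is reported; later larger ones fail silently. */`, and if a stronger signal is wanted the hint could report a running maximum instead of the first value. Separately, the comparison still admits a negative `size` (an `int`) unchanged from before; whether that matters depends on what the rest of perf_trace_buf_alloc() does with it, which continues outside the hunk. Note also that the format string, like the original, has no trailing newline.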