| Message ID | 20241029094259.77738-1-wojciech.drewek@intel.com (mailing list archive) |
|---|---|
| State | Awaiting Upstream |
| Delegated to: | Netdev Maintainers |
| Headers | show |
| Series | [net-next] ice: Fix NULL pointer dereference in switchdev | expand |
On Tue, Oct 29, 2024 at 10:42:59AM +0100, Wojciech Drewek wrote: > Commit ("virtchnl: support queue rate limit and quanta size It would be nice to include 12 characters of sha1 hash immediately after "Commit". > configuration") introduced new virtchnl ops: > - get_qos_caps > - cfg_q_bw > - cfg_q_quanta > > New ops were added to ice_virtchnl_dflt_ops but not to the > ice_virtchnl_repr_ops. Because of that, if we get one of those > messages in switchdev mode we end up with NULL pointer dereference: > > [ 1199.794701] BUG: kernel NULL pointer dereference, address: 0000000000000000 > [ 1199.794804] Workqueue: ice ice_service_task [ice] > [ 1199.794878] RIP: 0010:0x0 > [ 1199.795027] Call Trace: > [ 1199.795033] <TASK> > [ 1199.795039] ? __die+0x20/0x70 > [ 1199.795051] ? page_fault_oops+0x140/0x520 > [ 1199.795064] ? exc_page_fault+0x7e/0x270 > [ 1199.795074] ? asm_exc_page_fault+0x22/0x30 > [ 1199.795086] ice_vc_process_vf_msg+0x6e5/0xd30 [ice] > [ 1199.795165] __ice_clean_ctrlq+0x734/0x9d0 [ice] > [ 1199.795207] ice_service_task+0xccf/0x12b0 [ice] > [ 1199.795248] process_one_work+0x21a/0x620 > [ 1199.795260] worker_thread+0x18d/0x330 > [ 1199.795269] ? __pfx_worker_thread+0x10/0x10 > [ 1199.795279] kthread+0xec/0x120 > [ 1199.795288] ? __pfx_kthread+0x10/0x10 > [ 1199.795296] ret_from_fork+0x2d/0x50 > [ 1199.795305] ? __pfx_kthread+0x10/0x10 > [ 1199.795312] ret_from_fork_asm+0x1a/0x30 > [ 1199.795323] </TASK> It seems that the cited commit is present in net-next but not Linus's tree. But, regardless, I think a Fixes tag is warranted. > > Reviewed-by: Przemek Kitszel <przemyslaw.kitszel@intel.com> > Reviewed-by: Michal Swiatkowski <michal.swiatkowski@linux.intel.com> > Signed-off-by: Wojciech Drewek <wojciech.drewek@intel.com> The fix itself looks good to me, thanks. Reviewed-by: Simon Horman <horms@kernel.org> ...
> -----Original Message----- > From: Intel-wired-lan <intel-wired-lan-bounces@osuosl.org> On Behalf Of > Wojciech Drewek > Sent: Tuesday, October 29, 2024 3:13 PM > To: intel-wired-lan@lists.osuosl.org > Cc: netdev@vger.kernel.org > Subject: [Intel-wired-lan] [PATCH net-next] ice: Fix NULL pointer dereference > in switchdev > > Commit ("virtchnl: support queue rate limit and quanta size > configuration") introduced new virtchnl ops: > - get_qos_caps > - cfg_q_bw > - cfg_q_quanta > > New ops were added to ice_virtchnl_dflt_ops but not to the > ice_virtchnl_repr_ops. Because of that, if we get one of those messages in > switchdev mode we end up with NULL pointer dereference: > > [ 1199.794701] BUG: kernel NULL pointer dereference, address: > 0000000000000000 [ 1199.794804] Workqueue: ice ice_service_task [ice] [ > 1199.794878] RIP: 0010:0x0 [ 1199.795027] Call Trace: > [ 1199.795033] <TASK> > [ 1199.795039] ? __die+0x20/0x70 > [ 1199.795051] ? page_fault_oops+0x140/0x520 [ 1199.795064] ? > exc_page_fault+0x7e/0x270 [ 1199.795074] ? > asm_exc_page_fault+0x22/0x30 [ 1199.795086] > ice_vc_process_vf_msg+0x6e5/0xd30 [ice] [ 1199.795165] > __ice_clean_ctrlq+0x734/0x9d0 [ice] [ 1199.795207] > ice_service_task+0xccf/0x12b0 [ice] [ 1199.795248] > process_one_work+0x21a/0x620 [ 1199.795260] > worker_thread+0x18d/0x330 [ 1199.795269] ? > __pfx_worker_thread+0x10/0x10 [ 1199.795279] kthread+0xec/0x120 [ > 1199.795288] ? __pfx_kthread+0x10/0x10 [ 1199.795296] > ret_from_fork+0x2d/0x50 [ 1199.795305] ? __pfx_kthread+0x10/0x10 [ > 1199.795312] ret_from_fork_asm+0x1a/0x30 [ 1199.795323] </TASK> > > Reviewed-by: Przemek Kitszel <przemyslaw.kitszel@intel.com> > Reviewed-by: Michal Swiatkowski <michal.swiatkowski@linux.intel.com> > Signed-off-by: Wojciech Drewek <wojciech.drewek@intel.com> > --- > drivers/net/ethernet/intel/ice/ice_virtchnl.c | 6 ++++++ > 1 file changed, 6 insertions(+) > Tested-by: Sujai Buvaneswaran <sujai.buvaneswaran@intel.com>
diff --git a/drivers/net/ethernet/intel/ice/ice_virtchnl.c b/drivers/net/ethernet/intel/ice/ice_virtchnl.c index f445e33b2028..ff4ad788d96a 100644 --- a/drivers/net/ethernet/intel/ice/ice_virtchnl.c +++ b/drivers/net/ethernet/intel/ice/ice_virtchnl.c @@ -4128,6 +4128,9 @@ static const struct ice_virtchnl_ops ice_virtchnl_dflt_ops = { .get_qos_caps = ice_vc_get_qos_caps, .cfg_q_bw = ice_vc_cfg_q_bw, .cfg_q_quanta = ice_vc_cfg_q_quanta, + /* If you add a new op here please make sure to add it to + * ice_virtchnl_repr_ops as well. + */ }; /** @@ -4258,6 +4261,9 @@ static const struct ice_virtchnl_ops ice_virtchnl_repr_ops = { .dis_vlan_stripping_v2_msg = ice_vc_dis_vlan_stripping_v2_msg, .ena_vlan_insertion_v2_msg = ice_vc_ena_vlan_insertion_v2_msg, .dis_vlan_insertion_v2_msg = ice_vc_dis_vlan_insertion_v2_msg, + .get_qos_caps = ice_vc_get_qos_caps, + .cfg_q_bw = ice_vc_cfg_q_bw, + .cfg_q_quanta = ice_vc_cfg_q_quanta, }; /**
Commit ("virtchnl: support queue rate limit and quanta size configuration") introduced new virtchnl ops: - get_qos_caps - cfg_q_bw - cfg_q_quanta New ops were added to ice_virtchnl_dflt_ops but not to the ice_virtchnl_repr_ops. Because of that, if we get one of those messages in switchdev mode we end up with NULL pointer dereference: [ 1199.794701] BUG: kernel NULL pointer dereference, address: 0000000000000000 [ 1199.794804] Workqueue: ice ice_service_task [ice] [ 1199.794878] RIP: 0010:0x0 [ 1199.795027] Call Trace: [ 1199.795033] <TASK> [ 1199.795039] ? __die+0x20/0x70 [ 1199.795051] ? page_fault_oops+0x140/0x520 [ 1199.795064] ? exc_page_fault+0x7e/0x270 [ 1199.795074] ? asm_exc_page_fault+0x22/0x30 [ 1199.795086] ice_vc_process_vf_msg+0x6e5/0xd30 [ice] [ 1199.795165] __ice_clean_ctrlq+0x734/0x9d0 [ice] [ 1199.795207] ice_service_task+0xccf/0x12b0 [ice] [ 1199.795248] process_one_work+0x21a/0x620 [ 1199.795260] worker_thread+0x18d/0x330 [ 1199.795269] ? __pfx_worker_thread+0x10/0x10 [ 1199.795279] kthread+0xec/0x120 [ 1199.795288] ? __pfx_kthread+0x10/0x10 [ 1199.795296] ret_from_fork+0x2d/0x50 [ 1199.795305] ? __pfx_kthread+0x10/0x10 [ 1199.795312] ret_from_fork_asm+0x1a/0x30 [ 1199.795323] </TASK> Reviewed-by: Przemek Kitszel <przemyslaw.kitszel@intel.com> Reviewed-by: Michal Swiatkowski <michal.swiatkowski@linux.intel.com> Signed-off-by: Wojciech Drewek <wojciech.drewek@intel.com> --- drivers/net/ethernet/intel/ice/ice_virtchnl.c | 6 ++++++ 1 file changed, 6 insertions(+)