From: Julian Wiedmann <jwi@linux.ibm.com>
Subject: s390/qeth: conclude all event processing before offlining a card
Patch-mainline: v5.0-rc6
Git-commit: c0a2e4d10d9366ada133a8ae4ff2f32397f8b15b
References: LTC#175901, bsc#1127567
Description: qeth: conclude all event processing before offlining a card
Symptom: Undefined behaviour when a qeth device is in Bridgeport mode
and eligible to receive associated events
(Address Change Notifications, State Change Notifications).
Problem: Work for Bridgeport events is currently placed on a
driver-wide workqueue. If the card is removed and freed while
any such work is still active, this causes a use-after-free.
Solution: Put the events on a per-card queue, where we can control
their lifetime. As we also don't want stale events to last
beyond an offline & online cycle, flush this queue when
setting the card offline.
Reproduction: -
Upstream-Description:
s390/qeth: conclude all event processing before offlining a card
Work for Bridgeport events is currently placed on a driver-wide
workqueue. If the card is removed and freed while any such work is still
active, this causes a use-after-free.
So put the events on a per-card queue, where we can control their
lifetime. As we also don't want stale events to last beyond an
offline & online cycle, flush this queue when setting the card offline.
Fixes: b4d72c08b358 ("qeth: bridgeport support - basic control")
Signed-off-by: Julian Wiedmann <jwi@linux.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Julian Wiedmann <jwi@linux.ibm.com>
Acked-by: Denis Kirjanov <dkirjanov@suse.com>
---
drivers/s390/net/qeth_core.h | 2 +-
drivers/s390/net/qeth_core_main.c | 14 ++++++++++----
drivers/s390/net/qeth_l2_main.c | 6 ++++--
drivers/s390/net/qeth_l3_main.c | 2 ++
4 files changed, 17 insertions(+), 7 deletions(-)
--- a/drivers/s390/net/qeth_core.h
+++ b/drivers/s390/net/qeth_core.h
@@ -806,6 +806,7 @@ struct qeth_card {
struct qeth_seqno seqno;
struct qeth_card_options options;
+ struct workqueue_struct *event_wq;
wait_queue_head_t wait_q;
spinlock_t vlanlock;
spinlock_t mclock;
@@ -922,7 +923,6 @@ extern const struct attribute_group *qet
extern const struct attribute_group qeth_device_attr_group;
extern const struct attribute_group qeth_device_blkt_group;
extern const struct device_type qeth_generic_devtype;
-extern struct workqueue_struct *qeth_wq;
int qeth_card_hw_is_reachable(struct qeth_card *);
const char *qeth_get_cardname_short(struct qeth_card *);
--- a/drivers/s390/net/qeth_core_main.c
+++ b/drivers/s390/net/qeth_core_main.c
@@ -75,8 +75,7 @@ static void qeth_notify_skbs(struct qeth
static void qeth_release_skbs(struct qeth_qdio_out_buffer *buf);
static int qeth_init_qdio_out_buf(struct qeth_qdio_out_q *, int);
-struct workqueue_struct *qeth_wq;
-EXPORT_SYMBOL_GPL(qeth_wq);
+static struct workqueue_struct *qeth_wq;
int qeth_card_hw_is_reachable(struct qeth_card *card)
{
@@ -1513,7 +1512,7 @@ static void qeth_core_sl_print(struct se
CARD_BUS_ID(card), card->info.mcl_level);
}
-static struct qeth_card *qeth_alloc_card(void)
+static struct qeth_card *qeth_alloc_card(struct ccwgroup_device *gdev)
{
struct qeth_card *card;
@@ -1522,6 +1521,10 @@ static struct qeth_card *qeth_alloc_card
if (!card)
goto out;
QETH_DBF_HEX(SETUP, 2, &card, sizeof(void *));
+
+ card->event_wq = alloc_ordered_workqueue("%s", 0, dev_name(&gdev->dev));
+ if (!card->event_wq)
+ goto out_wq;
if (qeth_setup_channel(&card->read))
goto out_ip;
if (qeth_setup_channel(&card->write))
@@ -1534,6 +1537,8 @@ static struct qeth_card *qeth_alloc_card
out_channel:
qeth_clean_channel(&card->read);
out_ip:
+ destroy_workqueue(card->event_wq);
+out_wq:
kfree(card);
out:
return NULL;
@@ -5053,6 +5058,7 @@ static void qeth_core_free_card(struct q
QETH_DBF_HEX(SETUP, 2, &card, sizeof(void *));
qeth_clean_channel(&card->read);
qeth_clean_channel(&card->write);
+ destroy_workqueue(card->event_wq);
qeth_free_qdio_buffers(card);
unregister_service_level(&card->qeth_service_level);
kfree(card);
@@ -5719,7 +5725,7 @@ static int qeth_core_probe_device(struct
QETH_DBF_TEXT_(SETUP, 2, "%s", dev_name(&gdev->dev));
- card = qeth_alloc_card();
+ card = qeth_alloc_card(gdev);
if (!card) {
QETH_DBF_TEXT_(SETUP, 2, "1err%d", -ENOMEM);
rc = -ENOMEM;
--- a/drivers/s390/net/qeth_l2_main.c
+++ b/drivers/s390/net/qeth_l2_main.c
@@ -442,6 +442,8 @@ static void qeth_l2_stop_card(struct qet
qeth_clear_cmd_buffers(&card->read);
qeth_clear_cmd_buffers(&card->write);
}
+
+ flush_workqueue(card->event_wq);
}
static int qeth_l2_process_inbound_buffer(struct qeth_card *card,
@@ -1624,7 +1626,7 @@ static void qeth_bridge_state_change(str
data->card = card;
memcpy(&data->qports, qports,
sizeof(struct qeth_sbp_state_change) + extrasize);
- queue_work(qeth_wq, &data->worker);
+ queue_work(card->event_wq, &data->worker);
}
struct qeth_bridge_host_data {
@@ -1696,7 +1698,7 @@ static void qeth_bridge_host_event(struc
data->card = card;
memcpy(&data->hostevs, hostevs,
sizeof(struct qeth_ipacmd_addr_change) + extrasize);
- queue_work(qeth_wq, &data->worker);
+ queue_work(card->event_wq, &data->worker);
}
/* SETBRIDGEPORT support; sending commands */
--- a/drivers/s390/net/qeth_l3_main.c
+++ b/drivers/s390/net/qeth_l3_main.c
@@ -1912,6 +1912,8 @@ static void qeth_l3_stop_card(struct qet
qeth_clear_cmd_buffers(&card->read);
qeth_clear_cmd_buffers(&card->write);
}
+
+ flush_workqueue(card->event_wq);
}
/*