From 1724f7913cd2f4dd09b0c28419dcbebe7ca5beb7 Mon Sep 17 00:00:00 2001
From: Kernel Build Daemon
Date: Mar 29 2024 06:00:08 +0000
Subject: Merge branch 'SLE15-SP6-GA' into ALP-current-GA
---
diff --git a/patches.suse/net-bnx2x-Prevent-access-to-a-freed-page-in-page_poo.patch b/patches.suse/net-bnx2x-Prevent-access-to-a-freed-page-in-page_poo.patch
new file mode 100644
index 0000000..84c3537
--- /dev/null
+++ b/patches.suse/net-bnx2x-Prevent-access-to-a-freed-page-in-page_poo.patch
@@ -0,0 +1,82 @@
+From: Thinh Tran
+Date: Fri, 15 Mar 2024 15:55:35 -0500
+Subject: net/bnx2x: Prevent access to a freed page in page_pool
+Patch-mainline: v6.9-rc1
+Git-commit: d27e2da94a42655861ca4baea30c8cd65546f25d
+References: bsc#1215322
+
+Fix race condition leading to system crash during EEH error handling
+
+During EEH error recovery, the bnx2x driver's transmit timeout logic
+could cause a race condition when handling reset tasks. The
+bnx2x_tx_timeout() schedules reset tasks via bnx2x_sp_rtnl_task(),
+which ultimately leads to bnx2x_nic_unload(). In bnx2x_nic_unload()
+SGEs are freed using bnx2x_free_rx_sge_range(). However, this could
+overlap with the EEH driver's attempt to reset the device using
+bnx2x_io_slot_reset(), which also tries to free SGEs. This race
+condition can result in system crashes due to accessing freed memory
+locations in bnx2x_free_rx_sge()
+
+799 static inline void bnx2x_free_rx_sge(struct bnx2x *bp,
+800 struct bnx2x_fastpath *fp, u16 index)
+801 {
+802 struct sw_rx_page *sw_buf = &fp->rx_page_ring[index];
+803 struct page *page = sw_buf->page;
+....
+where sw_buf was set to NULL after the call to dma_unmap_page()
+by the preceding thread.
+
+ EEH: Beginning: 'slot_reset'
+ PCI 0011:01:00.0#10000: EEH: Invoking bnx2x->slot_reset()
+ bnx2x: [bnx2x_io_slot_reset:14228(eth1)]IO slot reset initializing...
+ bnx2x 0011:01:00.0: enabling device (0140 -> 0142)
+ bnx2x: [bnx2x_io_slot_reset:14244(eth1)]IO slot reset --> driver unload
+ Kernel attempted to read user page (0) - exploit attempt? (uid: 0)
+ BUG: Kernel NULL pointer dereference on read at 0x00000000
+ Faulting instruction address: 0xc0080000025065fc
+ Oops: Kernel access of bad area, sig: 11 [#1]
+ .....
+ Call Trace:
+ [c000000003c67a20] [c00800000250658c] bnx2x_io_slot_reset+0x204/0x610 [bnx2x] (unreliable)
+ [c000000003c67af0] [c0000000000518a8] eeh_report_reset+0xb8/0xf0
+ [c000000003c67b60] [c000000000052130] eeh_pe_report+0x180/0x550
+ [c000000003c67c70] [c00000000005318c] eeh_handle_normal_event+0x84c/0xa60
+ [c000000003c67d50] [c000000000053a84] eeh_event_handler+0xf4/0x170
+ [c000000003c67da0] [c000000000194c58] kthread+0x1c8/0x1d0
+ [c000000003c67e10] [c00000000000cf64] ret_from_kernel_thread+0x5c/0x64
+
+To solve this issue, we need to verify page pool allocations before
+freeing.
+
+Fixes: 4cace675d687 ("bnx2x: Alloc 4k fragment for each rx ring buffer element")
+Signed-off-by: Thinh Tran
+Reviewed-by: Jiri Pirko
+Link: https://lore.kernel.org/r/20240315205535.1321-1-thinhtr@linux.ibm.com
+Signed-off-by: Jakub Kicinski
+Acked-by: Thomas Bogendoerfer
+---
+ drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h
++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h
+@@ -1002,9 +1002,6 @@ static inline void bnx2x_set_fw_mac_addr
+ static inline void bnx2x_free_rx_mem_pool(struct bnx2x *bp,
+ struct bnx2x_alloc_pool *pool)
+ {
+- if (!pool->page)
+- return;
+-
+ put_page(pool->page);
+
+ pool->page = NULL;
+@@ -1015,6 +1012,9 @@ static inline void bnx2x_free_rx_sge_ran
+ {
+ int i;
+
++ if (!fp->page_pool.page)
++ return;
++
+ if (fp->mode == TPA_MODE_DISABLED)
+ return;
+
diff --git a/series.conf b/series.conf
index ea10daf..41b82c1 100644
--- a/series.conf
+++ b/series.conf
@@ -20053,6 +20053,7 @@
 patches.suse/uio_dmem_genirq-uio_mem_dma_coherent-conversion.patch
 patches.suse/kbuild-Use-fmin-function-alignment-when-available.patch
 patches.suse/net-sched-Add-module-alias-for-sch_fq_pie.patch
+ patches.suse/net-bnx2x-Prevent-access-to-a-freed-page-in-page_poo.patch
 ########################################################
 # end of sorted patches
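Review bot: The guard added to bnx2x_free_rx_sge_range() in the second inner hunk, `if (!fp->page_pool.page) return;`, is an unlocked check-then-free, so it stops a repeated teardown but not two truly concurrent ones: the description calls this a race between the bnx2x_sp_rtnl_task() unload and bnx2x_io_slot_reset(), and both could pass the test before either reaches `pool->page = NULL`. If those paths are in fact serialised (presumably by rtnl_lock, which these hunks do not show), that assumption should be stated at the guard, for example `/* SGEs already released by an earlier unload/reset; callers are serialised by rtnl_lock */`. Dropping the NULL test from bnx2x_free_rx_mem_pool() in the first inner hunk also makes `put_page(pool->page)` unconditional, so any caller other than bnx2x_free_rx_sge_range() must now guarantee a non-NULL page; the call sites are outside the hunk and are worth checking. Both function bodies continue beyond the lines shown.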