| Message ID | 20231006111139.1560132-1-mschmidt@redhat.com (mailing list archive) |
|---|---|
| State | Awaiting Upstream |
| Delegated to: | Netdev Maintainers |
| Headers | show |
| Series | [net] i40e: prevent crash on probe if hw registers have invalid values | expand |
On Fri, Oct 06, 2023 at 01:11:39PM +0200, Michal Schmidt wrote: > The hardware provides the indexes of the first and the last available > queue and VF. From the indexes, the driver calculates the numbers of > queues and VFs. In theory, a faulty device might say the last index is > smaller than the first index. In that case, the driver's calculation > would underflow, it would attempt to write to non-existent registers > outside of the ioremapped range and crash. > > I ran into this not by having a faulty device, but by an operator error. > I accidentally ran a QE test meant for i40e devices on an ice device. > The test used 'echo i40e > /sys/...ice PCI device.../driver_override', > bound the driver to the device and crashed in one of the wr32 calls in > i40e_clear_hw. > > Add checks to prevent underflows in the calculations of num_queues and > num_vfs. With this fix, the wrong device probing reports errors and > returns a failure without crashing. > > Fixes: 838d41d92a90 ("i40e: clear all queues and interrupts") > Signed-off-by: Michal Schmidt <mschmidt@redhat.com> Reviewed-by: Simon Horman <horms@kernel.org>
> -----Original Message----- > From: Intel-wired-lan <intel-wired-lan-bounces@osuosl.org> On Behalf Of Michal Schmidt > Sent: Friday, October 6, 2023 4:42 PM > To: intel-wired-lan@lists.osuosl.org > Cc: Brandeburg, Jesse <jesse.brandeburg@intel.com>; netdev@vger.kernel.org; Nguyen, Anthony L <anthony.l.nguyen@intel.com>; Jeff Kirsher <jeffrey.t.kirsher@intel.com>; Shannon Nelson <shannon.nelson@amd.com> > Subject: [Intel-wired-lan] [PATCH net] i40e: prevent crash on probe if hw registers have invalid values > > The hardware provides the indexes of the first and the last available > queue and VF. From the indexes, the driver calculates the numbers of > queues and VFs. In theory, a faulty device might say the last index is > smaller than the first index. In that case, the driver's calculation > would underflow, it would attempt to write to non-existent registers > outside of the ioremapped range and crash. > > I ran into this not by having a faulty device, but by an operator error. > I accidentally ran a QE test meant for i40e devices on an ice device. > The test used 'echo i40e > /sys/...ice PCI device.../driver_override', > bound the driver to the device and crashed in one of the wr32 calls in > i40e_clear_hw. > > Add checks to prevent underflows in the calculations of num_queues and > num_vfs. With this fix, the wrong device probing reports errors and > returns a failure without crashing. > > Fixes: 838d41d92a90 ("i40e: clear all queues and interrupts") > Signed-off-by: Michal Schmidt <mschmidt@redhat.com> > --- > drivers/net/ethernet/intel/i40e/i40e_common.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > Tested-by: Pucha Himasekhar Reddy <himasekharx.reddy.pucha@intel.com> (A Contingent worker at Intel)
diff --git a/drivers/net/ethernet/intel/i40e/i40e_common.c b/drivers/net/ethernet/intel/i40e/i40e_common.c index eeef20f77106..1b493854f522 100644 --- a/drivers/net/ethernet/intel/i40e/i40e_common.c +++ b/drivers/net/ethernet/intel/i40e/i40e_common.c @@ -1082,7 +1082,7 @@ void i40e_clear_hw(struct i40e_hw *hw) I40E_PFLAN_QALLOC_FIRSTQ_SHIFT; j = (val & I40E_PFLAN_QALLOC_LASTQ_MASK) >> I40E_PFLAN_QALLOC_LASTQ_SHIFT; - if (val & I40E_PFLAN_QALLOC_VALID_MASK) + if (val & I40E_PFLAN_QALLOC_VALID_MASK && j >= base_queue) num_queues = (j - base_queue) + 1; else num_queues = 0; @@ -1092,7 +1092,7 @@ void i40e_clear_hw(struct i40e_hw *hw) I40E_PF_VT_PFALLOC_FIRSTVF_SHIFT; j = (val & I40E_PF_VT_PFALLOC_LASTVF_MASK) >> I40E_PF_VT_PFALLOC_LASTVF_SHIFT; - if (val & I40E_PF_VT_PFALLOC_VALID_MASK) + if (val & I40E_PF_VT_PFALLOC_VALID_MASK && j >= i) num_vfs = (j - i) + 1; else num_vfs = 0;
The hardware provides the indexes of the first and the last available queue and VF. From the indexes, the driver calculates the numbers of queues and VFs. In theory, a faulty device might say the last index is smaller than the first index. In that case, the driver's calculation would underflow, it would attempt to write to non-existent registers outside of the ioremapped range and crash. I ran into this not by having a faulty device, but by an operator error. I accidentally ran a QE test meant for i40e devices on an ice device. The test used 'echo i40e > /sys/...ice PCI device.../driver_override', bound the driver to the device and crashed in one of the wr32 calls in i40e_clear_hw. Add checks to prevent underflows in the calculations of num_queues and num_vfs. With this fix, the wrong device probing reports errors and returns a failure without crashing. Fixes: 838d41d92a90 ("i40e: clear all queues and interrupts") Signed-off-by: Michal Schmidt <mschmidt@redhat.com> --- drivers/net/ethernet/intel/i40e/i40e_common.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)