[net] bnxt_en: Fix crash in bnxt_get_max_rss_ctx_ring()

Message ID 20240712175318.166811-1-michael.chan@broadcom.com (mailing list archive)
State Accepted
Commit f7ce5eb2cb7993e4417642ac28713a063123461f
Delegated to: Netdev Maintainers
Series [net] bnxt_en: Fix crash in bnxt_get_max_rss_ctx_ring()

Checks

Context Check Description
netdev/series_format success Single patches do not need cover letters
netdev/tree_selection success Clearly marked for net
netdev/ynl success Generated files up to date; no warnings/errors; no diff in generated;
netdev/fixes_present success Fixes tag present in non-next series
netdev/header_inline success No static functions without inline keyword in header files
netdev/build_32bit success Errors and warnings before: 833 this patch: 833
netdev/build_tools success No tools touched, skip
netdev/cc_maintainers success CCed 4 of 4 maintainers
netdev/build_clang success Errors and warnings before: 835 this patch: 835
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/deprecated_api success None detected
netdev/check_selftest success No net selftest shell script
netdev/verify_fixes success Fixes tag looks correct
netdev/build_allmodconfig_warn success Errors and warnings before: 837 this patch: 837
netdev/checkpatch success total: 0 errors, 0 warnings, 0 checks, 9 lines checked
netdev/build_clang_rust success No Rust files in patch. Skipping build
netdev/kdoc success Errors and warnings before: 2 this patch: 2
netdev/source_inline success Was 0 now: 0

Commit Message

Michael Chan July 12, 2024, 5:53 p.m. UTC
On older chips not supporting multiple RSS contexts, reducing
ethtool channels will crash:

BUG: kernel NULL pointer dereference, address: 00000000000000b8
PGD 0 P4D 0
Oops: Oops: 0000 [#1] PREEMPT SMP PTI
CPU: 1 PID: 7032 Comm: ethtool Tainted: G S                 6.10.0-rc4 #1
Hardware name: Dell Inc. PowerEdge R730/072T6D, BIOS 2.4.3 01/17/2017
RIP: 0010:bnxt_get_max_rss_ctx_ring+0x4c/0x90 [bnxt_en]
Code: c3 d3 eb 4c 8b 83 38 01 00 00 48 8d bb 38 01 00 00 4c 39 c7 74 42 41 8d 54 24 ff 31 c0 0f b7 d2 4c 8d 4c 12 02 66 85 ed 74 1d <49> 8b 90 b8 00 00 00 49 8d 34 11 0f b7 0a 66 39 c8 0f 42 c1 48 83
RSP: 0018:ffffaaa501d23ba8 EFLAGS: 00010202
RAX: 0000000000000000 RBX: ffff8efdf600c940 RCX: 0000000000000000
RDX: 000000000000007f RSI: ffffffffacf429c4 RDI: ffff8efdf600ca78
RBP: 0000000000000080 R08: 0000000000000000 R09: 0000000000000100
R10: 0000000000000001 R11: ffffaaa501d238c0 R12: 0000000000000080
R13: 0000000000000000 R14: ffff8efdf600c000 R15: 0000000000000006
FS:  00007f977a7d2740(0000) GS:ffff8f041f840000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000000000b8 CR3: 00000002320aa004 CR4: 00000000003706f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
? __die_body+0x15/0x60
? page_fault_oops+0x157/0x440
? do_user_addr_fault+0x60/0x770
? _raw_spin_lock_irqsave+0x12/0x40
? exc_page_fault+0x61/0x120
? asm_exc_page_fault+0x22/0x30
? bnxt_get_max_rss_ctx_ring+0x4c/0x90 [bnxt_en]
? bnxt_get_max_rss_ctx_ring+0x25/0x90 [bnxt_en]
bnxt_set_channels+0x9d/0x340 [bnxt_en]
ethtool_set_channels+0x14b/0x210
__dev_ethtool+0xdf8/0x2890
? preempt_count_add+0x6a/0xa0
? percpu_counter_add_batch+0x23/0x90
? filemap_map_pages+0x417/0x4a0
? avc_has_extended_perms+0x185/0x420
? __pfx_udp_ioctl+0x10/0x10
? sk_ioctl+0x55/0xf0
? kmalloc_trace_noprof+0xe0/0x210
? dev_ethtool+0x54/0x170
dev_ethtool+0xa2/0x170
dev_ioctl+0xbe/0x530
sock_do_ioctl+0xa3/0xf0
sock_ioctl+0x20d/0x2e0

bp->rss_ctx_list is not initialized if the chip or firmware does not
support multiple RSS contexts.  Fix it by adding a check in
bnxt_get_max_rss_ctx_ring() before proceeding to reference
bp->rss_ctx_list.

Fixes: 0d1b7d6c9274 ("bnxt: fix crashes when reducing ring count with active RSS contexts")
Reported-by: Breno Leitao <leitao@debian.org>
Link: https://lore.kernel.org/netdev/ZpFEJeNpwxW1aW9k@gmail.com/
Reviewed-by: Andy Gospodarek <andrew.gospodarek@broadcom.com>
Signed-off-by: Michael Chan <michael.chan@broadcom.com>
---
 drivers/net/ethernet/broadcom/bnxt/bnxt.c | 3 +++
 1 file changed, 3 insertions(+)

Comments

patchwork-bot+netdevbpf@kernel.org July 13, 2024, 1:10 a.m. UTC | #1
Hello:

This patch was applied to netdev/net.git (main)
by Jakub Kicinski <kuba@kernel.org>:

On Fri, 12 Jul 2024 10:53:18 -0700 you wrote:
> On older chips not supporting multiple RSS contexts, reducing
> ethtool channels will crash:
> 
> [...]

Here is the summary with links:
  - [net] bnxt_en: Fix crash in bnxt_get_max_rss_ctx_ring()
    https://git.kernel.org/netdev/net/c/f7ce5eb2cb79

You are awesome, thank you!
Patch

diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
index 64b61a8d426d..43952689bfb0 100644
--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
@@ -6151,6 +6151,9 @@  u16 bnxt_get_max_rss_ctx_ring(struct bnxt *bp)
 	u16 i, tbl_size, max_ring = 0;
 	struct bnxt_rss_ctx *rss_ctx;
 
+	if (!BNXT_SUPPORTS_MULTI_RSS_CTX(bp))
+		return 0;
+
 	tbl_size = bnxt_get_rxfh_indir_size(bp->dev);
 
 	list_for_each_entry(rss_ctx, &bp->rss_ctx_list, list) {
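
Review bot: The new early return in bnxt_get_max_rss_ctx_ring() guards only this one walker of bp->rss_ctx_list, while the commit message says the list head itself is left uninitialized when the chip or firmware lacks multiple RSS context support. Any other list_for_each_entry() over &bp->rss_ctx_list that can be reached on such hardware would fault the same way, so consider initializing the list head unconditionally at setup, so that an empty list is always safe to walk, and keeping this check only as a shortcut. If the check stays as the sole guard, a one-line comment above `if (!BNXT_SUPPORTS_MULTI_RSS_CTX(bp))` saying that rss_ctx_list is not initialized in that case would record why the return is needed here rather than letting the loop run over an empty list.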