From patchwork Fri Dec 2 18:25:04 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Reinette Chatre X-Patchwork-Id: 29054 Return-Path: Delivered-To: ouuuleilei@gmail.com Received: by 2002:adf:f944:0:0:0:0:0 with SMTP id q4csp1009628wrr; Fri, 2 Dec 2022 10:27:13 -0800 (PST) X-Google-Smtp-Source: AA0mqf6+NW2vEnyhajX6BnvA1PcSbx8OMdIdW1J+x3jXEk7jAyTUTbDxJXVWf36shuptYNrpqxU9 X-Received: by 2002:a63:4f25:0:b0:478:3376:5561 with SMTP id d37-20020a634f25000000b0047833765561mr20478329pgb.618.1670005632843; Fri, 02 Dec 2022 10:27:12 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1670005632; cv=none; d=google.com; s=arc-20160816; b=Bze398tDKPbCbAn32Wo2lsFYvli466KfFz3YyNemy+8pD6LaER8C6d75hO9TR5TVw3 jku79wmf/RH6GZAFoODp0yBRPj6rZr7SqmR2bIJnOoJzwjE6UaMFix+cPjccbVEiBgZI B36C0/3othDudUWq6Pt5a19ZnspAnFkZ5CNpkfY3zjRIf2qFrJur2xIReNbj89l/8992 FS9UnuhcbpOFoLv5bRWKvmw3js1PEIpgtNM9fyeT707KmtBity5V2xWJOb7Pjko/eyzr zkEClmdZzeciXDY2uTicojfHnkWvOpqU8WCQndx6JwwyZI1zgDoIfS9NeqG8JVUCSJYf b1/Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from :dkim-signature; bh=l1HxRbS84l67z0qMeUciNAryaCY2+g5SCxblioJJB9w=; b=y7mZ9dggdnQc9dq59RLuBryuKagaeM/V8nwn5R+ht9HIpYcjmAuuEttHojbmgEP9X6 /idGtUUm28h1chrqZbOSGstgpwc2VeKNbs9bwq05kWiLQcquINQw0y+zuH08fPVC6C87 Ss2ew8vYU9mksyJ3HdG+ntDDlwroLp+wP2+uY0x5ZwVcDTQZu854XDBoXe0Md5KieOvf kt/cjChcUE4uFDjXGG6vgyiAP47S0h5lODuDH/u/PSqKHZGaaGmqlAlgG/2GZVz0GDjm ahk//c4+uwtdhSnZiZVbACjKMNpd62ghsmdSrzH4SZTX6KSJs46VBX9MBu7zd4MIJ178 vMzg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@intel.com header.s=Intel header.b="b6JUWx/1"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=intel.com Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id a6-20020a170902900600b001898141f0edsi7378658plp.159.2022.12.02.10.26.59; Fri, 02 Dec 2022 10:27:12 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@intel.com header.s=Intel header.b="b6JUWx/1"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=intel.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234401AbiLBSZX (ORCPT + 99 others); Fri, 2 Dec 2022 13:25:23 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:56582 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S234385AbiLBSZQ (ORCPT ); Fri, 2 Dec 2022 13:25:16 -0500 Received: from mga06.intel.com (mga06b.intel.com [134.134.136.31]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 4334DD80DC; Fri, 2 Dec 2022 10:25:16 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1670005516; x=1701541516; h=from:to:cc:subject:date:message-id:in-reply-to: references:mime-version:content-transfer-encoding; bh=vHVG1zmi+voAUhJdqIebJ6t9QgESsGvpHFArjS4/Pac=; b=b6JUWx/1AQi4NkezOdtZCRUEb63rxL/HALnt0JmmWU5bSvpXiQnoL8/h 947Gkej4q61BI7TpTa1vr6PsSGWuR8w/nX9CLCHvHsulQhsVZSdFmblHt Q8qf7/q1Sxs5VJEhiLxZwZT8BeSOUO35EyB8SfmvMF+RxaWbuCE8qB3kv u6TsVaebWv7CF6+PwOIsxN9xZ1kKXVZGS1njQ8I3rrqhii38avwlxkH5S gUwUTtEAZgoenoOb25iKW8YNJ0iAid8rkONEhjkVKohPyltrsxYFnA2Ed Q8jsi5qzZcUHnAzId3gqIaBfM+3QBU0sKGDczufPmNu8OU4Exj6n4sov3 g==; X-IronPort-AV: E=McAfee;i="6500,9779,10549"; a="378166715" X-IronPort-AV: E=Sophos;i="5.96,213,1665471600"; d="scan'208";a="378166715" Received: from orsmga006.jf.intel.com ([10.7.209.51]) by orsmga104.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 02 Dec 2022 10:25:15 -0800 X-IronPort-AV: E=McAfee;i="6500,9779,10549"; a="622786436" X-IronPort-AV: E=Sophos;i="5.96,213,1665471600"; d="scan'208";a="622786436" Received: from rchatre-ws.ostc.intel.com ([10.54.69.144]) by orsmga006-auth.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 02 Dec 2022 10:25:15 -0800 From: Reinette Chatre To: fenghua.yu@intel.com, dave.jiang@intel.com, vkoul@kernel.org, dmaengine@vger.kernel.org Cc: linux-kernel@vger.kernel.org Subject: [PATCH 1/3] dmaengine: idxd: Let probe fail when workqueue cannot be enabled Date: Fri, 2 Dec 2022 10:25:04 -0800 Message-Id: <1e74e8d74255ff47271c4c9eada7635676ccd320.1670005163.git.reinette.chatre@intel.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 X-Spam-Status: No, score=-4.4 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_MED, SPF_HELO_NONE,SPF_NONE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?= X-GMAIL-THRID: =?utf-8?q?1751127826591091265?= X-GMAIL-MSGID: =?utf-8?q?1751127826591091265?= The workqueue is enabled when the appropriate driver is loaded and disabled when the driver is removed. When the driver is removed it assumes that the workqueue was enabled successfully and proceeds to free allocations made during workqueue enabling. Failure during workqueue enabling does not prevent the driver from being loaded. This is because the error path within drv_enable_wq() returns success unless a second failure is encountered during the error path. By returning success it is possible to load the driver even if the workqueue cannot be enabled and allocations that do not exist are attempted to be freed during driver remove. Some examples of problematic flows: (a) idxd_dmaengine_drv_probe() -> drv_enable_wq() -> idxd_wq_request_irq(): In above flow, if idxd_wq_request_irq() fails then idxd_wq_unmap_portal() is called on error exit path, but drv_enable_wq() returns 0 because idxd_wq_disable() succeeds. The driver is thus loaded successfully. idxd_dmaengine_drv_remove()->drv_disable_wq()->idxd_wq_unmap_portal() Above flow on driver unload triggers the WARN in devm_iounmap() because the device resource has already been removed during error path of drv_enable_wq(). (b) idxd_dmaengine_drv_probe() -> drv_enable_wq() -> idxd_wq_request_irq(): In above flow, if idxd_wq_request_irq() fails then idxd_wq_init_percpu_ref() is never called to initialize the percpu counter, yet the driver loads successfully because drv_enable_wq() returns 0. idxd_dmaengine_drv_remove()->__idxd_wq_quiesce()->percpu_ref_kill(): Above flow on driver unload triggers a BUG when attempting to drop the initial ref of the uninitialized percpu ref: BUG: kernel NULL pointer dereference, address: 0000000000000010 Fix the drv_enable_wq() error path by returning the original error that indicates failure of workqueue enabling. This ensures that the probe fails when an error is encountered and the driver remove paths are only attempted when the workqueue was enabled successfully. Fixes: 1f2bb40337f0 ("dmaengine: idxd: move wq_enable() to device.c") Signed-off-by: Reinette Chatre Reviewed-by: Dave Jiang Reviewed-by: Fenghua Yu --- drivers/dma/idxd/device.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/drivers/dma/idxd/device.c b/drivers/dma/idxd/device.c index 6f44fa8f78a5..fcd03d29a941 100644 --- a/drivers/dma/idxd/device.c +++ b/drivers/dma/idxd/device.c @@ -1391,8 +1391,7 @@ int drv_enable_wq(struct idxd_wq *wq) err_irq: idxd_wq_unmap_portal(wq); err_map_portal: - rc = idxd_wq_disable(wq, false); - if (rc < 0) + if (idxd_wq_disable(wq, false)) dev_dbg(dev, "wq %s disable failed\n", dev_name(wq_confdev(wq))); err: return rc; From patchwork Fri Dec 2 18:25:05 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Reinette Chatre X-Patchwork-Id: 29055 Return-Path: Delivered-To: ouuuleilei@gmail.com Received: by 2002:adf:f944:0:0:0:0:0 with SMTP id q4csp1009764wrr; Fri, 2 Dec 2022 10:27:31 -0800 (PST) X-Google-Smtp-Source: AA0mqf6T7c0mS/t+VeDQMWrtoz0wK3Pg2zqUHG14lQAlNoNTGaAWj4kB2FgxNQAgbuU0vfwHr3l1 X-Received: by 2002:a17:902:7006:b0:181:b55a:f987 with SMTP id y6-20020a170902700600b00181b55af987mr54638757plk.67.1670005650903; Fri, 02 Dec 2022 10:27:30 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1670005650; cv=none; d=google.com; s=arc-20160816; b=HOMyhMplpvRPLSQ4k/lTrJAeku7GriCFdLI8eUS8zZtuapg+8eQvqKfbpNhR7hBdiF ZbboOodHh7unnqYfISRWzQK53sCkEsoXm+q5AjKCX24St+ZpCk5uuO3i9vHEacw0qhIu 1ZzU1S5kqxp1j/FvAXNRPumA1emqUYQizak7IKpPafR9Kjasp7xGGS3dCkcDr0Nt6yWH uTzr33KT3SeOo/qjhd/itr38pV8w4dpWwEBeqHRCi4ZW6uFmf9UngkTUHXJ5sWqLA4hT l69KB4V4uuJjHJyyZgzJ4ZUbiPJhM5SzsxegPOFfxEr82NnnJzuLNJtIQ7g49s6x9y7p CRjg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from :dkim-signature; bh=Mlm/qZcDgWLpVIQrvlzHGIHntTSPIcW5VR6RR8YwBQE=; b=srvZgHb5Zx2rPr2vT3fOMasnb2Q5stmPSm6BtHGWg4Vy/am1XzG7Gy9mE1lcOo4n1n XppYAPGrMD1C6+tS47bBJ2L5nY8f07NtU48IQZ+ORkBrrwwqQdM4HU6VzAcf+mGyWxUu QZVIeMLYBbwYd384HsQl+d+7Haqi9VfhmrxIKwJF2YAAmhCoObAcX3ZeaXTdSAlFroJ+ zrHxKcaWJ16dGZUBZJ8MFTCd5TtXIw4ofLbpO+afAwbw1qiylC/GNqhTc8yUKzsvIVIl l83hhu8ZkVUlXTPaQLgvdZH2LJTC0LUtNb75fFXyImRjhDEtJyDQ5Sc9orj2Ml78Q37s 3bzA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@intel.com header.s=Intel header.b=hXSgSOnY; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=intel.com Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id a129-20020a636687000000b004781187a476si7429311pgc.578.2022.12.02.10.27.17; Fri, 02 Dec 2022 10:27:30 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@intel.com header.s=Intel header.b=hXSgSOnY; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=intel.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234422AbiLBSZZ (ORCPT + 99 others); Fri, 2 Dec 2022 13:25:25 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:56598 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S234295AbiLBSZS (ORCPT ); Fri, 2 Dec 2022 13:25:18 -0500 Received: from mga06.intel.com (mga06b.intel.com [134.134.136.31]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 6FEA1D968C; Fri, 2 Dec 2022 10:25:17 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1670005517; x=1701541517; h=from:to:cc:subject:date:message-id:in-reply-to: references:mime-version:content-transfer-encoding; bh=DcNpbgzbhgDxbBHlo+d3SX0ORto3+aP3skhZTZ4ZTMg=; b=hXSgSOnY4hP0HNGYRFAYldou87uKicvA3lblLscr6hfdAAB4PvYoG9qO Ix8sTKFK9zjYwZ7+2PuHerXYeL/RUpsMhn8n5NJkVdw1sznHTG6j4BJ5J La8xmHgxFuyDQOPjB7fBFSOZHCJlHQ+NAJPT/o6Ce1BgA570n9iPjyALW 8CIprwxS7Gt+ueeW4FR/3fHEGfcG1CHjFtUsk0r4dEIrQvzM6AcRT4PVm j9WNxFkemYV5PgZo3kp6HTs5ojxOfXOmLnOc3BIxcrbGFVRH3kHXC+b6U d9eRh8wcaRdd5WhrKNFOPZ3g24B52XsOGEe9/eBQq0DMuE6ZQVXdQWu7I w==; X-IronPort-AV: E=McAfee;i="6500,9779,10549"; a="378166719" X-IronPort-AV: E=Sophos;i="5.96,213,1665471600"; d="scan'208";a="378166719" Received: from orsmga006.jf.intel.com ([10.7.209.51]) by orsmga104.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 02 Dec 2022 10:25:15 -0800 X-IronPort-AV: E=McAfee;i="6500,9779,10549"; a="622786440" X-IronPort-AV: E=Sophos;i="5.96,213,1665471600"; d="scan'208";a="622786440" Received: from rchatre-ws.ostc.intel.com ([10.54.69.144]) by orsmga006-auth.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 02 Dec 2022 10:25:15 -0800 From: Reinette Chatre To: fenghua.yu@intel.com, dave.jiang@intel.com, vkoul@kernel.org, dmaengine@vger.kernel.org Cc: linux-kernel@vger.kernel.org Subject: [PATCH 2/3] dmaengine: idxd: Prevent use after free on completion memory Date: Fri, 2 Dec 2022 10:25:05 -0800 Message-Id: <96e5bcd4b97445227837c3a73e1a1abd93d26175.1670005163.git.reinette.chatre@intel.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 X-Spam-Status: No, score=-4.4 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_MED, SPF_HELO_NONE,SPF_NONE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?= X-GMAIL-THRID: =?utf-8?q?1751127844995646535?= X-GMAIL-MSGID: =?utf-8?q?1751127844995646535?= On driver unload any pending descriptors are flushed at the time the interrupt is freed: idxd_dmaengine_drv_remove() -> drv_disable_wq() -> idxd_wq_free_irq() -> idxd_flush_pending_descs(). If there are any descriptors present that need to be flushed this flow triggers a "not present" page fault as below: BUG: unable to handle page fault for address: ff391c97c70c9040 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page The address that triggers the fault is the address of the descriptor that was freed moments earlier via: drv_disable_wq()->idxd_wq_free_resources() Fix the use after free by freeing the descriptors after any possible usage. This is done after idxd_wq_reset() to ensure that the memory remains accessible during possible completion writes by the device. Fixes: 63c14ae6c161 ("dmaengine: idxd: refactor wq driver enable/disable operations") Suggested-by: Dave Jiang Signed-off-by: Reinette Chatre Reviewed-by: Dave Jiang Reviewed-by: Fenghua Yu --- drivers/dma/idxd/device.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/dma/idxd/device.c b/drivers/dma/idxd/device.c index fcd03d29a941..b4d7bb923a40 100644 --- a/drivers/dma/idxd/device.c +++ b/drivers/dma/idxd/device.c @@ -1408,11 +1408,11 @@ void drv_disable_wq(struct idxd_wq *wq) dev_warn(dev, "Clients has claim on wq %d: %d\n", wq->id, idxd_wq_refcount(wq)); - idxd_wq_free_resources(wq); idxd_wq_unmap_portal(wq); idxd_wq_drain(wq); idxd_wq_free_irq(wq); idxd_wq_reset(wq); + idxd_wq_free_resources(wq); percpu_ref_exit(&wq->wq_active); wq->type = IDXD_WQT_NONE; wq->client_count = 0; From patchwork Fri Dec 2 18:25:06 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Reinette Chatre X-Patchwork-Id: 29057 Return-Path: Delivered-To: ouuuleilei@gmail.com Received: by 2002:adf:f944:0:0:0:0:0 with SMTP id q4csp1009969wrr; Fri, 2 Dec 2022 10:28:06 -0800 (PST) X-Google-Smtp-Source: AA0mqf7rdcU+bzOT1yTsemRVE4Y20weU295RDhfyV3BbBpYV3pF28U6+/51O4IlFSsqsl+u96cYK X-Received: by 2002:a17:906:f8cc:b0:7ad:92fa:589e with SMTP id lh12-20020a170906f8cc00b007ad92fa589emr43968933ejb.668.1670005686311; Fri, 02 Dec 2022 10:28:06 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1670005686; cv=none; d=google.com; s=arc-20160816; b=cMzzC3ktfCHpAYPZuYo7OQ2grutijeU15WIdvIb1/f02MFkUEWAbS0oJeDTrIYtU7A LdYquixY3C0GEBzziJNpcHJbj3TZKDCzZ3wOMojbrjseCEUyfK6D70b85cSRo3i8hXGR U4L6AFymOT0FdNJhV5cn4JduBxuAnGRT38hdbCSJ48eyLNNR9UyIy3qZEQZwzeIWytdd HDhAruSFc64iR2EKqOE6nK8ChU4gVU2vr+qrdzDrENQ9eoEAT+72r8LXI1GSqDbMMObf SvrxOiUu66yHa82bTdQnE6Xmzk2MUHGw+sbLsBeRkAvB3Fxv1RFCgUPvfu0jbMoNHG2T wHQA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from :dkim-signature; bh=pFux7g0cPNGy81ZC3OE36XcaREIVtocdDJ7Rr6BEV6s=; b=shh7QrDoArt9ttCT62g+pNuklL2DdVWEOGMsNmV4Z+bqBP6awS3L0pITfz+w9QymLA 2AxKVR8oZsgiw0Kyaoze3KUeRrdDM67qVCrwwZJkOhBWk2uVHlKulVW+QxpZTOIY+vcb uDnUoiWi/UWC6GmdXFjVIv5+KiAH50LCV/q4JdY3+hRAHy5xCGRF9MOqi18g6TG+985f RXl3v00Noqdr2eCS86YZCKlVbK60ctpZbSMwk0EyWnIrcBC41YKB+3PA3IYkJ9BZ7/OQ oa1bK3ayb1KPyESJagRD4LNvIh4jeDuC2Rv+NhkyDWG1Hb3nol06QzMzJqqLnEuVgnoG E2lQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@intel.com header.s=Intel header.b=ZKI9AiDf; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=intel.com Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id z14-20020a05640240ce00b00468310367c5si965595edb.214.2022.12.02.10.27.42; Fri, 02 Dec 2022 10:28:06 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@intel.com header.s=Intel header.b=ZKI9AiDf; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=intel.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234433AbiLBSZ1 (ORCPT + 99 others); Fri, 2 Dec 2022 13:25:27 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:56606 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S234396AbiLBSZS (ORCPT ); Fri, 2 Dec 2022 13:25:18 -0500 Received: from mga06.intel.com (mga06b.intel.com [134.134.136.31]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 272B3D9697; Fri, 2 Dec 2022 10:25:18 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1670005518; x=1701541518; h=from:to:cc:subject:date:message-id:in-reply-to: references:mime-version:content-transfer-encoding; bh=HnbQEP+pYHTspRPq2P1wRPnq956BiDmItso67GhhB1k=; b=ZKI9AiDf/LSV3VGC4Pv/MMYR+rRIy0Qhi0VO/kRXW6URhXRe/J4I1ZgW 5US4uOlQJf8qIiVuKv6TCezXVdhkpd935Ji6uneVXhzCszkxQBpCrFNKO Cn7XOyFohbQ24ZQkjjwzlRLsyORGDvjbkDW5KrCErB6PTVg3QENlVsgfo pRbREkrlGZgG9CLDtrib9whDXDGChnHITiX0ZkNsWaE1vOhb44PzI88pS /aBqTIjOoWENC2sz2UsHbcwjDvV5V+tWtWbmhROE/QrVoGU+hVlYYAljG V81+uWjrveRVYsUJ77Xx4LaNnpDDFpIPyrMQWMc71lBNhRahPDBw02OER A==; X-IronPort-AV: E=McAfee;i="6500,9779,10549"; a="378166724" X-IronPort-AV: E=Sophos;i="5.96,213,1665471600"; d="scan'208";a="378166724" Received: from orsmga006.jf.intel.com ([10.7.209.51]) by orsmga104.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 02 Dec 2022 10:25:15 -0800 X-IronPort-AV: E=McAfee;i="6500,9779,10549"; a="622786443" X-IronPort-AV: E=Sophos;i="5.96,213,1665471600"; d="scan'208";a="622786443" Received: from rchatre-ws.ostc.intel.com ([10.54.69.144]) by orsmga006-auth.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 02 Dec 2022 10:25:15 -0800 From: Reinette Chatre To: fenghua.yu@intel.com, dave.jiang@intel.com, vkoul@kernel.org, dmaengine@vger.kernel.org Cc: linux-kernel@vger.kernel.org Subject: [PATCH 3/3] dmaengine: idxd: Do not call DMX TX callbacks during workqueue disable Date: Fri, 2 Dec 2022 10:25:06 -0800 Message-Id: <93b5d144bfc16e0c0f640d5f7cfaeda6bf08753f.1670005163.git.reinette.chatre@intel.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 X-Spam-Status: No, score=-4.4 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_MED, SPF_HELO_NONE,SPF_NONE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?= X-GMAIL-THRID: =?utf-8?q?1751127882543104979?= X-GMAIL-MSGID: =?utf-8?q?1751127882543104979?= On driver unload any pending descriptors are flushed and pending DMA descriptors are explicitly completed: idxd_dmaengine_drv_remove() -> drv_disable_wq() -> idxd_wq_free_irq() -> idxd_flush_pending_descs() -> idxd_dma_complete_txd() With this done during driver unload any remaining descriptor is likely stuck and can be dropped. Even so, the descriptor may still have a callback set that could no longer be accessible. An example of such a problem is when the dmatest fails and the dmatest module is unloaded. The failure of dmatest leaves descriptors with dma_async_tx_descriptor::callback pointing to code that no longer exist. This causes a page fault as below at the time the IDXD driver is unloaded when it attempts to run the callback: BUG: unable to handle page fault for address: ffffffffc0665190 #PF: supervisor instruction fetch in kernel mode #PF: error_code(0x0010) - not-present page Fix this by clearing the callback pointers on the transmit descriptors only when workqueue is disabled. Signed-off-by: Reinette Chatre Reviewed-by: Dave Jiang Reviewed-by: Fenghua Yu --- History of refactoring made the Fixes: hard to identify by me. drivers/dma/idxd/device.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/drivers/dma/idxd/device.c b/drivers/dma/idxd/device.c index b4d7bb923a40..2ac71a34fa34 100644 --- a/drivers/dma/idxd/device.c +++ b/drivers/dma/idxd/device.c @@ -1156,6 +1156,7 @@ int idxd_device_load_config(struct idxd_device *idxd) static void idxd_flush_pending_descs(struct idxd_irq_entry *ie) { + struct dma_async_tx_descriptor *tx; struct idxd_desc *desc, *itr; struct llist_node *head; LIST_HEAD(flist); @@ -1175,6 +1176,15 @@ static void idxd_flush_pending_descs(struct idxd_irq_entry *ie) list_for_each_entry_safe(desc, itr, &flist, list) { list_del(&desc->list); ctype = desc->completion->status ? IDXD_COMPLETE_NORMAL : IDXD_COMPLETE_ABORT; + /* + * wq is being disabled. Any remaining descriptors are + * likely to be stuck and can be dropped. callback could + * point to code that is no longer accessible, for example + * if dmatest module has been unloaded. + */ + tx = &desc->txd; + tx->callback = NULL; + tx->callback_result = NULL; idxd_dma_complete_txd(desc, ctype, true); } }