From patchwork Wed Dec 7 22:52:20 2022
X-Patchwork-Submitter: Reinette Chatre
X-Patchwork-Id: 31080
From: Reinette Chatre
To: fenghua.yu@intel.com, dave.jiang@intel.com, vkoul@kernel.org, dmaengine@vger.kernel.org
Cc: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Subject: [PATCH V2 1/3] dmaengine: idxd: Let probe fail when workqueue cannot be enabled
Date: Wed, 7 Dec 2022 14:52:20 -0800

The workqueue is enabled when the appropriate driver is loaded and
disabled when the driver is removed. When the driver is removed it
assumes that the workqueue was enabled successfully and proceeds to
free allocations made during workqueue enabling.

Failure during workqueue enabling does not prevent the driver from
being loaded. This is because the error path within drv_enable_wq()
returns success unless a second failure is encountered during the
error path. By returning success it is possible to load the driver
even if the workqueue cannot be enabled and allocations that do not
exist are attempted to be freed during driver remove.

Some examples of problematic flows:

(a)

 idxd_dmaengine_drv_probe() -> drv_enable_wq() -> idxd_wq_request_irq():
 In above flow, if idxd_wq_request_irq() fails then
 idxd_wq_unmap_portal() is called on error exit path, but
 drv_enable_wq() returns 0 because idxd_wq_disable() succeeds. The
 driver is thus loaded successfully.

 idxd_dmaengine_drv_remove()->drv_disable_wq()->idxd_wq_unmap_portal()
 Above flow on driver unload triggers the WARN in devm_iounmap() because
 the device resource has already been removed during error path of
 drv_enable_wq().

(b)

 idxd_dmaengine_drv_probe() -> drv_enable_wq() -> idxd_wq_request_irq():
 In above flow, if idxd_wq_request_irq() fails then
 idxd_wq_init_percpu_ref() is never called to initialize the percpu
 counter, yet the driver loads successfully because drv_enable_wq()
 returns 0.

 idxd_dmaengine_drv_remove()->__idxd_wq_quiesce()->percpu_ref_kill():
 Above flow on driver unload triggers a BUG when attempting to drop the
 initial ref of the uninitialized percpu ref:

 BUG: kernel NULL pointer dereference, address: 0000000000000010

Fix the drv_enable_wq() error path by returning the original error that
indicates failure of workqueue enabling. This ensures that the probe
fails when an error is encountered and the driver remove paths are only
attempted when the workqueue was enabled successfully.

Fixes: 1f2bb40337f0 ("dmaengine: idxd: move wq_enable() to device.c")
Signed-off-by: Reinette Chatre
Reviewed-by: Dave Jiang
Reviewed-by: Fenghua Yu
Cc: stable@vger.kernel.org
---
Changes since V1:
- Add Dave and Fenghua's Reviewed-by tags.
- Cc to stable team (Fenghua).

 drivers/dma/idxd/device.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/drivers/dma/idxd/device.c b/drivers/dma/idxd/device.c index 6f44fa8f78a5..fcd03d29a941 100644 --- a/drivers/dma/idxd/device.c +++ b/drivers/dma/idxd/device.c
@@ -1391,8 +1391,7 @@ int drv_enable_wq(struct idxd_wq *wq) err_irq: idxd_wq_unmap_portal(wq); err_map_portal: - rc = idxd_wq_disable(wq, false); - if (rc < 0) + if (idxd_wq_disable(wq, false)) dev_dbg(dev, "wq %s disable failed\n", dev_name(wq_confdev(wq))); err: return rc;
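
Review bot: With the return value of idxd_wq_disable() no longer stored, the err_map_portal path discards the reason the disable failed and reports it only through dev_dbg(), which is off by default. Since this message means the probe is failing and the wq could not be disabled again, consider keeping the disable result in a separate local (so rc still carries the original error) and printing it in the "wq %s disable failed" message at dev_warn() level. The test also changed from rc < 0 to any non-zero value; that is fine as long as idxd_wq_disable() only returns 0 or a negative errno, which is worth confirming.
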
From patchwork Wed Dec 7 22:52:21 2022
X-Patchwork-Submitter: Reinette Chatre
X-Patchwork-Id: 31083
From: Reinette Chatre
To: fenghua.yu@intel.com, dave.jiang@intel.com, vkoul@kernel.org, dmaengine@vger.kernel.org
Cc: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Subject: [PATCH V2 2/3] dmaengine: idxd: Prevent use after free on completion memory
Date: Wed, 7 Dec 2022 14:52:21 -0800
Message-Id: <6c4657d9cff0a0a00501a7b928297ac966e9ec9d.1670452419.git.reinette.chatre@intel.com>

On driver unload any pending descriptors are flushed at the
time the interrupt is freed:

 idxd_dmaengine_drv_remove() -> drv_disable_wq() -> idxd_wq_free_irq() -> idxd_flush_pending_descs().

If there are any descriptors present that need to be flushed this
flow triggers a "not present" page fault as below:

 BUG: unable to handle page fault for address: ff391c97c70c9040
 #PF: supervisor read access in kernel mode
 #PF: error_code(0x0000) - not-present page

The address that triggers the fault is the address of the
descriptor that was freed moments earlier via:

 drv_disable_wq()->idxd_wq_free_resources()

Fix the use after free by freeing the descriptors after any possible
usage. This is done after idxd_wq_reset() to ensure that the memory
remains accessible during possible completion writes by the device.

Fixes: 63c14ae6c161 ("dmaengine: idxd: refactor wq driver enable/disable operations")
Suggested-by: Dave Jiang
Signed-off-by: Reinette Chatre
Reviewed-by: Dave Jiang
Reviewed-by: Fenghua Yu
Cc: stable@vger.kernel.org
---
Changes since V1:
- Add Dave and Fenghua's Reviewed-by tags.
- cc stable team (Fenghua).

 drivers/dma/idxd/device.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/dma/idxd/device.c b/drivers/dma/idxd/device.c index fcd03d29a941..b4d7bb923a40 100644 --- a/drivers/dma/idxd/device.c +++ b/drivers/dma/idxd/device.c
@@ -1408,11 +1408,11 @@ void drv_disable_wq(struct idxd_wq *wq) dev_warn(dev, "Clients has claim on wq %d: %d\n", wq->id, idxd_wq_refcount(wq)); - idxd_wq_free_resources(wq); idxd_wq_unmap_portal(wq); idxd_wq_drain(wq); idxd_wq_free_irq(wq); idxd_wq_reset(wq); + idxd_wq_free_resources(wq); percpu_ref_exit(&wq->wq_active); wq->type = IDXD_WQT_NONE; wq->client_count = 0;
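
Review bot: Nothing at the new position of idxd_wq_free_resources(wq) records why it has to come after idxd_wq_free_irq(wq) and idxd_wq_reset(wq), so a later cleanup could move it back up and reintroduce the use after free. A short comment above the call, stating that descriptor and completion memory must stay allocated until pending descriptors have been flushed and the device has been reset, would keep the ordering constraint visible in the code rather than only in the commit message.
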
From patchwork Wed Dec 7 22:52:22 2022
X-Patchwork-Submitter: Reinette Chatre
X-Patchwork-Id: 31082
From: Reinette Chatre
To: fenghua.yu@intel.com, dave.jiang@intel.com, vkoul@kernel.org, dmaengine@vger.kernel.org
Cc: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Subject: [PATCH V2 3/3] dmaengine: idxd: Do not call DMX TX callbacks during workqueue disable
Date: Wed, 7 Dec 2022 14:52:22 -0800
Message-Id: <37d06b772aa7f8863ca50f90930ea2fd80b38fc3.1670452419.git.reinette.chatre@intel.com>

On driver unload any pending descriptors are flushed and pending
DMA descriptors are explicitly completed:

 idxd_dmaengine_drv_remove() -> drv_disable_wq() -> idxd_wq_free_irq() -> idxd_flush_pending_descs() -> idxd_dma_complete_txd()

With this done during driver unload any remaining descriptor is
likely stuck and can be dropped. Even so, the descriptor may still
have a callback set that could no longer be accessible. An
example of such a problem is when the dmatest fails and the dmatest
module is unloaded. The failure of dmatest leaves descriptors with
dma_async_tx_descriptor::callback pointing to code that no longer
exists. This causes a page fault as below at the time the IDXD driver
is unloaded when it attempts to run the callback:

 BUG: unable to handle page fault for address: ffffffffc0665190
 #PF: supervisor instruction fetch in kernel mode
 #PF: error_code(0x0010) - not-present page

Fix this by clearing the callback pointers on the transmit
descriptors only when workqueue is disabled.

Fixes: 403a2e236538 ("dmaengine: idxd: change MSIX allocation based on per wq activation")
Signed-off-by: Reinette Chatre
Reviewed-by: Dave Jiang
Reviewed-by: Fenghua Yu
Cc: stable@vger.kernel.org
---
Changes since V1:
- Add Dave and Fenghua's Reviewed-by tags.
- Cc stable team (Fenghua).
- Move declaration local to block needing it (Fenghua).
- Add appropriate Fixes tag (Fenghua).

 drivers/dma/idxd/device.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/drivers/dma/idxd/device.c b/drivers/dma/idxd/device.c index b4d7bb923a40..6d8ff664fdfb 100644 --- a/drivers/dma/idxd/device.c +++ b/drivers/dma/idxd/device.c @@ -1173,8 +1173,19 @@ static void idxd_flush_pending_descs(struct idxd_irq_entry *ie) spin_unlock(&ie->list_lock); list_for_each_entry_safe(desc, itr, &flist, list) { + struct dma_async_tx_descriptor *tx; + list_del(&desc->list); ctype = desc->completion->status ? IDXD_COMPLETE_NORMAL : IDXD_COMPLETE_ABORT; + /* + * wq is being disabled. Any remaining descriptors are + * likely to be stuck and can be dropped. callback could + * point to code that is no longer accessible, for example + * if dmatest module has been unloaded. + */ + tx = &desc->txd; + tx->callback = NULL; + tx->callback_result = NULL; idxd_dma_complete_txd(desc, ctype, true); } }
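
Review bot: Clearing tx->callback and tx->callback_result in the loop applies to every descriptor on flist, including those whose client is still loaded, so such a client is never told its transfer was aborted even though ctype is still computed and passed to idxd_dma_complete_txd(). The in-loop comment justifies this with "wq is being disabled", but nothing in idxd_flush_pending_descs() itself enforces that; a function-level comment stating that it is only reached from the wq disable path would guard against a future caller silently losing callbacks. The tx local could also be dropped in favour of assigning desc->txd.callback and desc->txd.callback_result directly.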