linux/drivers
Daniel Borkmann b5b2ffc057 ixgbe: fix use after free adapter->state test in ixgbe_remove/ixgbe_probe
While working on a different issue, I noticed an annoying use
after free bug on my machine when unloading the ixgbe driver:

[ 8642.318797] ixgbe 0000:02:00.1: removed PHC on p2p2
[ 8642.742716] ixgbe 0000:02:00.1: complete
[ 8642.743784] BUG: unable to handle kernel paging request at ffff8807d3740a90
[ 8642.744828] IP: [<ffffffffa01c77dc>] ixgbe_remove+0xfc/0x1b0 [ixgbe]
[ 8642.745886] PGD 20c6067 PUD 81c1f6067 PMD 81c15a067 PTE 80000007d3740060
[ 8642.746956] Oops: 0002 [#1] SMP DEBUG_PAGEALLOC
[ 8642.748039] Modules linked in: [...]
[ 8642.752929] CPU: 1 PID: 1225 Comm: rmmod Not tainted 3.18.0-rc2+ #49
[ 8642.754203] Hardware name: Supermicro X10SLM-F/X10SLM-F, BIOS 1.1b 11/01/2013
[ 8642.755505] task: ffff8807e34d3fe0 ti: ffff8807b7204000 task.ti: ffff8807b7204000
[ 8642.756831] RIP: 0010:[<ffffffffa01c77dc>]  [<ffffffffa01c77dc>] ixgbe_remove+0xfc/0x1b0 [ixgbe]
[...]
[ 8642.774335] Stack:
[ 8642.775805]  ffff8807ee824098 ffff8807ee824098 ffffffffa01f3000 ffff8807ee824000
[ 8642.777326]  ffff8807b7207e18 ffffffff8137720f ffff8807ee824098 ffff8807ee824098
[ 8642.778848]  ffffffffa01f3068 ffff8807ee8240f8 ffff8807b7207e38 ffffffff8144180f
[ 8642.780365] Call Trace:
[ 8642.781869]  [<ffffffff8137720f>] pci_device_remove+0x3f/0xc0
[ 8642.783395]  [<ffffffff8144180f>] __device_release_driver+0x7f/0xf0
[ 8642.784876]  [<ffffffff814421f8>] driver_detach+0xb8/0xc0
[ 8642.786352]  [<ffffffff814414a9>] bus_remove_driver+0x59/0xe0
[ 8642.787783]  [<ffffffff814429d0>] driver_unregister+0x30/0x70
[ 8642.789202]  [<ffffffff81375c65>] pci_unregister_driver+0x25/0xa0
[ 8642.790657]  [<ffffffffa01eb38e>] ixgbe_exit_module+0x1c/0xc8e [ixgbe]
[ 8642.792064]  [<ffffffff810f93a2>] SyS_delete_module+0x132/0x1c0
[ 8642.793450]  [<ffffffff81012c61>] ? do_notify_resume+0x61/0xa0
[ 8642.794837]  [<ffffffff816d2029>] system_call_fastpath+0x12/0x17

The issue is that test_and_set_bit() done on adapter->state is being
performed *after* the netdevice has been freed via free_netdev().

When netdev is being allocated on initialization time, it allocates
a private area, here struct ixgbe_adapter, that resides after the
net_device structure. In ixgbe_probe(), the device init routine,
we set up the adapter after alloc_etherdev_mq() on the private area
and add a reference for the pci_dev as well via pci_set_drvdata().

Both in the error path of ixgbe_probe(), but also on module unload
when ixgbe_remove() is being called, commit 41c62843eb ("ixgbe:
Fix rcu warnings induced by LER") accesses adapter after free_netdev().
The patch stores the result in a bool and thus fixes above oops on my
side.

Fixes: 41c62843eb ("ixgbe: Fix rcu warnings induced by LER")
Cc: stable <stable@vger.kernel.org>
Cc: Mark Rustad <mark.d.rustad@intel.com>
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2014-11-23 14:26:12 -05:00
..
accessibility
acpi ACPI / PM: Ignore wakeup setting if the ACPI companion can't wake up 2014-11-20 01:24:16 +01:00
amba PM / Domains: Move dev_pm_domain_attach|detach() to pm_domain.h 2014-09-30 01:16:44 +02:00
ata ahci: fix AHCI parameters not taken into account 2014-11-04 12:56:25 -05:00
atm atm: simplify lanai.c by using module_pci_driver 2014-10-17 11:55:32 -04:00
auxdisplay
base Merge branches 'pm-domains', 'pm-sleep' and 'pm-cpufreq' 2014-11-14 15:17:32 +01:00
bcma bcma: add another PCI ID of device with BCM43228 2014-10-23 14:02:06 -04:00
block zram: avoid kunmap_atomic() of a NULL pointer 2014-11-13 16:17:05 -08:00
bluetooth Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2014-10-13 11:28:42 +02:00
bus ARM: SoC driver updates for 3.18 2014-10-08 17:37:16 -04:00
cdrom
char virtio: bugfix for 3.18 2014-11-13 18:07:52 -08:00
clk The clk tree changes for 3.18 are dominated by clock drivers. Mostly 2014-10-15 07:05:03 +02:00
clocksource ARM/ARM64: arch-timer: fix arch_timer_probed logic 2014-10-26 20:50:00 +01:00
connector
cpufreq cpufreq: Avoid crash in resume on SMP without OPP 2014-11-08 02:10:04 +01:00
cpuidle Merge branch 'upstream' of git://git.linux-mips.org/pub/scm/ralf/upstream-linus 2014-10-24 12:48:47 -07:00
crypto crypto: caam - fix missing dma unmap on error path 2014-11-06 23:10:20 +08:00
dca
devfreq PM / devfreq: exynos: Enable building exynos PPMU as module 2014-09-29 20:22:36 +09:00
dio
dma Merge branch 'fixes' of git://git.infradead.org/users/vkoul/slave-dma 2014-11-21 16:24:27 -08:00
dma-buf dma-buf: don't open-code atomic_long_read() 2014-10-09 02:39:07 -04:00
edac e7xxx_edac: Report CE events properly 2014-10-22 22:59:00 +02:00
eisa
extcon
firewire firewire: cdev: prevent kernel stack leaking into ioctl arguments 2014-11-14 12:10:13 +01:00
firmware Merge branch 'x86-efi-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2014-10-23 14:45:09 -07:00
fmc
gpio This is the bulk of GPIO changes for the v3.18 development 2014-10-09 14:58:15 -04:00
gpu Merge branch 'drm-fixes-3.18' of git://people.freedesktop.org/~agd5f/linux into drm-fixes 2014-11-21 12:19:19 +10:00
hid Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/hid 2014-11-13 16:19:14 -08:00
hsi
hv
hwmon hwmon: (fam15h_power) Fix NB device ID for F16h M30h 2014-11-11 10:39:45 -08:00
hwspinlock
i2c i2c: core: Dispose OF IRQ mapping at client removal time 2014-11-07 19:03:18 +01:00
ide Merge branch 'for-3.18/drivers' of git://git.kernel.dk/linux-block 2014-10-18 12:12:45 -07:00
idle
iio iio: as3935: allocate correct iio_device size 2014-11-05 18:33:46 +00:00
infiniband Merge git://git.kernel.org/pub/scm/linux/kernel/git/nab/target-pending 2014-11-21 16:28:45 -08:00
input Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input 2014-11-14 14:31:54 -08:00
iommu IOMMU Updates for Linux v3.18 2014-10-15 07:23:49 +02:00
ipack
irqchip irqchip: armada-370-xp: Fix MPIC interrupt handling 2014-11-02 01:31:10 +00:00
isdn isdn/gigaset: fix usb_gigaset write_cmd result race 2014-10-14 15:05:35 -04:00
leds Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/cooloney/linux-leds 2014-10-21 08:18:38 -07:00
lguest
macintosh powerpc: Move via-cuda symbol exports next to function definitions 2014-09-25 23:14:37 +10:00
mailbox Merge branch 'mailbox-for-linus' of git://git.linaro.org/landing-teams/working/fujitsu/integration 2014-10-21 11:21:19 -07:00
mcb
md One fix for md for 3.18. 2014-11-16 15:34:31 -08:00
media [media] sp2: sp2_init() can be static 2014-11-03 19:08:06 -02:00
memory
memstick memstick: r592: fix build warnings for !PM_SLEEP 2014-10-14 02:18:22 +02:00
message SCSI for-linus on 20141007 2014-10-07 21:29:18 -04:00
mfd mfd: twl4030-power: Fix poweroff with PM configuration enabled 2014-11-10 15:22:04 +00:00
misc cxl: Fix PSL error due to duplicate segment table entries 2014-10-28 19:52:52 +11:00
mmc mmc: core: fix card detection regression 2014-11-05 09:28:48 +01:00
mtd Three main MTD fixes for 3.18: 2014-11-02 14:45:52 -08:00
net ixgbe: fix use after free adapter->state test in ixgbe_remove/ixgbe_probe 2014-11-23 14:26:12 -05:00
nfc Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless 2014-10-07 14:48:29 -04:00
ntb ntb: Adding split BAR support for Haswell platforms 2014-10-17 07:08:51 -04:00
nubus
of of/selftest: Fix testing when /aliases is missing 2014-11-20 15:32:49 +00:00
oprofile
parisc Merge branch 'sched-core-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2014-10-13 16:23:15 +02:00
parport
pci PCI updates for v3.18: 2014-11-21 16:36:42 -08:00
pcmcia
phy phy: omap-usb2: Enable runtime PM of omap-usb2 phy properly 2014-11-05 14:34:06 -08:00
pinctrl pinctrl: baytrail: show output gpio state correctly on Intel Baytrail 2014-10-28 11:16:26 +01:00
platform platform: hp_accel: Add SERIO_I8042 as a dependency since it now includes i8042.h/serio.h 2014-11-10 21:16:15 -08:00
pnp PNP: replace strnicmp with strncasecmp 2014-10-14 02:18:25 +02:00
power power supply and reset changes for the v3.18-rc 2014-11-15 15:22:51 -08:00
powercap
pps
ps3
ptp
pwm pwm: Changes for v3.18-rc1 2014-10-21 08:17:43 -07:00
rapidio
ras
regulator Merge remote-tracking branches 'regulator/fix/max1586', 'regulator/fix/max77686', 'regulator/fix/max77693', 'regulator/fix/max77802', 'regulator/fix/max8860' and 'regulator/fix/s2mpa01' into regulator-linus 2014-11-05 14:59:25 +00:00
remoteproc
reset
rpmsg
rtc drivers/rtc/rtc-bq32k.c: fix register value 2014-10-29 16:33:14 -07:00
s390 KVM: s390: virtio_ccw: remove unused variable 2014-11-03 10:43:00 +01:00
sbus
scsi Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2014-11-21 17:20:36 -08:00
sfi
sh
sn
soc soc: versatile: Add terminating entry for realview_soc_of_match 2014-10-28 22:05:07 +01:00
spi Merge remote-tracking branches 'spi/fix/fsl-dspi' and 'spi/fix/pxa2xx' into spi-linus 2014-11-06 12:58:46 +00:00
spmi
ssb This is the bulk of GPIO changes for the v3.18 development 2014-10-09 14:58:15 -04:00
staging Second round of IIO fixes for the 3.18 cycle. 2014-11-05 11:30:45 -08:00
target target: return CONFLICT only when SA key unmatched 2014-11-02 22:04:57 -08:00
tc
thermal imx: thermal: imx_get_temp might be called before sensor clock is prepared 2014-11-09 15:42:53 -04:00
thunderbolt
tty tty: Fix pty master poll() after slave closes v2 2014-11-06 12:23:36 -08:00
uio uio: Export definition of struct uio_device 2014-10-02 21:35:54 -07:00
usb USB: cdc-acm: add quirk for control-line state requests 2014-11-06 12:25:40 -08:00
uwb
vfio IOMMU Updates for Linux v3.18 2014-10-15 07:23:49 +02:00
vhost vhost-scsi: Take configfs group dependency during VHOST_SCSI_SET_ENDPOINT 2014-10-28 13:54:16 -07:00
video Merge branch '3.18/omapdss-fixes' into 3.18/fbdev-fixes 2014-10-30 14:53:49 +02:00
virt
virtio One cc: stable commit, the rest are a series of minor cleanups which have 2014-10-18 10:25:09 -07:00
vlynq
vme
w1
watchdog watchdog: meson: remove magic value for reboot 2014-10-20 21:09:17 +02:00
xen xen/pci: Allocate memory for physdev_pci_device_add's optarr 2014-10-23 16:24:02 +01:00
zorro
Kconfig soc: ti: add Keystone Navigator QMSS driver 2014-09-24 09:49:14 -04:00
Makefile