From 3098ac39630c8908fb13cd3137a4629c04df9fe3 Mon Sep 17 00:00:00 2001 From: Simon Horman Date: Thu, 21 May 2015 12:40:14 +0900 Subject: [PATCH] rocker: do not delete fdb entries in rocker_port_fdb_flush() when preparing transactions rocker_port_fdb_flush() is called by rocker_port_stp_update() which in turn may be called with trans == SWITCHDEV_TRANS_PREPARE and then trans == SWITCHDEV_TRANS_COMMIT from switchdev_port_attr_set() via br_set_state(). When rocker_port_fdb_flush() is called with trans == SWITCHDEV_TRANS_PREPARE it calls rocker_port_fdb_learn() for each entry in the FDB table which in turn calls rocker_flow_tbl_bridge() which will allocate memory using rocker_port_kzalloc(). rocker_port_fdb_learn() will then remove the entry from the FDB table. Then when rocker_port_fdb_learn() is called with trans == SWITCHDEV_TRANS_PREPARE no calls are made to rocker_port_fdb_learn() because there are no longer any entries present in the FDB table. Thus the memory previously allocated by rocker_port_fdb_learn() is leaked resulting in the kernel BUG() below. Furthermore, it looks like the driver ends up with an incorrect view of the fdb table as the FDB entries are purged from the driver's table but not the hardware's table. ip link add br0 type bridge ip link set up dev eth0 sleep 1 ip link set dev eth0 master br0 [ 3.704360] ------------[ cut here ]------------ [ 3.704611] kernel BUG at drivers/net/ethernet/rocker/rocker.c:4289! [ 3.704962] invalid opcode: 0000 [#1] SMP [ 3.705537] Modules linked in: [ 3.705919] CPU: 0 PID: 63 Comm: ip Not tainted 4.1.0-rc3-01046-gb9fbe709de4d #1044 [ 3.706191] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.8.0-0-g4c59f5d-20150219_092859-nilsson.home.kraxel.org 04/01/2014 [ 3.706820] task: ffff880019f70150 ti: ffff88001f92c000 task.ti: ffff88001f92c000 [ 3.707138] RIP: 0010:[] [] rocker_port_attr_set+0xe0/0xf0 [ 3.707990] RSP: 0018:ffff88001f92f808 EFLAGS: 00000212 [ 3.708200] RAX: ffff880019d4fa68 RBX: ffff880019d4f000 RCX: 0000000000000000 [ 3.708471] RDX: 000000000000000c RSI: ffff88001f92f890 RDI: ffff880019d4f680 [ 3.708740] RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000004 [ 3.708999] R10: ffff880000034024 R11: 0000000000000000 R12: ffff88001f92f890 [ 3.709276] R13: ffff88001f8f1c00 R14: 000000000000000b R15: 0000000000000000 [ 3.709303] FS: 00007f8ab66bd700(0000) GS:ffff88001b000000(0000) knlGS:0000000000000000 [ 3.709303] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 3.709303] CR2: 0000000000654988 CR3: 000000001f8f3000 CR4: 00000000000006b0 [ 3.709303] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 3.709303] DR3: 0000000000000000 DR6: 0000000000000000 DR7: 0000000000000000 [ 3.709303] Stack: [ 3.709303] ffff88001f8f1c00 000000000000000b ffff88001f92f890 ffff880019d4f000 [ 3.709303] ffff88001f92f890 ffffffff813332f5 ffff88001f92f880 0000000000000000 [ 3.709303] ffff88001f92f890 0000000000000001 ffff880019d4f000 ffffffff81333627 [ 3.709303] Call Trace: [ 3.709303] [] ? __switchdev_port_attr_set+0x25/0x90 [ 3.709303] [] ? switchdev_port_attr_set+0x27/0x120 [ 3.709303] [] ? br_set_state+0x36/0x50 [ 3.709303] [] ? br_add_if+0x37c/0x400 [ 3.709303] [] ? do_setlink+0x7e1/0x800 [ 3.709303] [] ? radix_tree_lookup_slot+0x10/0x30 [ 3.709303] [] ? nla_parse+0xaa/0x110 [ 3.709303] [] ? rtnl_newlink+0x548/0x870 [ 3.709303] [] ? __radix_tree_lookup+0x40/0xb0 [ 3.709303] [] ? nla_parse+0x2e/0x110 [ 3.709303] [] ? rtnetlink_rcv_msg+0x7e/0x250 [ 3.709303] [] ? __skb_recv_datagram+0xfe/0x4b0 [ 3.709303] [] ? rtnetlink_rcv+0x30/0x30 [ 3.709303] [] ? netlink_rcv_skb+0xa8/0xd0 [ 3.709303] [] ? rtnetlink_rcv+0x1f/0x30 [ 3.709303] [] ? netlink_unicast+0x150/0x200 [ 3.709303] [] ? netlink_sendmsg+0x374/0x3e0 [ 3.709303] [] ? sock_sendmsg+0xf/0x30 [ 3.709303] [] ? ___sys_sendmsg+0x1f3/0x200 [ 3.709303] [] ? ___sys_recvmsg+0x105/0x140 [ 3.709303] [] ? dev_get_by_name_rcu+0x69/0x90 [ 3.709303] [] ? dev_get_by_name_rcu+0x69/0x90 [ 3.709303] [] ? skb_dequeue+0x4d/0x60 [ 3.709303] [] ? skb_queue_purge+0x20/0x30 [ 3.709303] [] ? __inode_wait_for_writeback+0x5f/0xb0 [ 3.709303] [] ? autoremove_wake_function+0x30/0x30 [ 3.709303] [] ? __sys_sendmsg+0x39/0x70 [ 3.709303] [] ? system_call_fastpath+0x12/0x6a [ 3.709303] Code: bb 90 06 00 00 48 c7 04 24 00 00 00 00 45 31 c9 45 31 c0 48 c7 c1 c0 b7 1e 81 89 ea e8 da da ff ff eb 95 0f 1f 84 00 00 00 00 00 <0f> 0b 66 66 66 66 66 2e 0f 1f 84 00 00 00 00 00 48 83 fe 15 75 [ 3.709303] RIP [] rocker_port_attr_set+0xe0/0xf0 [ 3.709303] RSP [ 3.721409] ---[ end trace b7481fcb7cb032aa ]--- Segmentation fault Fixes: c4f20321d968 ("rocker: support prepare-commit transaction model") Acked-by: Scott Feldman Acked-by: Jiri Pirko Signed-off-by: Simon Horman Signed-off-by: David S. Miller --- drivers/net/ethernet/rocker/rocker.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/net/ethernet/rocker/rocker.c b/drivers/net/ethernet/rocker/rocker.c index 0f5e962d691c..ce1bfab077a7 100644 --- a/drivers/net/ethernet/rocker/rocker.c +++ b/drivers/net/ethernet/rocker/rocker.c @@ -3658,7 +3658,8 @@ static int rocker_port_fdb_flush(struct rocker_port *rocker_port, found->key.vlan_id); if (err) goto err_out; - hash_del(&found->entry); + if (trans != SWITCHDEV_TRANS_PREPARE) + hash_del(&found->entry); } err_out: -- 2.39.5