]> git.baikalelectronics.ru Git - kernel.git/commit
projects / kernel.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 580a41a) | patch
net: atlantic: invert deep par in pm functions, preventing null derefs
authorManuel Ullmann <labre@posteo.de>
Sun, 17 Apr 2022 22:20:01 +0000 (00:20 +0200)
committerDavid S. Miller <davem@davemloft.net>
Mon, 18 Apr 2022 12:34:36 +0000 (13:34 +0100)
commitb75b2b7744d39671489b444888ba005b55404598
tree4bdf86010b934426534020fccf25a647faecfc7atree | snapshot
parent580a41aa24038a83f226c702ebea2ef983eb79a9commit | diff
net: atlantic: invert deep par in pm functions, preventing null derefs

This will reset deeply on freeze and thaw instead of suspend and
resume and prevent null pointer dereferences of the uninitialized ring
0 buffer while thawing.

The impact is an indefinitely hanging kernel. You can't switch
consoles after this and the only possible user interaction is SysRq.

BUG: kernel NULL pointer dereference
RIP: 0010:aq_ring_rx_fill+0xcf/0x210 [atlantic]
aq_vec_init+0x85/0xe0 [atlantic]
aq_nic_init+0xf7/0x1d0 [atlantic]
atl_resume_common+0x4f/0x100 [atlantic]
pci_pm_thaw+0x42/0xa0

resolves in aq_ring.o to

```
0000000000000ae0 <aq_ring_rx_fill>:
{
/* ... */
 baf: 48 8b 43 08           mov    0x8(%rbx),%rax
  buff->flags = 0U; /* buff is NULL */
```

The bug has been present since the introduction of the new pm code in
9230224bc11a ("net: atlantic: refactoring pm logic") and was hidden
until 19167d94541d ("net: atlantic: changes for multi-TC support"),
which refactored the aq_vec_{free,alloc} functions into
aq_vec_{,ring}_{free,alloc}, but is technically not wrong. The
original functions just always reinitialized the buffers on S3/S4. If
the interface is down before freezing, the bug does not occur. It does
not matter, whether the initrd contains and loads the module before
thawing.

So the fix is to invert the boolean parameter deep in all pm function
calls, which was clearly intended to be set like that.

First report was on Github [1], which you have to guess from the
resume logs in the posted dmesg snippet. Recently I posted one on
Bugzilla [2], since I did not have an AQC device so far.

#regzbot introduced: 19167d94541d
#regzbot from: koo5 <kolman.jindrich@gmail.com>
#regzbot monitor: https://github.com/Aquantia/AQtion/issues/32

Fixes: 9230224bc11a ("net: atlantic: refactoring pm logic")
Link: https://github.com/Aquantia/AQtion/issues/32
Link: https://bugzilla.kernel.org/show_bug.cgi?id=215798
Cc: stable@vger.kernel.org
Reported-by: koo5 <kolman.jindrich@gmail.com>
Signed-off-by: Manuel Ullmann <labre@posteo.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
drivers/net/ethernet/aquantia/atlantic/aq_pci_func.c diff | blob | history
Linux Kernel Source Tree.