• Michael Chan's avatar
    bnxt_en: Fix possible crash after creating sw mqprio TCs · 467739ba
    Michael Chan authored
    The driver relies on netdev_get_num_tc() to get the number of HW
    offloaded mqprio TCs to allocate and free TX rings.  This won't
    work and can potentially crash the system if software mqprio or
    taprio TCs have been setup.  netdev_get_num_tc() will return the
    number of software TCs and it may cause the driver to allocate or
    free more TX rings that it should.  Fix it by adding a bp->num_tc
    field to store the number of HW offload mqprio TCs for the device.
    Use bp->num_tc instead of netdev_get_num_tc().
    
    This fixes a crash like this:
    
    BUG: kernel NULL pointer dereference, address: 0000000000000000
    PGD 42b8404067 P4D 0
    Oops: 0000 [#1] PREEMPT SMP NOPTI
    CPU: 120 PID: 8661 Comm: ifconfig Kdump: loaded Tainted: G           OE     5.18.16 #1
    Hardware name: Lenovo ThinkSystem SR650 V3/SB27A92818, BIOS ESE114N-2.12 04/25/2023
    RIP: 0010:bnxt_hwrm_cp_ring_alloc_p5+0x10/0x90 [bnxt_en]
    Code: 41 5c 41 5d 41 5e c3 cc cc cc cc 41 8b 44 24 08 66 89 03 eb c6 e8 b0 f1 7d db 0f 1f 44 00 00 41 56 41 55 41 54 55 48 89 fd 53 <48> 8b 06 48 89 f3 48 81 c6 28 01 00 00 0f b6 96 13 ff ff ff 44 8b
    RSP: 0018:ff65907660d1fa88 EFLAGS: 00010202
    RAX: 0000000000000010 RBX: ff4dde1d907e4980 RCX: f400000000000000
    RDX: 0000000000000010 RSI: 0000000000000000 RDI: ff4dde1d907e4980
    RBP: ff4dde1d907e4980 R08: 000000000000000f R09: 0000000000000000
    R10: ff4dde5f02671800 R11: 0000000000000008 R12: 0000000088888889
    R13: 0500000000000000 R14: 00f0000000000000 R15: ff4dde5f02671800
    FS:  00007f4b126b5740(0000) GS:ff4dde9bff600000(0000) knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 0000000000000000 CR3: 000000416f9c6002 CR4: 0000000000771ee0
    DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
    DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400
    PKRU: 55555554
    Call Trace:
     <TASK>
     bnxt_hwrm_ring_alloc+0x204/0x770 [bnxt_en]
     bnxt_init_chip+0x4d/0x680 [bnxt_en]
     ? bnxt_poll+0x1a0/0x1a0 [bnxt_en]
     __bnxt_open_nic+0xd2/0x740 [bnxt_en]
     bnxt_open+0x10b/0x220 [bnxt_en]
     ? raw_notifier_call_chain+0x41/0x60
     __dev_open+0xf3/0x1b0
     __dev_change_flags+0x1db/0x250
     dev_change_flags+0x21/0x60
     devinet_ioctl+0x590/0x720
     ? avc_has_extended_perms+0x1b7/0x420
     ? _copy_from_user+0x3a/0x60
     inet_ioctl+0x189/0x1c0
     ? wp_page_copy+0x45a/0x6e0
     sock_do_ioctl+0x42/0xf0
     ? ioctl_has_perm.constprop.0.isra.0+0xbd/0x120
     sock_ioctl+0x1ce/0x2e0
     __x64_sys_ioctl+0x87/0xc0
     do_syscall_64+0x59/0x90
     ? syscall_exit_work+0x103/0x130
     ? syscall_exit_to_user_mode+0x12/0x30
     ? do_syscall_64+0x69/0x90
     ? exc_page_fault+0x62/0x150
    
    Fixes: c0c050c5 ("bnxt_en: New Broadcom ethernet driver.")
    Reviewed-by: default avatarDamodharam Ammepalli <damodharam.ammepalli@broadcom.com>
    Reviewed-by: default avatarAndy Gospodarek <andrew.gospodarek@broadcom.com>
    Signed-off-by: default avatarMichael Chan <michael.chan@broadcom.com>
    Link: https://lore.kernel.org/r/20240117234515.226944-6-michael.chan@broadcom.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
    467739ba
bnxt.c 397 KB