net: hns3: fix double free bug when setting ringparam
author Huazhong Tan <tanhuazhong@huawei.com>
Thu, 5 Sep 2019 13:31:37 +0000 (21:31 +0800)
committer David S. Miller <davem@davemloft.net>
Fri, 6 Sep 2019 13:20:34 +0000 (15:20 +0200)
commit 323a2ac52227c20f3387ea1cd16c04a844cd1ea1
tree 2a8c7e9e6a6ab4548a9d6ed2cf46e90967caaa6c
parent d9c0f2756a33833b2653f7a3612814fa5f52a568
net: hns3: fix double free bug when setting ringparam

The system will panic when changing the ringparam in HNS3 drivers:

[ 1459.627727] hns3 0000:bd:00.0 eth6: Changing Tx/Rx ring ds from 1024/1024 to 24/24
[ 1459.635766] hns3 0000:bd:00.0 eth6: link down
[ 1459.640788] BUG: Bad page state in process ethtool  pfn:203f75c18
[ 1459.646940] page:ffff7ee4ffd70600 refcount:0 mapcount:0 mapping:ffff993fff40f400 index:0x0 compound_mapcount: 0
[ 1459.656987] flags: 0x9fffe00000010200(slab|head)
[ 1459.661591] raw: 9fffe00000010200 dead000000000100 dead000000000122 ffff993fff40f400
[ 1459.669302] raw: 0000000000000000 0000000080100010 00000000ffffffff 0000000000000000
[ 1459.677016] page dumped because: PAGE_FLAGS_CHECK_AT_FREE flag(s) set
[ 1459.683432] bad because of flags: 0x200(slab)
[ 1459.687775] Modules linked in: ib_ipoib ib_umad rpcrdma ib_iser libiscsi scsi_transport_iscsi hns_roce_hw_v2 crct10dif_ce hns3 ses hclge hnae3 hisi_hpre hisi_zip qm uacce ip_tables x_tables hisi_sas_v3_hw hisi_sas_main libsas scsi_transport_sas
[ 1459.709329] CPU: 14 PID: 17244 Comm: ethtool Tainted: G           O      5.3.0-rc4-00415-gc86f057 #1
[ 1459.718419] Hardware name: Huawei TaiShan 2280 V2/BC82AMDC, BIOS 2280-V2 CS V3.B040.01 07/26/2019
[ 1459.727248] Call trace:
[ 1459.729688]  dump_backtrace+0x0/0x150
[ 1459.733335]  show_stack+0x24/0x30
[ 1459.736639]  dump_stack+0xa0/0xc4
[ 1459.739943]  bad_page+0xf0/0x158
[ 1459.743157]  free_pages_check_bad+0x84/0xa0
[ 1459.747322]  __free_pages_ok+0x348/0x378
[ 1459.751228]  page_frag_free+0x80/0x88
[ 1459.754877]  skb_free_head+0x38/0x48
[ 1459.758436]  skb_release_data+0x134/0x160
[ 1459.762427]  skb_release_all+0x30/0x40
[ 1459.766158]  consume_skb+0x38/0x108
[ 1459.769633]  __dev_kfree_skb_any+0x58/0x68
[ 1459.773718]  hns3_fini_ring+0x48/0x58 [hns3]
[ 1459.777970]  hns3_set_ringparam+0x2a8/0x418 [hns3]
[ 1459.782741]  dev_ethtool+0x5f4/0x2080
[ 1459.786390]  dev_ioctl+0x190/0x3d8
[ 1459.789777]  sock_do_ioctl+0xf8/0x220
[ 1459.793423]  sock_ioctl+0x3bc/0x490
[ 1459.796896]  do_vfs_ioctl+0xc4/0x868
[ 1459.800454]  ksys_ioctl+0x8c/0xa0
[ 1459.803752]  __arm64_sys_ioctl+0x28/0x38
[ 1459.807658]  el0_svc_common.constprop.0+0xe0/0x1e0
[ 1459.812426]  el0_svc_handler+0x34/0x90
[ 1459.816158]  el0_svc+0x10/0x14
[ 1459.819220] Disabling lock debugging due to kernel taint
[ 1459.825182] ------------[ cut here ]------------

Since ndo_stop will reclaim the RX's skb allocated by the driver,
the backed up ring parameter should not keep this info.

Fixes: a723fb8efe29 ("net: hns3: refine for set ring parameters")
Signed-off-by: Huazhong Tan <tanhuazhong@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
drivers/net/ethernet/hisilicon/hns3/hns3_ethtool.c
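
A userspace model of the failure the commit message describes, added here as an illustration and not taken from the hns3 driver or from this commit: a byte-copied backup of a ring keeps a pointer to an skb that the stop path later reclaims, so tearing down the backup releases it a second time. All struct and function names are hypothetical, and the ordering (back up, stop, tear down from the backup) is assumed from the call trace and the message.

```c
#include <stdio.h>
#include <string.h>

/* Userspace model; struct and function names are hypothetical, not the hns3 driver's. */
struct buf { int frees; };              /* stands in for an RX skb; counts release calls */
struct ring { int desc_num; struct buf *skb; };

/* Stands in for the kernel free path: records the release instead of freeing memory. */
static void release_buf(struct buf *b) { b->frees++; }

/* Model of ndo_stop: reclaims the skb the live ring still holds. */
static void ring_stop(struct ring *r)
{
    if (r->skb) {
        release_buf(r->skb);
        r->skb = NULL;
    }
}

/* Model of ring teardown: releases whatever skb the ring struct points at. */
static void ring_fini(struct ring *r)
{
    if (r->skb)
        release_buf(r->skb);
    r->skb = NULL;
}

/* Returns how many times the skb was released during a ring-size change. */
static int change_ringparam(int clear_skb_in_backup)
{
    struct buf skb = { 0 };
    struct ring live = { 1024, &skb };
    struct ring backup;
    memcpy(&backup, &live, sizeof(backup));  /* byte copy also copies the skb pointer */
    if (clear_skb_in_backup)
        backup.skb = NULL;                   /* backup must not keep ownership info */
    ring_stop(&live);                        /* first (legitimate) release */
    live.desc_num = 24;                      /* new size takes effect */
    ring_fini(&backup);                      /* old ring torn down from the backup */
    return skb.frees;
}

int main(void)
{
    printf("stale backup: %d releases\n", change_ringparam(0));
    printf("cleared backup: %d releases\n", change_ringparam(1));
    return 0;
}
```

A release count of 2 corresponds to the "Bad page state" report in the log above; a count of 1 is the single release performed by the stop path.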