From: <same...@amazon.com> Date: Sun, 15 Sep 2019 17:29:44 +0300 > From: Sameeh Jubran <same...@amazon.com> > > There is a race condition that can occur when calling ena_down(). > The ena_clean_tx_irq() - which is a part of the napi handler - > function might wake up the tx queue when the queue is supposed > to be down (during recovery or changing the size of the queues > for example) This causes the ena_start_xmit() function to trigger > and possibly try to access the destroyed queues. > > The race is illustrated below: > > Flow A: Flow B(napi handler) > ena_down() > netif_carrier_off() > netif_tx_disable() > ena_clean_tx_irq() > netif_tx_wake_queue() > ena_napi_disable_all() > ena_destroy_all_io_queues() > > After these flows the tx queue is active and ena_start_xmit() accesses > the destroyed queue which leads to a kernel panic. > > fixes: 1738cd3ed342 (net: ena: Add a driver for Amazon Elastic Network > Adapters (ENA)) > > Signed-off-by: Sameeh Jubran <same...@amazon.com>
Applied.
