net: hns3: fix race condition in debugfs
driver inclusion
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I4LD5U
CVE: NA

----------------------------

When multiple users access debugfs at the same time, the process of allocating and releasing memory becomes disordered, causing a kernel crash like this:

[763845.759089] PC is at kfree+0x19c/0x1a0
[763845.759100] LR is at kvfree+0x3c/0x58
[763845.759103] pc : [<ffff00000828878c>] lr : [<ffff00000823432c>] pstate: 60400009
[763845.759105] sp : ffff00003744fc90
[763845.759108] x29: ffff00003744fc90 x28: ffff8027dc87b800
[763845.759115] x27: ffff0000088a1000 x26: ffff000002970f48
[763845.759121] x25: ffff802502600000 x24: 00000000000000af
[763845.759127] x23: 0000000000010000 x22: 0000000013dc0000
[763845.759133] x21: ffff00000823432c x20: ffff802502600000
[763845.759139] x19: ffff802502600000 x18: 0000ffffdaa06b10
[763845.759145] x17: 00000000004201c8 x16: ffff0000082b2b10
[763845.759151] x15: 000000000003013f x14: 0000ffffa462ffe0
[763845.759157] x13: ffffffffffffffff x12: 0433526ae61f3300
[763845.759163] x11: ffff000009694b30 x10: 0000000000000001
[763845.759169] x9 : 000000000007b224 x8 : ffff000009719edc
[763845.759175] x7 : ffff7fe009409800 x6 : 00000045757af8cf
[763845.759181] x5 : ffff8027fced69f0 x4 : 0000000000000000
[763845.759187] x3 : 0000000000000000 x2 : 0433526ae61f3300
[763845.759192] x1 : 0000000000000000 x0 : dead000000000100
[763845.759200] Process cat (pid: 57988, stack limit = 0xffff000037440000)
[763845.759203] Call trace:
[763845.759207] Exception stack(0xffff00003744fb50 to 0xffff00003744fc90)
[763845.759211] fb40: dead000000000100 0000000000000000
[768745.759215] fb60: 0433526ae61f3300 0000000000000000 0000000000000000 ffff8027fced69f0
[763845.759219] fb80: 00000045757af8cf ffff7fe009409800 ffff000009719edc 000000000007b224
[763845.759222] fba0: 0000000000000001 ffff000009694b30 0433526ae61f3300 ffffffffffffffff
[763845.759226] fbc0: 0000ffffa462ffe0 000000000003013f ffff0000082b2b10 00000000004201c8
[763845.759231] fbe0: 0000ffffdaa06b10 ffff802502600000 ffff802502600000 ffff00000823432c
[763845.759235] fc00: 0000000013dc0000 0000000000010000 00000000000000af ffff802502600000
[763845.759238] fc20: ffff000002970f48 ffff0000088a1000 ffff8027dc87b800 ffff00003744fc90
[763845.759243] fc40: ffff00000823432c ffff00003744fc90 ffff00000828878c 0000000060400009
[763845.759247] fc60: ffff00003744feb0 0000000013dc0000 0000ffffffffffff 0000000000000023
[763845.759250] fc80: ffff00003744fc90 ffff00000828878c
[763845.759259] [<ffff00000828878c>] kfree+0x19c/0x1a0
[763845.759263] [<ffff00000823432c>] kvfree+0x3c/0x58
[763845.759306] [<ffff00000295ab94>] hns3_dbg_read+0x94/0x240 [hns3]
[763845.759318] [<ffff000008359550>] full_proxy_read+0x60/0x90
[763845.759324] [<ffff0000082b22a4>] __vfs_read+0x58/0x178
[763845.759327] [<ffff0000082b2454>] vfs_read+0x90/0x14c
[763845.759332] [<ffff0000082b2b70>] SyS_read+0x60/0xc0

This patch adds a mutex lock to fix the race condition, and needs to call the hns3_dbg_read_cmd() function when the buffer is NULL to avoid reading empty data.

Fixes: c91910ef ("net: hns3: refactor the debugfs process")
Signed-off-by: Yonglong Liu <liuyonglong@huawei.com>
Reviewed-by: li yongxin <liyongxin1@huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>