linux/drivers/net
Lijun Pan 4b7441fac9 ibmvnic: fix NULL pointer dereference in reset_sub_crq_queues
[ Upstream commit a0faaa27c7 ]

adapter->tx_scrq and adapter->rx_scrq could be NULL if the previous reset
did not complete after freeing sub crqs. Check for NULL before
dereferencing them.

Snippet of call trace:
ibmvnic 30000006 env6: Releasing sub-CRQ
ibmvnic 30000006 env6: Releasing CRQ
...
ibmvnic 30000006 env6: Got Control IP offload Response
ibmvnic 30000006 env6: Re-setting tx_scrq[0]
BUG: Kernel NULL pointer dereference on read at 0x00000000
Faulting instruction address: 0xc008000003dea7cc
Oops: Kernel access of bad area, sig: 11 [#1]
LE PAGE_SIZE=64K MMU=Hash SMP NR_CPUS=2048 NUMA pSeries
Modules linked in: rpadlpar_io rpaphp xt_CHECKSUM xt_MASQUERADE xt_conntrack ipt_REJECT nf_reject_ipv4 nft_compat nft_counter nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nf_tables xsk_diag tcp_diag udp_diag raw_diag inet_diag unix_diag af_packet_diag netlink_diag tun bridge stp llc rfkill sunrpc pseries_rng xts vmx_crypto uio_pdrv_genirq uio binfmt_misc ip_tables xfs libcrc32c sd_mod t10_pi sg ibmvscsi ibmvnic ibmveth scsi_transport_srp dm_mirror dm_region_hash dm_log dm_mod
CPU: 80 PID: 1856 Comm: kworker/80:2 Tainted: G        W         5.8.0+ #4
Workqueue: events __ibmvnic_reset [ibmvnic]
NIP:  c008000003dea7cc LR: c008000003dea7bc CTR: 0000000000000000
REGS: c0000007ef7db860 TRAP: 0380   Tainted: G        W          (5.8.0+)
MSR:  800000000280b033 <SF,VEC,VSX,EE,FP,ME,IR,DR,RI,LE>  CR: 28002422  XER: 0000000d
CFAR: c000000000bd9520 IRQMASK: 0
GPR00: c008000003dea7bc c0000007ef7dbaf0 c008000003df7400 c0000007fa26ec00
GPR04: c0000007fcd0d008 c0000007fcd96350 0000000000000027 c0000007fcd0d010
GPR08: 0000000000000023 0000000000000000 0000000000000000 0000000000000000
GPR12: 0000000000002000 c00000001ec18e00 c0000000001982f8 c0000007bad6e840
GPR16: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
GPR20: 0000000000000000 0000000000000000 0000000000000000 fffffffffffffef7
GPR24: 0000000000000402 c0000007fa26f3a8 0000000000000003 c00000016f8ec048
GPR28: 0000000000000000 0000000000000000 0000000000000000 c0000007fa26ec00
NIP [c008000003dea7cc] ibmvnic_reset_init+0x15c/0x258 [ibmvnic]
LR [c008000003dea7bc] ibmvnic_reset_init+0x14c/0x258 [ibmvnic]
Call Trace:
[c0000007ef7dbaf0] [c008000003dea7bc] ibmvnic_reset_init+0x14c/0x258 [ibmvnic] (unreliable)
[c0000007ef7dbb80] [c008000003de8860] __ibmvnic_reset+0x408/0x970 [ibmvnic]
[c0000007ef7dbc50] [c00000000018b7cc] process_one_work+0x2cc/0x800
[c0000007ef7dbd20] [c00000000018bd78] worker_thread+0x78/0x520
[c0000007ef7dbdb0] [c0000000001984c4] kthread+0x1d4/0x1e0
[c0000007ef7dbe20] [c00000000000cea8] ret_from_kernel_thread+0x5c/0x74

Fixes: 57a49436f4 ("ibmvnic: Reset sub-crqs during driver reset")
Signed-off-by: Lijun Pan <ljp@linux.ibm.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2020-12-02 08:48:12 +01:00
appletalk
arcnet
bonding bonding: set dev->needed_headroom in bond_setup_by_slave() 2020-10-14 10:31:25 +02:00
caif
can can: kvaser_usb: kvaser_usb_hydra: Fix KCAN bittiming limits 2020-11-24 13:27:23 +01:00
dsa net: dsa: mv88e6xxx: Avoid VTU corruption on 6097 2020-11-24 13:27:17 +01:00
ethernet ibmvnic: fix NULL pointer dereference in reset_sub_crq_queues 2020-12-02 08:48:12 +01:00
fddi
fjes
hamradio yam: fix possible memory leak in yam_init_driver 2020-06-25 15:32:51 +02:00
hippi hippi: Fix a size used in a 'pci_free_consistent()' in an error handling path 2020-07-29 10:16:48 +02:00
hyperv hv_netvsc: Remove "unlikely" from netvsc_select_queue 2020-09-23 12:10:57 +02:00
ieee802154 ieee802154/adf7242: check status of adf7242_read_reg 2020-10-01 13:14:51 +02:00
ipvlan ipvlan: fix device features 2020-09-03 11:24:17 +02:00
netdevsim
phy sfp: Fix error handing in sfp_probe() 2020-11-10 12:35:54 +01:00
plip
ppp pppoe: only process PADT targeted at local interfaces 2020-05-20 08:18:36 +02:00
slip
team net: team: fix memory leak in __team_options_register 2020-10-14 10:31:24 +02:00
usb net: usb: qmi_wwan: Set DTR quirk for MR400 2020-11-24 13:27:19 +01:00
vmxnet3 net: vmxnet3: fix possible buffer overflow caused by bad DMA value in vmxnet3_get_rss() 2020-06-22 09:05:12 +02:00
wan cosa: Add missing kfree in error path of cosa_write 2020-11-18 19:18:48 +01:00
wimax wimax/i2400m: Fix potential urb refcnt leak 2020-05-10 10:30:08 +02:00
wireless ath9k_htc: Use appropriate rs_datalen type 2020-11-18 19:18:44 +01:00
xen-netback xen/netback: use lateeoi irq binding 2020-11-05 11:08:36 +01:00
dummy.c
eql.c
geneve.c ip_tunnels: Set tunnel option flag when tunnel metadata is present 2020-11-24 13:27:21 +01:00
gtp.c gtp: fix an use-before-init in gtp_newlink() 2020-11-05 11:08:32 +01:00
ifb.c
Kconfig
LICENSE.SRC
loopback.c
macsec.c macsec: avoid use-after-free in macsec_handle_frame() 2020-10-14 10:31:23 +02:00
macvlan.c macvlan: validate setting of multiple remote source MAC addresses 2020-09-03 11:24:26 +02:00
macvtap.c
Makefile
mdio.c
mii.c
net_failover.c net_failover: fixed rollback in net_failover_open() 2020-06-22 09:04:58 +02:00
netconsole.c
nlmon.c
ntb_netdev.c
rionet.c
sb1000.c
Space.c
sungem_phy.c
tap.c
thunderbolt.c
tun.c tun: correct header offsets in napi frags mode 2020-06-22 09:04:58 +02:00
veth.c veth: Adjust hard_start offset on redirect XDP frames 2020-06-22 09:05:17 +02:00
virtio_net.c virtio_net: fix lockdep warning on 32 bit 2020-05-20 08:18:37 +02:00
vrf.c vrf: Fix fast path output packet handling with async Netfilter rules 2020-11-18 19:18:52 +01:00
vsockmon.c
vxlan.c Revert "vxlan: fix tos value before xmit" 2020-08-11 15:32:35 +02:00
xen-netfront.c xen-netfront: fix potential deadlock in xennet_remove() 2020-08-05 10:06:05 +02:00