Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751807AbdINPzk (ORCPT ); Thu, 14 Sep 2017 11:55:40 -0400 Received: from omzsmtpe01.verizonbusiness.com ([199.249.25.210]:46431 "EHLO omzsmtpe01.verizonbusiness.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751880AbdINPww (ORCPT ); Thu, 14 Sep 2017 11:52:52 -0400 From: "Levin, Alexander (Sasha Levin)" Cc: Feras Daoud , Or Gerlitz , Erez Shitrit , Leon Romanovsky , "Doug Ledford" , "Levin, Alexander (Sasha Levin)" X-Host: discovery.odc.vzwcorp.com To: "linux-kernel@vger.kernel.org" , "stable@vger.kernel.org" Subject: [PATCH for 4.9 37/59] IB/ipoib: rtnl_unlock can not come after free_netdev Thread-Topic: [PATCH for 4.9 37/59] IB/ipoib: rtnl_unlock can not come after free_netdev Thread-Index: AQHTLXFMkunRnVH+oEOf+CPPWeA6Ew== Date: Thu, 14 Sep 2017 15:51:15 +0000 Message-ID: <20170914155051.8289-37-alexander.levin@verizon.com> References: <20170914155051.8289-1-alexander.levin@verizon.com> In-Reply-To: <20170914155051.8289-1-alexander.levin@verizon.com> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-ms-exchange-messagesentrepresentingtype: 1 x-ms-exchange-transport-fromentityheader: Hosted x-originating-ip: [10.144.60.250] Content-Type: text/plain; charset="iso-8859-1" MIME-Version: 1.0 Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by nfs id v8EFtiaH014054 Content-Length: 1507 Lines: 44 From: Feras Daoud [ Upstream commit 89a3987ab7a923c047c6dec008e60ad6f41fac22 ] The ipoib_vlan_add function calls rtnl_unlock after free_netdev, rtnl_unlock not only releases the lock, but also calls netdev_run_todo. The latter function browses the net_todo_list array and completes the unregistration of all its net_device instances. If we call free_netdev before rtnl_unlock, then netdev_run_todo call over the freed device causes panic. To fix, move rtnl_unlock call before free_netdev call. Fixes: 9baa0b036410 ("IB/ipoib: Add rtnl_link_ops support") Cc: Or Gerlitz Signed-off-by: Feras Daoud Signed-off-by: Erez Shitrit Reviewed-by: Yuval Shaia Signed-off-by: Leon Romanovsky Signed-off-by: Doug Ledford Signed-off-by: Sasha Levin --- drivers/infiniband/ulp/ipoib/ipoib_vlan.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/infiniband/ulp/ipoib/ipoib_vlan.c b/drivers/infiniband/ulp/ipoib/ipoib_vlan.c index 8151d1a6acb1..93b50be14438 100644 --- a/drivers/infiniband/ulp/ipoib/ipoib_vlan.c +++ b/drivers/infiniband/ulp/ipoib/ipoib_vlan.c @@ -165,11 +165,11 @@ int ipoib_vlan_add(struct net_device *pdev, unsigned short pkey) out: up_write(&ppriv->vlan_rwsem); + rtnl_unlock(); + if (result) free_netdev(priv->dev); - rtnl_unlock(); - return result; } -- 2.11.0