From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Lijun Pan, Jakub Kicinski, Sasha Levin
Subject: [PATCH 4.14 36/50] ibmvnic: fix NULL pointer dereference in reset_sub_crq_queues
Date: Tue, 1 Dec 2020 09:53:35 +0100
Message-Id: <20201201084649.483905706@linuxfoundation.org>
X-Mailer: git-send-email 2.29.2
In-Reply-To: <20201201084644.803812112@linuxfoundation.org>
References: <20201201084644.803812112@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org

From: Lijun Pan

[ Upstream commit a0faaa27c71608799e0dd765c5af38a089091802 ]

adapter->tx_scrq and adapter->rx_scrq could be NULL if the previous reset
did not complete after freeing sub crqs. Check for NULL before
dereferencing them.

Snippet of call trace:
ibmvnic 30000006 env6: Releasing sub-CRQ
ibmvnic 30000006 env6: Releasing CRQ
...
ibmvnic 30000006 env6: Got Control IP offload Response
ibmvnic 30000006 env6: Re-setting tx_scrq[0]
BUG: Kernel NULL pointer dereference on read at 0x00000000
Faulting instruction address: 0xc008000003dea7cc
Oops: Kernel access of bad area, sig: 11 [#1]
LE PAGE_SIZE=64K MMU=Hash SMP NR_CPUS=2048 NUMA pSeries
Modules linked in: rpadlpar_io rpaphp xt_CHECKSUM xt_MASQUERADE xt_conntrack ipt_REJECT nf_reject_ipv4 nft_compat nft_counter nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nf_tables xsk_diag tcp_diag udp_diag raw_diag inet_diag unix_diag af_packet_diag netlink_diag tun bridge stp llc rfkill sunrpc pseries_rng xts vmx_crypto uio_pdrv_genirq uio binfmt_misc ip_tables xfs libcrc32c sd_mod t10_pi sg ibmvscsi ibmvnic ibmveth scsi_transport_srp dm_mirror dm_region_hash dm_log dm_mod
CPU: 80 PID: 1856 Comm: kworker/80:2 Tainted: G W 5.8.0+ #4
Workqueue: events __ibmvnic_reset [ibmvnic]
NIP: c008000003dea7cc LR: c008000003dea7bc CTR: 0000000000000000
REGS: c0000007ef7db860 TRAP: 0380 Tainted: G W (5.8.0+)
MSR: 800000000280b033 CR: 28002422 XER: 0000000d
CFAR: c000000000bd9520 IRQMASK: 0
GPR00: c008000003dea7bc c0000007ef7dbaf0 c008000003df7400 c0000007fa26ec00
GPR04: c0000007fcd0d008 c0000007fcd96350 0000000000000027 c0000007fcd0d010
GPR08: 0000000000000023 0000000000000000 0000000000000000 0000000000000000
GPR12: 0000000000002000 c00000001ec18e00 c0000000001982f8 c0000007bad6e840
GPR16: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
GPR20: 0000000000000000 0000000000000000 0000000000000000 fffffffffffffef7
GPR24: 0000000000000402 c0000007fa26f3a8 0000000000000003 c00000016f8ec048
GPR28: 0000000000000000 0000000000000000 0000000000000000 c0000007fa26ec00
NIP [c008000003dea7cc] ibmvnic_reset_init+0x15c/0x258 [ibmvnic]
LR [c008000003dea7bc] ibmvnic_reset_init+0x14c/0x258 [ibmvnic]
Call Trace:
[c0000007ef7dbaf0] [c008000003dea7bc] ibmvnic_reset_init+0x14c/0x258 [ibmvnic] (unreliable)
[c0000007ef7dbb80] [c008000003de8860] __ibmvnic_reset+0x408/0x970 [ibmvnic]
[c0000007ef7dbc50] [c00000000018b7cc] process_one_work+0x2cc/0x800
[c0000007ef7dbd20] [c00000000018bd78] worker_thread+0x78/0x520
[c0000007ef7dbdb0] [c0000000001984c4] kthread+0x1d4/0x1e0
[c0000007ef7dbe20] [c00000000000cea8] ret_from_kernel_thread+0x5c/0x74

Fixes: 57a49436f4e8 ("ibmvnic: Reset sub-crqs during driver reset")
Signed-off-by: Lijun Pan
Signed-off-by: Jakub Kicinski
Signed-off-by: Sasha Levin
--- drivers/net/ethernet/ibm/ibmvnic.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/net/ethernet/ibm/ibmvnic.c b/drivers/net/ethernet/ibm/ibmvnic.c index 8b8a0c4fbc993..3f2816af7b250 100644 --- a/drivers/net/ethernet/ibm/ibmvnic.c +++ b/drivers/net/ethernet/ibm/ibmvnic.c @@ -1977,6 +1977,9 @@ static int reset_sub_crq_queues(struct ibmvnic_adapter *adapter) { int i, rc; + if (!adapter->tx_scrq || !adapter->rx_scrq) + return -EINVAL; + for (i = 0; i < adapter->req_tx_queues; i++) { netdev_dbg(adapter->netdev, "Re-setting tx_scrq[%d]\n", i); rc = reset_one_sub_crq_queue(adapter, adapter->tx_scrq[i]); -- 2.27.0
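
Review bot: The early return added at the top of reset_sub_crq_queues() is silent: when adapter->tx_scrq or adapter->rx_scrq is NULL it returns -EINVAL without a log line, while the loop directly below logs every queue with netdev_dbg(). A netdev_dbg() or netdev_warn() before the return, saying the sub-CRQ arrays are missing, would make an incomplete earlier reset visible in the log instead of surfacing only as an error code. The hunk also does not show how the caller (ibmvnic_reset_init in the quoted trace) reacts to -EINVAL; it is worth confirming that it recovers by re-allocating the sub-CRQs and does not simply fail the reset.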