From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Lijun Pan, Jakub Kicinski, Sasha Levin
Subject: [PATCH 5.9 114/152] ibmvnic: fix NULL pointer dereference in reset_sub_crq_queues
Date: Tue, 1 Dec 2020 09:53:49 +0100
Message-Id: <20201201084726.788641206@linuxfoundation.org>
In-Reply-To: <20201201084711.707195422@linuxfoundation.org>
References: <20201201084711.707195422@linuxfoundation.org>

From: Lijun Pan

[ Upstream commit a0faaa27c71608799e0dd765c5af38a089091802 ]

adapter->tx_scrq and adapter->rx_scrq could be NULL if the previous reset
did not complete after freeing sub crqs. Check for NULL before
dereferencing them.

Snippet of call trace:
ibmvnic 30000006 env6: Releasing sub-CRQ
ibmvnic 30000006 env6: Releasing CRQ
...
ibmvnic 30000006 env6: Got Control IP offload Response
ibmvnic 30000006 env6: Re-setting tx_scrq[0]
BUG: Kernel NULL pointer dereference on read at 0x00000000
Faulting instruction address: 0xc008000003dea7cc
Oops: Kernel access of bad area, sig: 11 [#1]
LE PAGE_SIZE=64K MMU=Hash SMP NR_CPUS=2048 NUMA pSeries
Modules linked in: rpadlpar_io rpaphp xt_CHECKSUM xt_MASQUERADE xt_conntrack ipt_REJECT nf_reject_ipv4 nft_compat nft_counter nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nf_tables xsk_diag tcp_diag udp_diag raw_diag inet_diag unix_diag af_packet_diag netlink_diag tun bridge stp llc rfkill sunrpc pseries_rng xts vmx_crypto uio_pdrv_genirq uio binfmt_misc ip_tables xfs libcrc32c sd_mod t10_pi sg ibmvscsi ibmvnic ibmveth scsi_transport_srp dm_mirror dm_region_hash dm_log dm_mod
CPU: 80 PID: 1856 Comm: kworker/80:2 Tainted: G W 5.8.0+ #4
Workqueue: events __ibmvnic_reset [ibmvnic]
NIP: c008000003dea7cc LR: c008000003dea7bc CTR: 0000000000000000
REGS: c0000007ef7db860 TRAP: 0380 Tainted: G W (5.8.0+)
MSR: 800000000280b033 CR: 28002422 XER: 0000000d
CFAR: c000000000bd9520 IRQMASK: 0
GPR00: c008000003dea7bc c0000007ef7dbaf0 c008000003df7400 c0000007fa26ec00
GPR04: c0000007fcd0d008 c0000007fcd96350 0000000000000027 c0000007fcd0d010
GPR08: 0000000000000023 0000000000000000 0000000000000000 0000000000000000
GPR12: 0000000000002000 c00000001ec18e00 c0000000001982f8 c0000007bad6e840
GPR16: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
GPR20: 0000000000000000 0000000000000000 0000000000000000 fffffffffffffef7
GPR24: 0000000000000402 c0000007fa26f3a8 0000000000000003 c00000016f8ec048
GPR28: 0000000000000000 0000000000000000 0000000000000000 c0000007fa26ec00
NIP [c008000003dea7cc] ibmvnic_reset_init+0x15c/0x258 [ibmvnic]
LR [c008000003dea7bc] ibmvnic_reset_init+0x14c/0x258 [ibmvnic]
Call Trace:
[c0000007ef7dbaf0] [c008000003dea7bc] ibmvnic_reset_init+0x14c/0x258 [ibmvnic] (unreliable)
[c0000007ef7dbb80] [c008000003de8860] __ibmvnic_reset+0x408/0x970 [ibmvnic]
[c0000007ef7dbc50] [c00000000018b7cc] process_one_work+0x2cc/0x800
[c0000007ef7dbd20] [c00000000018bd78] worker_thread+0x78/0x520
[c0000007ef7dbdb0] [c0000000001984c4] kthread+0x1d4/0x1e0
[c0000007ef7dbe20] [c00000000000cea8] ret_from_kernel_thread+0x5c/0x74

Fixes: 57a49436f4e8 ("ibmvnic: Reset sub-crqs during driver reset")
Signed-off-by: Lijun Pan
Signed-off-by: Jakub Kicinski
Signed-off-by: Sasha Levin
---
 drivers/net/ethernet/ibm/ibmvnic.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/net/ethernet/ibm/ibmvnic.c b/drivers/net/ethernet/ibm/ibmvnic.c index 0341089743ff1..349d0b3d9edc3 100644 --- a/drivers/net/ethernet/ibm/ibmvnic.c +++ b/drivers/net/ethernet/ibm/ibmvnic.c @@ -2887,6 +2887,9 @@ static int reset_sub_crq_queues(struct ibmvnic_adapter *adapter) { int i, rc; + if (!adapter->tx_scrq || !adapter->rx_scrq) + return -EINVAL; + for (i = 0; i < adapter->req_tx_queues; i++) { netdev_dbg(adapter->netdev, "Re-setting tx_scrq[%d]\n", i); rc = reset_one_sub_crq_queue(adapter, adapter->tx_scrq[i]); -- 2.27.0
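
Review bot: The new early return at the top of reset_sub_crq_queues() is silent, so a reset that bails out here leaves nothing in the log, while the loop directly below logs "Re-setting tx_scrq[%d]" for every queue; consider a netdev_dbg() or netdev_err() before `return -EINVAL;` that says which of tx_scrq/rx_scrq was NULL. The check also covers only the two array pointers: the loop still hands adapter->tx_scrq[i] to reset_one_sub_crq_queue() unchecked, so it is worth confirming that an incomplete free can never leave the array allocated with NULL entries, or guarding each entry. Please also confirm that the caller treats -EINVAL from this path as "sub-CRQs must be re-created" rather than as a fatal reset failure, since the commit message describes this state as the leftover of an earlier reset that did not complete.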