From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Lijun Pan, Jakub Kicinski, Sasha Levin
Subject: [PATCH 5.4 65/98] ibmvnic: fix NULL pointer dereference in reset_sub_crq_queues
Date: Tue, 1 Dec 2020 09:53:42 +0100
Message-Id: <20201201084658.269011861@linuxfoundation.org>
In-Reply-To: <20201201084652.827177826@linuxfoundation.org>
References: <20201201084652.827177826@linuxfoundation.org>

From: Lijun Pan

[ Upstream commit a0faaa27c71608799e0dd765c5af38a089091802 ]

adapter->tx_scrq and adapter->rx_scrq could be NULL if the previous reset
did not complete after freeing sub crqs. Check for NULL before
dereferencing them.

Snippet of call trace:
ibmvnic 30000006 env6: Releasing sub-CRQ
ibmvnic 30000006 env6: Releasing CRQ
...
ibmvnic 30000006 env6: Got Control IP offload Response
ibmvnic 30000006 env6: Re-setting tx_scrq[0]
BUG: Kernel NULL pointer dereference on read at 0x00000000
Faulting instruction address: 0xc008000003dea7cc
Oops: Kernel access of bad area, sig: 11 [#1]
LE PAGE_SIZE=64K MMU=Hash SMP NR_CPUS=2048 NUMA pSeries
Modules linked in: rpadlpar_io rpaphp xt_CHECKSUM xt_MASQUERADE xt_conntrack ipt_REJECT nf_reject_ipv4 nft_compat nft_counter nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nf_tables xsk_diag tcp_diag udp_diag raw_diag inet_diag unix_diag af_packet_diag netlink_diag tun bridge stp llc rfkill sunrpc pseries_rng xts vmx_crypto uio_pdrv_genirq uio binfmt_misc ip_tables xfs libcrc32c sd_mod t10_pi sg ibmvscsi ibmvnic ibmveth scsi_transport_srp dm_mirror dm_region_hash dm_log dm_mod
CPU: 80 PID: 1856 Comm: kworker/80:2 Tainted: G W 5.8.0+ #4
Workqueue: events __ibmvnic_reset [ibmvnic]
NIP: c008000003dea7cc LR: c008000003dea7bc CTR: 0000000000000000
REGS: c0000007ef7db860 TRAP: 0380 Tainted: G W (5.8.0+)
MSR: 800000000280b033 CR: 28002422 XER: 0000000d
CFAR: c000000000bd9520 IRQMASK: 0
GPR00: c008000003dea7bc c0000007ef7dbaf0 c008000003df7400 c0000007fa26ec00
GPR04: c0000007fcd0d008 c0000007fcd96350 0000000000000027 c0000007fcd0d010
GPR08: 0000000000000023 0000000000000000 0000000000000000 0000000000000000
GPR12: 0000000000002000 c00000001ec18e00 c0000000001982f8 c0000007bad6e840
GPR16: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
GPR20: 0000000000000000 0000000000000000 0000000000000000 fffffffffffffef7
GPR24: 0000000000000402 c0000007fa26f3a8 0000000000000003 c00000016f8ec048
GPR28:
0000000000000000 0000000000000000 0000000000000000 c0000007fa26ec00 NIP [c008000003dea7cc] ibmvnic_reset_init+0x15c/0x258 [ibmvnic] LR [c008000003dea7bc] ibmvnic_reset_init+0x14c/0x258 [ibmvnic] Call Trace: [c0000007ef7dbaf0] [c008000003dea7bc] ibmvnic_reset_init+0x14c/0x258 [ibmvnic] (unreliable) [c0000007ef7dbb80] [c008000003de8860] __ibmvnic_reset+0x408/0x970 [ibmvnic] [c0000007ef7dbc50] [c00000000018b7cc] process_one_work+0x2cc/0x800 [c0000007ef7dbd20] [c00000000018bd78] worker_thread+0x78/0x520 [c0000007ef7dbdb0] [c0000000001984c4] kthread+0x1d4/0x1e0 [c0000007ef7dbe20] [c00000000000cea8] ret_from_kernel_thread+0x5c/0x74 Fixes: 57a49436f4e8 ("ibmvnic: Reset sub-crqs during driver reset") Signed-off-by: Lijun Pan Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin --- drivers/net/ethernet/ibm/ibmvnic.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/net/ethernet/ibm/ibmvnic.c b/drivers/net/ethernet/ibm/ibmvnic.c index 717f793455056..238915410d79a 100644 --- a/drivers/net/ethernet/ibm/ibmvnic.c +++ b/drivers/net/ethernet/ibm/ibmvnic.c @@ -2767,6 +2767,9 @@ static int reset_sub_crq_queues(struct ibmvnic_adapter *adapter) { int i, rc; + if (!adapter->tx_scrq || !adapter->rx_scrq) + return -EINVAL; + for (i = 0; i < adapter->req_tx_queues; i++) { netdev_dbg(adapter->netdev, "Re-setting tx_scrq[%d]\n", i); rc = reset_one_sub_crq_queue(adapter, adapter->tx_scrq[i]); -- 2.27.0
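
Review bot: the new guard at the top of reset_sub_crq_queues() tests only the array pointers adapter->tx_scrq and adapter->rx_scrq, while the loop directly below it passes the individual entries adapter->tx_scrq[i] to reset_one_sub_crq_queue(). Whether that callee tolerates a NULL entry is not visible in this hunk, so if an earlier reset stopped partway through freeing the sub-CRQs, an entry could still be dereferenced; consider checking each entry inside the loop as well, or stating in the commit message that the entries and the array are always released together. The early "return -EINVAL;" is also silent: the loop already logs with netdev_dbg(), and a matching message before the return naming which queue array is missing would let the log show why the reset bailed out, where the trace in the commit message ends at "Re-setting tx_scrq[0]" with no indication of the cause.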