Received: by 2002:a05:6a11:4021:0:0:0:0 with SMTP id ky33csp4143594pxb; Mon, 27 Sep 2021 10:15:56 -0700 (PDT) X-Google-Smtp-Source: ABdhPJyuHd4LsZQAlUS7ySXPIWmoQVN5wCeF0JQBw4lX7Ru5PrQDgtupQgguyLXuYKNb3f+WbPzq X-Received: by 2002:a17:90b:4ac1:: with SMTP id mh1mr210340pjb.238.1632762956538; Mon, 27 Sep 2021 10:15:56 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1632762956; cv=none; d=google.com; s=arc-20160816; b=XrOFnEXSn6HymmPtOa2n5zCuxRgJN7oH8wI8/+ljBZOLbcJ9Q0o5Q2UoQ3CEGjPl0W uKoP1f2DJAHH5uOrnSKrdxpsTJSVQdKuNFUG0zawmYEMC+mBcgolDRRPgos+1DRcGVbt 8OR7K2cbYhw9xNUlnK923W3a0NrR22/nPvDcSJIwRNR1UWxGcAvdVBuVaWpi/l6mInZM /1jJ3yoc/D5iEruarmpRwi11603seF8CDdGnxxze24dNIFsaJQjWanZWB/tjD6UH7ecF beS2JAFHRXGR3e68vPTfHuaBgNs+m5xf0AIdA0lbHMNsKc7w/7fSc2sA++hja/muS41e N3tg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=Q4pC85WwqKFUpMzuKDneAQrFus0F0m0EKOionKwJQcY=; b=DZOCImnignSulTcvY01Z6EHpH7g8vEy3x31FwxWzE7LVYGddcBypc5WWcTry47EhgB JRucCfwAY4UVsFWGI9Pwjsidxm/6xbUMr3NN619H+rOqG7mdd+BNXO8D0UYN0cIrxErV rtzkbfRrRSvqyPYXjs61brxidA+GwnkIxgj5JUjZS05Sk4j7S6gm5lb8Yh9TuOot6hKo hiH9r+LMl6uvwE/unNDsPNZg+Jkg8M0RN03FFbKwoDfJU9b5g+a81smjiu8+9oq0tpZ4 s+7H5itUvQRFY7Z7OvQ2T81rBDOnQfUB7UshCYrunc6L5irxeTR2+6FnRjcNmoD9FpsL v87w== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=LgEs04bO; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id c23si21593966pgl.62.2021.09.27.10.15.43; Mon, 27 Sep 2021 10:15:56 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=LgEs04bO; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S237008AbhI0RQg (ORCPT + 99 others); Mon, 27 Sep 2021 13:16:36 -0400 Received: from mail.kernel.org ([198.145.29.99]:53906 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S236324AbhI0RLn (ORCPT ); Mon, 27 Sep 2021 13:11:43 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id CA6BA61205; Mon, 27 Sep 2021 17:08:21 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1632762502; bh=+IVlsfsqQGtAQEzOZrYN1MEkm3qMZKeYc6Xdqh4kBhw=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=LgEs04bOX7zJHXDHAML617sW5jFaHlHKuKDczrLfgo0WVWn/UYYZAI6e7ZzwI/7qg PFVgBvWkD8rXOG9HUDF1RqAb+8Df4iQeheMtAUlCU/X9oGaKNyoJ7tpjoh4eq70uKN K4UQl5OeTBRqd2pdEhVUvWKUfTelHbIoFHBsfZag= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Stefan Raspl , Julian Wiedmann , Alexandra Winter , Jakub Kicinski , Sasha Levin , Heiko Carstens Subject: [PATCH 5.10 047/103] s390/qeth: fix NULL deref in qeth_clear_working_pool_list() Date: Mon, 27 Sep 2021 19:02:19 +0200 Message-Id: <20210927170227.382896885@linuxfoundation.org> X-Mailer: git-send-email 2.33.0 In-Reply-To: <20210927170225.702078779@linuxfoundation.org> References: <20210927170225.702078779@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Julian Wiedmann [ Upstream commit 248f064af222a1f97ee02c84a98013dfbccad386 ] When qeth_set_online() calls qeth_clear_working_pool_list() to roll back after an error exit from qeth_hardsetup_card(), we are at risk of accessing card->qdio.in_q before it was allocated by qeth_alloc_qdio_queues() via qeth_mpc_initialize(). qeth_clear_working_pool_list() then dereferences NULL, and by writing to queue->bufs[i].pool_entry scribbles all over the CPU's lowcore. Resulting in a crash when those lowcore areas are used next (eg. on the next machine-check interrupt). Such a scenario would typically happen when the device is first set online and its queues aren't allocated yet. An early IO error or certain misconfigs (eg. mismatched transport mode, bad portno) then cause us to error out from qeth_hardsetup_card() with card->qdio.in_q still being NULL. Fix it by checking the pointer for NULL before accessing it. Note that we also have (rare) paths inside qeth_mpc_initialize() where a configuration change can cause us to free the existing queues, expecting that subsequent code will allocate them again. If we then error out before that re-allocation happens, the same bug occurs. Fixes: eff73e16ee11 ("s390/qeth: tolerate pre-filled RX buffer") Reported-by: Stefan Raspl Root-caused-by: Heiko Carstens Signed-off-by: Julian Wiedmann Reviewed-by: Alexandra Winter Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin --- drivers/s390/net/qeth_core_main.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/s390/net/qeth_core_main.c b/drivers/s390/net/qeth_core_main.c index 4d51c4ace8ea..7b0155b0e99e 100644 --- a/drivers/s390/net/qeth_core_main.c +++ b/drivers/s390/net/qeth_core_main.c @@ -210,6 +210,9 @@ static void qeth_clear_working_pool_list(struct qeth_card *card) &card->qdio.in_buf_pool.entry_list, list) list_del(&pool_entry->list); + if (!queue) + return; + for (i = 0; i < ARRAY_SIZE(queue->bufs); i++) queue->bufs[i].pool_entry = NULL; } -- 2.33.0