[net,v2,3/9] ibmvnic: avoid memset null scrq msgs

Message ID	20201123235757.6466-4-drt@linux.ibm.com (mailing list archive)
State	Superseded
Delegated to:	Netdev Maintainers
Headers	show Return-Path: <netdev-owner@kernel.org> From: Dany Madden <drt@linux.ibm.com> To: netdev@vger.kernel.org Cc: drt@linux.ibm.com, sukadev@linux.ibm.com, ljp@linux.ibm.com Subject: [PATCH net v2 3/9] ibmvnic: avoid memset null scrq msgs Date: Mon, 23 Nov 2020 18:57:51 -0500 Message-Id: <20201123235757.6466-4-drt@linux.ibm.com> In-Reply-To: <20201123235757.6466-1-drt@linux.ibm.com> References: <20201123235757.6466-1-drt@linux.ibm.com> Precedence: bulk
Series	ibmvnic: assorted bug fixes \| expand [net,v2,0/9] ibmvnic: assorted bug fixes [net,v2,1/9] ibmvnic: handle inconsistent login with reset [net,v2,2/9] ibmvnic: stop free_all_rwi on failed reset [net,v2,3/9] ibmvnic: avoid memset null scrq msgs [net,v2,4/9] ibmvnic: restore adapter state on failed reset [net,v2,5/9] ibmvnic: delay next reset if hard reset fails [net,v2,6/9] ibmvnic: track pending login [net,v2,7/9] ibmvnic: send_login should check for crq errors [net,v2,8/9] ibmvnic: no reset timeout for 5 seconds after reset [net,v2,9/9] ibmvnic: reduce wait for completion time

Message ID

20201123235757.6466-4-drt@linux.ibm.com (mailing list archive)

State

Superseded

Delegated to:

Netdev Maintainers

Headers

From: Dany Madden <drt@linux.ibm.com>
To: netdev@vger.kernel.org
Cc: drt@linux.ibm.com, sukadev@linux.ibm.com, ljp@linux.ibm.com
Subject: [PATCH net v2 3/9] ibmvnic: avoid memset null scrq msgs
Date: Mon, 23 Nov 2020 18:57:51 -0500
Message-Id: <20201123235757.6466-4-drt@linux.ibm.com>
In-Reply-To: <20201123235757.6466-1-drt@linux.ibm.com>
References: <20201123235757.6466-1-drt@linux.ibm.com>
Precedence: bulk

Series

ibmvnic: assorted bug fixes | expand

Checks

Context	Check	Description
netdev/cover_letter	success	Link
netdev/fixes_present	success	Link
netdev/patch_count	success	Link
netdev/tree_selection	success	Clearly marked for net
netdev/subject_prefix	success	Link
netdev/source_inline	success	Was 0 now: 0
netdev/verify_signedoff	success	Link
netdev/module_param	success	Was 0 now: 0
netdev/build_32bit	success	Errors and warnings before: 0 this patch: 0
netdev/kdoc	success	Errors and warnings before: 18 this patch: 18
netdev/verify_fixes	fail	Link
netdev/checkpatch	success	total: 0 errors, 0 warnings, 0 checks, 30 lines checked
netdev/build_allmodconfig_warn	success	Errors and warnings before: 0 this patch: 0
netdev/header_inline	success	Link
netdev/stable	success	Stable not CCed

Context

Check

Description

netdev/cover_letter

success

Link

netdev/fixes_present

success

Link

netdev/patch_count

success

Link

netdev/tree_selection

success

Clearly marked for net

netdev/subject_prefix

success

Link

netdev/source_inline

success

Was 0 now: 0

netdev/verify_signedoff

success

Link

netdev/module_param

success

Was 0 now: 0

netdev/build_32bit

success

Errors and warnings before: 0 this patch: 0

netdev/kdoc

success

Errors and warnings before: 18 this patch: 18

netdev/verify_fixes

fail

Link

netdev/checkpatch

success

total: 0 errors, 0 warnings, 0 checks, 30 lines checked

netdev/build_allmodconfig_warn

success

Errors and warnings before: 0 this patch: 0

netdev/header_inline

success

Link

netdev/stable

success

Stable not CCed

Commit Message

Dany Madden Nov. 23, 2020, 11:57 p.m. UTC

scrq->msgs could be NULL during device reset, causing Linux to crash.
So, check before memset scrq->msgs.

Fixes: c8b2ad0a4a901 ("ibmvnic: Sanitize entire SCRQ buffer on reset")

Signed-off-by: Dany Madden <drt@linux.ibm.com>
Signed-off-by: Lijun Pan <ljp@linux.ibm.com>
---
 drivers/net/ethernet/ibm/ibmvnic.c | 18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)

Comments

Jakub Kicinski Nov. 25, 2020, 8:52 p.m. UTC | #1

On Mon, 23 Nov 2020 18:57:51 -0500 Dany Madden wrote:
> scrq->msgs could be NULL during device reset, causing Linux to crash.
> So, check before memset scrq->msgs.
> 
> Fixes: c8b2ad0a4a901 ("ibmvnic: Sanitize entire SCRQ buffer on reset")
> 
> Signed-off-by: Dany Madden <drt@linux.ibm.com>

Thanks for the Fixes tags! Please remove the empty lines between the
Fixes tags and sign-offs, and make sure the Fixes lines are not wrapped
(e.g. in patch 9).

> Signed-off-by: Lijun Pan <ljp@linux.ibm.com>

> diff --git a/drivers/net/ethernet/ibm/ibmvnic.c b/drivers/net/ethernet/ibm/ibmvnic.c
> index d5a927bb4954..e84255c2fc72 100644
> --- a/drivers/net/ethernet/ibm/ibmvnic.c
> +++ b/drivers/net/ethernet/ibm/ibmvnic.c
> @@ -2844,16 +2844,26 @@ static int reset_one_sub_crq_queue(struct ibmvnic_adapter *adapter,
>  				   struct ibmvnic_sub_crq_queue *scrq)
>  {
>  	int rc;
> +	if (!scrq) {

Looks like a missing new line between variable declaration and code.

Not sure why checkpatch doesn't catch this.

diff --git a/drivers/net/ethernet/ibm/ibmvnic.c b/drivers/net/ethernet/ibm/ibmvnic.c
index d5a927bb4954..e84255c2fc72 100644
--- a/drivers/net/ethernet/ibm/ibmvnic.c
+++ b/drivers/net/ethernet/ibm/ibmvnic.c
@@ -2844,16 +2844,26 @@  static int reset_one_sub_crq_queue(struct ibmvnic_adapter *adapter,
 				   struct ibmvnic_sub_crq_queue *scrq)
 {
 	int rc;
+	if (!scrq) {
+		netdev_dbg(adapter->netdev,
+			   "Invalid scrq reset. irq (%d) or msgs (%p).\n",
+			   scrq->irq, scrq->msgs);
+		return -EINVAL;
+	}
 
 	if (scrq->irq) {
 		free_irq(scrq->irq, scrq);
 		irq_dispose_mapping(scrq->irq);
 		scrq->irq = 0;
 	}
-
-	memset(scrq->msgs, 0, 4 * PAGE_SIZE);
-	atomic_set(&scrq->used, 0);
-	scrq->cur = 0;
+	if (scrq->msgs) {
+		memset(scrq->msgs, 0, 4 * PAGE_SIZE);
+		atomic_set(&scrq->used, 0);
+		scrq->cur = 0;
+	} else {
+		netdev_dbg(adapter->netdev, "Invalid scrq reset\n");
+		return -EINVAL;
+	}
 
 	rc = h_reg_sub_crq(adapter->vdev->unit_address, scrq->msg_token,
 			   4 * PAGE_SIZE, &scrq->crq_num, &scrq->hw_irq);