Message ID | 20170317233007.16768-1-shiraz.saleem@intel.com (mailing list archive) |
---|---|
State | Accepted |
On Fri, Mar 17, 2017 at 06:30:07PM -0500, Shiraz Saleem wrote: > Netdev notification events are de-registered only when all > client iwdev instances are removed. If a single client is closed > and re-opened, netdev events could arrive even before the Control > Queue-Pair (CQP) is created, causing a NULL pointer dereference crash > in i40iw_get_cqp_request. Fix this by allowing netdev event > notification only after we have reached the INET_NOTIFIER state with > respect to device initialization. > > Reported-by: Stefan Assmann <sassmann@redhat.com> > Signed-off-by: Shiraz Saleem <shiraz.saleem@intel.com> > --- > drivers/infiniband/hw/i40iw/i40iw_utils.c | 8 ++++++++ > 1 file changed, 8 insertions(+) > > diff --git a/drivers/infiniband/hw/i40iw/i40iw_utils.c b/drivers/infiniband/hw/i40iw/i40iw_utils.c > index d5f5de2..23df3ab 100644 > --- a/drivers/infiniband/hw/i40iw/i40iw_utils.c > +++ b/drivers/infiniband/hw/i40iw/i40iw_utils.c > @@ -159,6 +159,9 @@ int i40iw_inetaddr_event(struct notifier_block *notifier, > return NOTIFY_DONE; > > iwdev = &hdl->device; > + if (iwdev->init_state < INET_NOTIFIER) > + return NOTIFY_DONE; > + > netdev = iwdev->ldev->netdev; > upper_dev = netdev_master_upper_dev_get(netdev); > if (netdev != event_netdev) > @@ -231,6 +234,9 @@ int i40iw_inet6addr_event(struct notifier_block *notifier, > return NOTIFY_DONE; > > iwdev = &hdl->device; > + if (iwdev->init_state < INET_NOTIFIER) > + return NOTIFY_DONE; > + > netdev = iwdev->ldev->netdev; > if (netdev != event_netdev) > return NOTIFY_DONE; 
> @@ -280,6 +286,8 @@ int i40iw_net_event(struct notifier_block *notifier, unsigned long event, void * > if (!iwhdl) > return NOTIFY_DONE; > iwdev = &iwhdl->device; > + if (iwdev->init_state < INET_NOTIFIER) > + return NOTIFY_DONE; > p = (__be32 *)neigh->primary_key; > i40iw_copy_ip_ntohl(local_ipaddr, p); > if (neigh->nud_state & NUD_VALID) { > -- > 2.8.3
Reviewed-by: Yuval Shaia <yuval.shaia@oracle.com>
On Fri, 2017-03-17 at 18:30 -0500, Shiraz Saleem wrote:
> Netdev notification events are de-registered only when all
> client iwdev instances are removed. If a single client is closed
> and re-opened, netdev events could arrive even before the Control
> Queue-Pair (CQP) is created, causing a NULL pointer dereference crash
> in i40iw_get_cqp_request. Fix this by allowing netdev event
> notification only after we have reached the INET_NOTIFIER state with
> respect to device initialization.
>
> Reported-by: Stefan Assmann <sassmann@redhat.com>
> Signed-off-by: Shiraz Saleem <shiraz.saleem@intel.com>

Thanks, applied for -rc4.
diff --git a/drivers/infiniband/hw/i40iw/i40iw_utils.c b/drivers/infiniband/hw/i40iw/i40iw_utils.c index d5f5de2..23df3ab 100644 --- a/drivers/infiniband/hw/i40iw/i40iw_utils.c +++ b/drivers/infiniband/hw/i40iw/i40iw_utils.c @@ -159,6 +159,9 @@ int i40iw_inetaddr_event(struct notifier_block *notifier, return NOTIFY_DONE; iwdev = &hdl->device; + if (iwdev->init_state < INET_NOTIFIER) + return NOTIFY_DONE; + netdev = iwdev->ldev->netdev; upper_dev = netdev_master_upper_dev_get(netdev); if (netdev != event_netdev) @@ -231,6 +234,9 @@ int i40iw_inet6addr_event(struct notifier_block *notifier, return NOTIFY_DONE; iwdev = &hdl->device; + if (iwdev->init_state < INET_NOTIFIER) + return NOTIFY_DONE; + netdev = iwdev->ldev->netdev; if (netdev != event_netdev) return NOTIFY_DONE; @@ -280,6 +286,8 @@ int i40iw_net_event(struct notifier_block *notifier, unsigned long event, void * if (!iwhdl) return NOTIFY_DONE; iwdev = &iwhdl->device; + if (iwdev->init_state < INET_NOTIFIER) + return NOTIFY_DONE; p = (__be32 *)neigh->primary_key; i40iw_copy_ip_ntohl(local_ipaddr, p); if (neigh->nud_state & NUD_VALID) {
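Review bot: In the i40iw_inetaddr_event hunk, the new guard reads `iwdev->init_state` with a plain load, and nothing in the surrounding context lines shows a lock or barrier, so the check by itself does not order the notifier against the code that creates the CQP and advances init_state. If the state is written from the open/close path on another CPU, please either document what serializes the two, or read it with READ_ONCE() and publish INET_NOTIFIER with a release store, so a handler that observes the state also observes the initialised CQP. The placement ahead of `netdev = iwdev->ldev->netdev;` is right, since that line already dereferences device state.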
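Review bot: The guard in the i40iw_inet6addr_event hunk returns NOTIFY_DONE and so silently drops any address event that arrives before INET_NOTIFIER is reached; the patch does not show whether the init path re-reads the interface addresses once it gets to that state. Please confirm that an IPv6 address added during a close and re-open window is still picked up afterwards, and add a one-line comment above the check saying why early events are ignored. The same two lines now appear in three handlers, so a small helper would keep them from drifting apart.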
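Review bot: In the i40iw_net_event hunk the guard sits directly against `p = (__be32 *)neigh->primary_key;` with no blank line, while the other two hunks follow it with one; add the blank line for consistency. The comparison `iwdev->init_state < INET_NOTIFIER` also depends on the numeric order of the init_state values, so a comment where those values are defined, noting that the notifier handlers rely on that order, would protect the check against a later reordering.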
Netdev notification events are de-registered only when all client iwdev instances are removed. If a single client is closed and re-opened, netdev events could arrive even before the Control Queue-Pair (CQP) is created, causing a NULL pointer dereference crash in i40iw_get_cqp_request. Fix this by allowing netdev event notification only after we have reached the INET_NOTIFIER state with respect to device initialization.

Reported-by: Stefan Assmann <sassmann@redhat.com>
Signed-off-by: Shiraz Saleem <shiraz.saleem@intel.com>
---
 drivers/infiniband/hw/i40iw/i40iw_utils.c | 8 ++++++++
 1 file changed, 8 insertions(+)