netdev.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Jakub Kicinski <kuba@kernel.org>
To: Lijun Pan <ljp@linux.ibm.com>
Cc: netdev@vger.kernel.org, sukadev@linux.ibm.com, drt@linux.ibm.com
Subject: Re: [PATCH net 12/15] ibmvnic: fix NULL pointer dereference in reset_sub_crq_queues
Date: Sat, 21 Nov 2020 15:44:20 -0800	[thread overview]
Message-ID: <20201121154420.4e9e8f0b@kicinski-fedora-pc1c0hjn.dhcp.thefacebook.com> (raw)
In-Reply-To: <20201120224049.46933-13-ljp@linux.ibm.com>

On Fri, 20 Nov 2020 16:40:46 -0600 Lijun Pan wrote:
> adapter->tx_scrq and adapter->rx_scrq could be NULL if the previous reset
> did not complete after freeing sub crqs. Check for NULL before
> dereferencing them.

> diff --git a/drivers/net/ethernet/ibm/ibmvnic.c b/drivers/net/ethernet/ibm/ibmvnic.c
> index 47446e5f8ec5..a0dbd963a1ab 100644
> --- a/drivers/net/ethernet/ibm/ibmvnic.c
> +++ b/drivers/net/ethernet/ibm/ibmvnic.c
> @@ -2930,6 +2930,13 @@ static int reset_sub_crq_queues(struct ibmvnic_adapter *adapter)
>  {
>  	int i, rc;
>  
> +	if (!adapter->tx_scrq || !adapter->rx_scrq) {
> +		netdev_err(adapter->netdev,
> +			   "tx_scrq (%p) or rx_scrq (%p) does not exist\n",
> +			   adapter->tx_scrq, adapter->rx_scrq);

This is expected to happen for the condition you describe in the commit
message. Either prevent it from happening or silently ignore.

What's the impact to the user when this happens? Why would they want to
know that some pointer is NULL? Presumably there is already a message
printed when reset does not complete or such?

> +		return -EINVAL;
> +	}
> +
>  	for (i = 0; i < adapter->req_tx_queues; i++) {
>  		netdev_dbg(adapter->netdev, "Re-setting tx_scrq[%d]\n", i);
>  		rc = reset_one_sub_crq_queue(adapter, adapter->tx_scrq[i]);


  reply	other threads:[~2020-11-21 23:44 UTC|newest]

Thread overview: 28+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-11-20 22:40 [PATCH net 00/15] ibmvnic: assorted bug fixes Lijun Pan
2020-11-20 22:40 ` [PATCH net 01/15] ibmvnic: handle inconsistent login with reset Lijun Pan
2020-11-21 23:36   ` Jakub Kicinski
2020-11-20 22:40 ` [PATCH net 02/15] ibmvnic: process HMC disable command Lijun Pan
2020-11-21 23:36   ` Jakub Kicinski
2020-11-21 23:38     ` Jakub Kicinski
2020-11-22 15:12     ` drt
2020-11-23 19:43       ` Jakub Kicinski
2020-11-23 21:46         ` drt
2020-11-20 22:40 ` [PATCH net 03/15] ibmvnic: stop free_all_rwi on failed reset Lijun Pan
2020-11-20 22:40 ` [PATCH net 04/15] ibmvnic: remove free_all_rwi function Lijun Pan
2020-11-21 23:39   ` Jakub Kicinski
2020-11-20 22:40 ` [PATCH net 05/15] ibmvnic: avoid memset null scrq msgs Lijun Pan
2020-11-20 22:40 ` [PATCH net 06/15] ibmvnic: restore adapter state on failed reset Lijun Pan
2020-11-20 22:40 ` [PATCH net 07/15] ibmvnic: delay next reset if hard reset failed Lijun Pan
2020-11-20 22:40 ` [PATCH net 08/15] ibmvnic: track pending login Lijun Pan
2020-11-20 22:40 ` [PATCH net 09/15] ibmvnic: send_login should check for crq errors Lijun Pan
2020-11-20 22:40 ` [PATCH net 10/15] ibmvnic: no reset timeout for 5 seconds after reset Lijun Pan
2020-11-20 23:01   ` drt
2020-11-20 22:40 ` [PATCH net 11/15] ibmvnic: reduce wait for completion time Lijun Pan
2020-11-20 22:40 ` [PATCH net 12/15] ibmvnic: fix NULL pointer dereference in reset_sub_crq_queues Lijun Pan
2020-11-21 23:44   ` Jakub Kicinski [this message]
2020-11-20 22:40 ` [PATCH net 13/15] ibmvnic: fix NULL pointer dereference in ibmvic_reset_crq Lijun Pan
2020-11-20 22:40 ` [PATCH net 14/15] ibmvnic: enhance resetting status check during module exit Lijun Pan
2020-11-20 22:40 ` [PATCH net 15/15] ibmvnic: add some debugs Lijun Pan
2020-11-21 23:45   ` Jakub Kicinski
2020-11-23 19:48     ` Sukadev Bhattiprolu
2020-11-23 19:38 ` [PATCH net 00/15] ibmvnic: assorted bug fixes ljp

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20201121154420.4e9e8f0b@kicinski-fedora-pc1c0hjn.dhcp.thefacebook.com \
    --to=kuba@kernel.org \
    --cc=drt@linux.ibm.com \
    --cc=ljp@linux.ibm.com \
    --cc=netdev@vger.kernel.org \
    --cc=sukadev@linux.ibm.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).