]> git.itanic.dy.fi Git - linux-stable/commitdiff
projects / linux-stable / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: c46f2e0)
ionic: catch NULL pointer issue on reconfig
authorBrett Creeley <brett@pensando.io>
Mon, 17 Oct 2022 23:31:23 +0000 (16:31 -0700)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 29 Oct 2022 08:08:34 +0000 (10:08 +0200)
[ Upstream commit aa1d7e1267c12e07d979aa34c613716a89029db2 ]

It's possible that the driver will dereference a qcq that doesn't exist
when calling ionic_reconfigure_queues(), which causes a page fault BUG.

If a reduction in the number of queues is followed by a different
reconfig such as changing the ring size, the driver can hit a NULL
pointer when trying to clean up non-existent queues.

Fix this by checking to make sure both the qcqs array and qcq entry
exists bofore trying to use and free the entry.

Fixes: 101b40a0171f ("ionic: change queue count with no reset")
Signed-off-by: Brett Creeley <brett@pensando.io>
Signed-off-by: Shannon Nelson <snelson@pensando.io>
Link: https://lore.kernel.org/r/20221017233123.15869-1-snelson@pensando.io
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
drivers/net/ethernet/pensando/ionic/ionic_lif.c patch | blob | history

diff --git a/drivers/net/ethernet/pensando/ionic/ionic_lif.c b/drivers/net/ethernet/pensando/ionic/ionic_lif.c
index 0be79c51678133c7b98668d1670cfeeb54bafb85..6ae6d79193a3cfa67ea1a6aedef6b351fa517b59 100644 (file)
--- a/drivers/net/ethernet/pensando/ionic/ionic_lif.c
+++ b/drivers/net/ethernet/pensando/ionic/ionic_lif.c
@@ -2820,11 +2820,15 @@ int ionic_reconfigure_queues(struct ionic_lif *lif,
         * than the full array, but leave the qcq shells in place
         */
        for (i = lif->nxqs; i < lif->ionic->ntxqs_per_lif; i++) {
-               lif->txqcqs[i]->flags &= ~IONIC_QCQ_F_INTR;
-               ionic_qcq_free(lif, lif->txqcqs[i]);
+               if (lif->txqcqs && lif->txqcqs[i]) {
+                       lif->txqcqs[i]->flags &= ~IONIC_QCQ_F_INTR;
+                       ionic_qcq_free(lif, lif->txqcqs[i]);
+               }
 
-               lif->rxqcqs[i]->flags &= ~IONIC_QCQ_F_INTR;
-               ionic_qcq_free(lif, lif->rxqcqs[i]);
+               if (lif->rxqcqs && lif->rxqcqs[i]) {
+                       lif->rxqcqs[i]->flags &= ~IONIC_QCQ_F_INTR;
+                       ionic_qcq_free(lif, lif->rxqcqs[i]);
+               }
        }
 
        if (err)
Unnamed repository; edit this file 'description' to name the repository.