diff options
| author | Jakub Kicinski <kuba@kernel.org> | 2020-11-24 16:28:38 -0800 |
|---|---|---|
| committer | Jakub Kicinski <kuba@kernel.org> | 2020-11-24 16:28:38 -0800 |
| commit | 49d66ed819629b2f82ff963420746015f241dfcb (patch) | |
| tree | d9ca6e0060d3280d3020aaa94fd57fc137d51617 | |
| parent | 5fc145f1558274726e4ce85d5b0418ebfb5bf837 (diff) | |
| parent | 3ada288150fb17ab3fcce2cf5fce20461f86b2ee (diff) | |
| download | linux-49d66ed819629b2f82ff963420746015f241dfcb.tar.gz | |
Merge branch 'ibmvnic-null-pointer-dereference'
Lijun Pan says:
====================
ibmvnic: null pointer dereference
Fix two NULL pointer dereference crash issues.
Improve module removal procedure.
====================
Link: https://lore.kernel.org/r/20201123193547.57225-1-ljp@linux.ibm.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
| -rw-r--r-- | drivers/net/ethernet/ibm/ibmvnic.c | 9 | ||||
| -rw-r--r-- | drivers/net/ethernet/ibm/ibmvnic.h | 3 |
2 files changed, 8 insertions, 4 deletions
diff --git a/drivers/net/ethernet/ibm/ibmvnic.c b/drivers/net/ethernet/ibm/ibmvnic.c index 2aa40b2f225c..2491ebc97871 100644 --- a/drivers/net/ethernet/ibm/ibmvnic.c +++ b/drivers/net/ethernet/ibm/ibmvnic.c @@ -2215,7 +2215,6 @@ static void __ibmvnic_reset(struct work_struct *work) if (!saved_state) { reset_state = adapter->state; - adapter->state = VNIC_RESETTING; saved_state = true; } spin_unlock_irqrestore(&adapter->state_lock, flags); @@ -2880,6 +2879,9 @@ static int reset_sub_crq_queues(struct ibmvnic_adapter *adapter) { int i, rc; + if (!adapter->tx_scrq || !adapter->rx_scrq) + return -EINVAL; + for (i = 0; i < adapter->req_tx_queues; i++) { netdev_dbg(adapter->netdev, "Re-setting tx_scrq[%d]\n", i); rc = reset_one_sub_crq_queue(adapter, adapter->tx_scrq[i]); @@ -4970,6 +4972,9 @@ static int ibmvnic_reset_crq(struct ibmvnic_adapter *adapter) } while (rc == H_BUSY || H_IS_LONG_BUSY(rc)); /* Clean out the queue */ + if (!crq->msgs) + return -EINVAL; + memset(crq->msgs, 0, PAGE_SIZE); crq->cur = 0; crq->active = false; @@ -5274,7 +5279,7 @@ static int ibmvnic_remove(struct vio_dev *dev) unsigned long flags; spin_lock_irqsave(&adapter->state_lock, flags); - if (adapter->state == VNIC_RESETTING) { + if (test_bit(0, &adapter->resetting)) { spin_unlock_irqrestore(&adapter->state_lock, flags); return -EBUSY; } diff --git a/drivers/net/ethernet/ibm/ibmvnic.h b/drivers/net/ethernet/ibm/ibmvnic.h index 217dcc7ded70..47a3fd71c96f 100644 --- a/drivers/net/ethernet/ibm/ibmvnic.h +++ b/drivers/net/ethernet/ibm/ibmvnic.h @@ -942,8 +942,7 @@ enum vnic_state {VNIC_PROBING = 1, VNIC_CLOSING, VNIC_CLOSED, VNIC_REMOVING, - VNIC_REMOVED, - VNIC_RESETTING}; + VNIC_REMOVED}; enum ibmvnic_reset_reason {VNIC_RESET_FAILOVER = 1, VNIC_RESET_MOBILITY, |