Home Home > GIT Browse
summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDenis Kirjanov <dkirjanov@suse.com>2019-03-20 14:58:53 +0100
committerDenis Kirjanov <dkirjanov@suse.com>2019-03-21 09:58:54 +0100
commitf02276aa24db0bf171c5accdae7e463b60b1ef6d (patch)
tree8384d44366be854921619ae9815fecdaa9015757
parent69b065ba3ef3f7e78bb3bad4db75b7c5d067e5ca (diff)
net: thunderx: fix NULL pointer dereference in nic_remove (git-fixes).
-rw-r--r--patches.fixes/0001-net-thunderx-fix-NULL-pointer-dereference-in-nic_rem.patch76
-rw-r--r--series.conf1
2 files changed, 77 insertions, 0 deletions
diff --git a/patches.fixes/0001-net-thunderx-fix-NULL-pointer-dereference-in-nic_rem.patch b/patches.fixes/0001-net-thunderx-fix-NULL-pointer-dereference-in-nic_rem.patch
new file mode 100644
index 0000000000..0d1d3fb08f
--- /dev/null
+++ b/patches.fixes/0001-net-thunderx-fix-NULL-pointer-dereference-in-nic_rem.patch
@@ -0,0 +1,76 @@
+From: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
+Subject: net: thunderx: fix NULL pointer dereference in nic_remove
+Patch-mainline: v4.20-rc5
+Git-commit: 24a6d2dd263bc910de018c78d1148b3e33b94512
+References: git-fixes
+
+Fix a possible NULL pointer dereference in nic_remove routine
+removing the nicpf module if nic_probe fails.
+The issue can be triggered with the following reproducer:
+
+$rmmod nicvf
+$rmmod nicpf
+
+[ 521.412008] Unable to handle kernel access to user memory outside uaccess routines at virtual address 0000000000000014
+[ 521.422777] Mem abort info:
+[ 521.425561] ESR = 0x96000004
+[ 521.428624] Exception class = DABT (current EL), IL = 32 bits
+[ 521.434535] SET = 0, FnV = 0
+[ 521.437579] EA = 0, S1PTW = 0
+[ 521.440730] Data abort info:
+[ 521.443603] ISV = 0, ISS = 0x00000004
+[ 521.447431] CM = 0, WnR = 0
+[ 521.450417] user pgtable: 4k pages, 48-bit VAs, pgdp = 0000000072a3da42
+[ 521.457022] [0000000000000014] pgd=0000000000000000
+[ 521.461916] Internal error: Oops: 96000004 [#1] SMP
+[ 521.511801] Hardware name: GIGABYTE H270-T70/MT70-HD0, BIOS T49 02/02/2018
+[ 521.518664] pstate: 80400005 (Nzcv daif +PAN -UAO)
+[ 521.523451] pc : nic_remove+0x24/0x88 [nicpf]
+[ 521.527808] lr : pci_device_remove+0x48/0xd8
+[ 521.532066] sp : ffff000013433cc0
+[ 521.535370] x29: ffff000013433cc0 x28: ffff810f6ac50000
+[ 521.540672] x27: 0000000000000000 x26: 0000000000000000
+[ 521.545974] x25: 0000000056000000 x24: 0000000000000015
+[ 521.551274] x23: ffff8007ff89a110 x22: ffff000001667070
+[ 521.556576] x21: ffff8007ffb170b0 x20: ffff8007ffb17000
+[ 521.561877] x19: 0000000000000000 x18: 0000000000000025
+[ 521.567178] x17: 0000000000000000 x16: 000000000000010ffc33ff98 x8 : 0000000000000000
+[ 521.593683] x7 : 0000000000000000 x6 : 0000000000000001
+[ 521.598983] x5 : 0000000000000002 x4 : 0000000000000003
+[ 521.604284] x3 : ffff8007ffb17184 x2 : ffff8007ffb17184
+[ 521.609585] x1 : ffff000001662118 x0 : ffff000008557be0
+[ 521.614887] Process rmmod (pid: 1897, stack limit = 0x00000000859535c3)
+[ 521.621490] Call trace:
+[ 521.623928] nic_remove+0x24/0x88 [nicpf]
+[ 521.627927] pci_device_remove+0x48/0xd8
+[ 521.631847] device_release_driver_internal+0x1b0/0x248
+[ 521.637062] driver_detach+0x50/0xc0
+[ 521.640628] bus_remove_driver+0x60/0x100
+[ 521.644627] driver_unregister+0x34/0x60
+[ 521.648538] pci_unregister_driver+0x24/0xd8
+[ 521.652798] nic_cleanup_module+0x14/0x111c [nicpf]
+[ 521.657672] __arm64_sys_delete_module+0x150/0x218
+[ 521.662460] el0_svc_handler+0x94/0x110
+[ 521.666287] el0_svc+0x8/0xc
+[ 521.669160] Code: aa1e03e0 9102c295 d503201f f9404eb3 (b9401660)
+
+Fixes: 4863dea3fab0 ("net: Adding support for Cavium ThunderX network controller")
+Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ drivers/net/ethernet/cavium/thunder/nic_main.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/net/ethernet/cavium/thunder/nic_main.c
++++ b/drivers/net/ethernet/cavium/thunder/nic_main.c
+@@ -1441,6 +1441,9 @@ static void nic_remove(struct pci_dev *p
+ {
+ struct nicpf *nic = pci_get_drvdata(pdev);
+
++ if (!nic)
++ return;
++
+ if (nic->flags & NIC_SRIOV_ENABLED)
+ pci_disable_sriov(pdev);
+
diff --git a/series.conf b/series.conf
index 205d7f8a8f..9d89764d8c 100644
--- a/series.conf
+++ b/series.conf
@@ -19799,6 +19799,7 @@
patches.suse/0003-Btrfs-send-fix-infinite-loop-due-to-directory-rename.patch
patches.fixes/bpf-fix-check-of-allowed-specifiers-in-bpf_trace_pri.patch
patches.suse/usbnet-ipheth-fix-potential-recvmsg-bug-and-recvmsg-.patch
+ patches.fixes/0001-net-thunderx-fix-NULL-pointer-dereference-in-nic_rem.patch
patches.suse/rapidio-rionet-do-not-free-skb-before-reading-its-le.patch
patches.arch/s390-sles15-17-03-s390-qeth-fix-length-check-in-SNMP-processing.patch
patches.fixes/ixgbe-recognize-1000BaseLX-SFP-modules-as-1Gbps.patch