diff options
| author |   Selvin Xavier <selvin.xavier@broadcom.com> | 2018-11-21 00:05:01 -0800 |
|---|---|---|
| committer |   Jason Gunthorpe <jgg@mellanox.com> | 2018-11-21 14:12:21 -0700 |
| commit | a6c66d6a08b88cc10aca9d3f65cfae31e7652a99 (patch) | |
| tree | 9b1060384692c4183f056a6f741a741d4aeb3045 /drivers/infiniband/hw/bnxt_re/main.c | |
| parent | RDMA/bnxt_re: Fix system hang when registration with L2 driver fails (diff) | |
| download | linux-dev-a6c66d6a08b88cc10aca9d3f65cfae31e7652a99.tar.xz linux-dev-a6c66d6a08b88cc10aca9d3f65cfae31e7652a99.zip | |
RDMA/bnxt_re: Avoid accessing the device structure after it is freed
When bnxt_re_ib_reg returns failure, the device structure gets
freed. Driver tries to access the device pointer
after it is freed.
[ 4871.034744] Failed to register with netedev: 0xffffffa1
[ 4871.034765] infiniband (null): Failed to register with IB: 0xffffffea
[ 4871.046430] ==================================================================
[ 4871.046437] BUG: KASAN: use-after-free in bnxt_re_task+0x63/0x180 [bnxt_re]
[ 4871.046439] Write of size 4 at addr ffff880fa8406f48 by task kworker/u48:2/17813
[ 4871.046443] CPU: 20 PID: 17813 Comm: kworker/u48:2 Kdump: loaded Tainted: G B OE 4.20.0-rc1+ #42
[ 4871.046444] Hardware name: Dell Inc. PowerEdge R730/0599V5, BIOS 1.0.4 08/28/2014
[ 4871.046447] Workqueue: bnxt_re bnxt_re_task [bnxt_re]
[ 4871.046449] Call Trace:
[ 4871.046454] dump_stack+0x91/0xeb
[ 4871.046458] print_address_description+0x6a/0x2a0
[ 4871.046461] kasan_report+0x176/0x2d0
[ 4871.046463] ? bnxt_re_task+0x63/0x180 [bnxt_re]
[ 4871.046466] bnxt_re_task+0x63/0x180 [bnxt_re]
[ 4871.046470] process_one_work+0x216/0x5b0
[ 4871.046471] ? process_one_work+0x189/0x5b0
[ 4871.046475] worker_thread+0x4e/0x3d0
[ 4871.046479] kthread+0x10e/0x140
[ 4871.046480] ? process_one_work+0x5b0/0x5b0
[ 4871.046482] ? kthread_stop+0x220/0x220
[ 4871.046486] ret_from_fork+0x3a/0x50
[ 4871.046492] The buggy address belongs to the page:
[ 4871.046494] page:ffffea003ea10180 count:0 mapcount:0 mapping:0000000000000000 index:0x0
[ 4871.046495] flags: 0x57ffffc0000000()
[ 4871.046498] raw: 0057ffffc0000000 0000000000000000 ffffea003ea10188 0000000000000000
[ 4871.046500] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
[ 4871.046501] page dumped because: kasan: bad access detected
Avoid accessing the device structure once it is freed.
Fixes: 497158aa5f52 ("RDMA/bnxt_re: Fix the ib_reg failure cleanup")
Signed-off-by: Selvin Xavier <selvin.xavier@broadcom.com>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
Diffstat (limited to 'drivers/infiniband/hw/bnxt_re/main.c')
| -rw-r--r-- | drivers/infiniband/hw/bnxt_re/main.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/drivers/infiniband/hw/bnxt_re/main.c b/drivers/infiniband/hw/bnxt_re/main.c index bd5ded5809f5..77f095e5fbe3 100644 --- a/drivers/infiniband/hw/bnxt_re/main.c +++ b/drivers/infiniband/hw/bnxt_re/main.c @@ -1467,6 +1467,7 @@ static void bnxt_re_task(struct work_struct *work) "Failed to register with IB: %#x", rc); bnxt_re_remove_one(rdev); bnxt_re_dev_unreg(rdev); + goto exit; } break; case NETDEV_UP: @@ -1490,6 +1491,7 @@ static void bnxt_re_task(struct work_struct *work) } smp_mb__before_atomic(); atomic_dec(&rdev->sched_count); +exit: kfree(re_work); } |