From: <sameehj@amazon.com>
To: <davem@davemloft.net>, <netdev@vger.kernel.org>
Cc: Arthur Kiyanovski <akiyano@amazon.com>, <dwmw@amazon.com>,
	<zorik@amazon.com>, <matua@amazon.com>, <saeedb@amazon.com>,
	<msw@amazon.com>, <aliguori@amazon.com>, <nafea@amazon.com>,
	<gtzalik@amazon.com>, <netanel@amazon.com>, <alisaidi@amazon.com>,
	<benh@amazon.com>, <sameehj@amazon.com>, <ndagan@amazon.com>
Subject: [PATCH V2 net 12/12] net: ena: ena-com.c: prevent NULL pointer dereference
Date: Tue, 11 Feb 2020 15:17:51 +0000
Message-ID: <20200211151751.29718-13-sameehj@amazon.com>
In-Reply-To: <20200211151751.29718-1-sameehj@amazon.com>

From: Arthur Kiyanovski <akiyano@amazon.com>

comp_ctx can be NULL in a very rare case when an admin command is executed
during the execution of ena_remove().

The bug scenario is as follows:

* ena_destroy_device() sets the comp_ctx to be NULL
* An admin command is executed before executing unregister_netdev(),
  this can still happen because our device can still receive callbacks
  from the netdev infrastructure such as ethtool commands.
* When attempting to access the comp_ctx, the bug occurs since it's set
  to NULL

Fix:
Added a check that comp_ctx is not NULL

Fixes: 1738cd3ed342 ("net: ena: Add a driver for Amazon Elastic Network Adapters (ENA)")
Signed-off-by: Sameeh Jubran <sameehj@amazon.com>
Signed-off-by: Arthur Kiyanovski <akiyano@amazon.com>
---
 drivers/net/ethernet/amazon/ena/ena_com.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/drivers/net/ethernet/amazon/ena/ena_com.c b/drivers/net/ethernet/amazon/ena/ena_com.c
index 0f93d1092..1fb58f9ad 100644
--- a/drivers/net/ethernet/amazon/ena/ena_com.c
+++ b/drivers/net/ethernet/amazon/ena/ena_com.c
@@ -200,6 +200,11 @@ static void comp_ctxt_release(struct ena_com_admin_queue *queue,
 static struct ena_comp_ctx *get_comp_ctxt(struct ena_com_admin_queue *queue,
 					  u16 command_id, bool capture)
 {
+	if (unlikely(!queue->comp_ctx)) {
+		pr_err("Completion context is NULL\n");
+		return NULL;
+	}
+
 	if (unlikely(command_id >= queue->q_depth)) {
 		pr_err("command id is larger than the queue size. cmd_id: %u queue size %d\n",
 		       command_id, queue->q_depth);
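Review bot: the new test of queue->comp_ctx at the top of get_comp_ctxt() is a plain read with no locking visible in this hunk, so on its own it only narrows the window the commit message describes. If ena_destroy_device() sets comp_ctx to NULL after this check passes but before the pointer is used further down, the dereference can still occur. Please say in a comment or in the commit message which lock serializes get_comp_ctxt() against the teardown path, or take that lock around both the check and the use. Two smaller points: callers of get_comp_ctxt() now have to cope with a NULL return from this early exit, so it is worth confirming each one does, and because the commit message says this path is reachable from ethtool callbacks, pr_err_ratelimited() would be safer than pr_err() for the "Completion context is NULL" message.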
-- 
2.24.1.AMZN

