From: Simon Horman <horms@kernel.org>
To: Joshua Hay <joshua.a.hay@intel.com>
Cc: intel-wired-lan@lists.osuosl.org, netdev@vger.kernel.org,
Przemek Kitszel <przemyslaw.kitszel@intel.com>,
Aleksandr Loktionov <aleksandr.loktionov@intel.com>
Subject: Re: [Intel-wired-lan] [PATCH iwl-net] idpf: clear stale cdev_info ptr
Date: Thu, 5 Mar 2026 09:30:51 +0000
Message-ID: <20260305093051.GB90938@kernel.org>
In-Reply-To: <20260303012831.662492-1-joshua.a.hay@intel.com>
On Mon, Mar 02, 2026 at 05:28:31PM -0800, Joshua Hay wrote:
> Deinit calls idpf_idc_deinit_core_aux_device to free the cdev_info
> memory, but leaves the adapter->cdev_info field with a stale pointer
> value. This will bypass subsequent "if (!cdev_info)" checks if cdev_info
> is not reallocated. For example, if idc_init fails after a reset,
> cdev_info will already have been freed during the reset handling, but it
> will not have been reallocated. The next reset or rmmod will result in a
> crash.
>
> [ +0.000008] BUG: kernel NULL pointer dereference, address: 00000000000000d0
> [ +0.000033] #PF: supervisor read access in kernel mode
> [ +0.000020] #PF: error_code(0x0000) - not-present page
> [ +0.000017] PGD 2097dfa067 P4D 0
> [ +0.000017] Oops: Oops: 0000 [#1] SMP NOPTI
> ...
> [ +0.000018] RIP: 0010:device_del+0x3e/0x3d0
> [ +0.000010] Call Trace:
> [ +0.000010] <TASK>
> [ +0.000012] idpf_idc_deinit_core_aux_device+0x36/0x70 [idpf]
> [ +0.000034] idpf_vc_core_deinit+0x3e/0x180 [idpf]
> [ +0.000035] idpf_remove+0x40/0x1d0 [idpf]
> [ +0.000035] pci_device_remove+0x42/0xb0
> [ +0.000020] device_release_driver_internal+0x19c/0x200
> [ +0.000024] driver_detach+0x48/0x90
> [ +0.000018] bus_remove_driver+0x6d/0x100
> [ +0.000023] pci_unregister_driver+0x2e/0xb0
> [ +0.000022] __do_sys_delete_module.isra.0+0x18c/0x2b0
> [ +0.000025] ? kmem_cache_free+0x2c2/0x390
> [ +0.000023] do_syscall_64+0x107/0x7d0
> [ +0.000023] entry_SYSCALL_64_after_hwframe+0x76/0x7e
>
> Pass the adapter struct into idpf_idc_deinit_core_aux_device instead and
> clear the cdev_info ptr.
>
> Fixes: f4312e6bfa2a ("idpf: implement core RDMA auxiliary dev create, init, and destroy")
> Signed-off-by: Joshua Hay <joshua.a.hay@intel.com>
> Reviewed-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
> Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
Reviewed-by: Simon Horman <horms@kernel.org>
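
Added example, not part of the original message and not idpf driver code: a userspace model of the failure sequence the commit message describes (deinit on reset, failed re-init, then another teardown), with the before and after deinit shapes side by side. All `model_*` names, the `live` flag and the static `slot` are assumptions; `live = false` stands in for freeing the object so the run never touches freed memory.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

struct cdev_info { bool live; };            /* live == false models freed memory */
struct adapter   { struct cdev_info *cdev_info; };

static struct cdev_info slot;               /* stands in for the allocated object */

static void model_idc_init(struct adapter *a, bool fail)
{
    if (fail)
        return;                             /* init failed: nothing is reallocated */
    slot.live = true;
    a->cdev_info = &slot;
}

/* Before: only the object is passed in, so the owner's field cannot be cleared. */
static void model_deinit_before(struct cdev_info *ci)
{
    if (!ci)
        return;
    ci->live = false;                       /* models the free */
}

/* After: the adapter is passed in, the object is released and the field cleared. */
static void model_deinit_after(struct adapter *a)
{
    if (!a->cdev_info)
        return;
    a->cdev_info->live = false;             /* models the free */
    a->cdev_info = NULL;
}

/* Reset, failed re-init, then a second teardown. True if that teardown
 * gets past the "if (!cdev_info)" guard with a pointer to freed memory. */
static bool model_second_teardown_sees_freed(bool fixed)
{
    struct adapter a = { 0 };
    model_idc_init(&a, false);
    if (fixed) model_deinit_after(&a); else model_deinit_before(a.cdev_info);
    model_idc_init(&a, true);               /* idc_init fails after the reset */
    return a.cdev_info && !a.cdev_info->live;
}

int main(void)
{
    printf("before: %d\n", model_second_teardown_sees_freed(false));
    printf("after:  %d\n", model_second_teardown_sees_freed(true));
    return 0;
}
```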