From: Ferruh Yigit <ferruh.yigit@amd.com>
To: Roger B Melton <rmelton@cisco.com>,
Jochen Behrens <jochen.behrens@broadcom.com>
Cc: dev@dpdk.org
Subject: Re: [PATCH] net/vmxnet3: Fix vmxnet3 NULL pointer deref after configuration failure
Date: Wed, 30 Oct 2024 03:15:28 +0000 [thread overview]
Message-ID: <dbbc22ae-aa80-44f3-8178-ebe140a1d540@amd.com> (raw)
In-Reply-To: <20241026143336.2099168-1-rmelton@cisco.com>
On 10/26/2024 3:33 PM, Roger B Melton wrote:
> Problem:
>
> If vxmnet3_dev_configure() fails, applications may call
> vmxnet3_dev_close(). If the failure occurs before the vmxnet3
> hw->shared structure is allocated the close will lead to a segv.
>
> Root Cause:
>
> This crash is due to incorrect adapter_stopped state in the
> vmxnet3 dev_private structure. When dev_private is allocated,
> adapter_stopped will be 0 (FALSE). eth_vmxnet3_dev_init() does not
> set it to TRUE, so it will remain FALSE until a successful
> vmxnet3_dev_start() followed by a vmxnet3_dev_stop(). When
> vmxnet3_dev_close() is called, it will invoke vmxnet3_dev_stop().
> vmxnet3_dev_stop() will check the adapter_stopped state in the
> vmxnet3 shared data, find it is FALSE and will proceed to stop the
> device, calling vmxnet3_disable_all_intrs().
> vmxnet3_disable_all_intrs() attempts to access the vmxnet3 shared data
> resulting in the segv.
>
> Solution:
>
> Set adapter_stopped to TRUE in eth_vmxnet3_dev_init(), to prevent stop
> processing.
>
> Signed-off-by: Roger B Melton <rmelton@cisco.com>
> ---
> drivers/net/vmxnet3/vmxnet3_ethdev.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/drivers/net/vmxnet3/vmxnet3_ethdev.c b/drivers/net/vmxnet3/vmxnet3_ethdev.c
> index 467fb61137..8d7f95a753 100644
> --- a/drivers/net/vmxnet3/vmxnet3_ethdev.c
> +++ b/drivers/net/vmxnet3/vmxnet3_ethdev.c
> @@ -403,6 +403,7 @@ eth_vmxnet3_dev_init(struct rte_eth_dev *eth_dev)
> /* Vendor and Device ID need to be set before init of shared code */
> hw->device_id = pci_dev->id.device_id;
> hw->vendor_id = pci_dev->id.vendor_id;
> + hw->adapter_stopped = TRUE;
> hw->hw_addr0 = (void *)pci_dev->mem_resource[0].addr;
> hw->hw_addr1 = (void *)pci_dev->mem_resource[1].addr;
>
Hi Roger,
Can you please provide fixes tag?
next prev parent reply other threads:[~2024-10-30 3:15 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-10-26 14:33 [PATCH] net/vmxnet3: Fix vmxnet3 NULL pointer deref after configuration failure Roger B Melton
2024-10-27 8:43 ` Morten Brørup
2024-10-31 5:38 ` Ferruh Yigit
2024-10-30 3:15 ` Ferruh Yigit [this message]
2024-10-30 20:27 ` Roger Melton (rmelton)
2024-10-31 0:08 ` Roger Melton (rmelton)
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=dbbc22ae-aa80-44f3-8178-ebe140a1d540@amd.com \
--to=ferruh.yigit@amd.com \
--cc=dev@dpdk.org \
--cc=jochen.behrens@broadcom.com \
--cc=rmelton@cisco.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.