From: Sasha Levin <sashal@kernel.org>
To: stable@vger.kernel.org, linux-kernel@vger.kernel.org
Cc: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>,
"David S . Miller" <davem@davemloft.net>,
Sasha Levin <sashal@kernel.org>,
netdev@vger.kernel.org
Subject: [PATCH AUTOSEL 4.19 085/123] net: thunderx: fix NULL pointer dereference in nic_remove
Date: Wed, 5 Dec 2018 04:35:17 -0500 [thread overview]
Message-ID: <20181205093555.5386-85-sashal@kernel.org> (raw)
In-Reply-To: <20181205093555.5386-1-sashal@kernel.org>
From: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
[ Upstream commit 24a6d2dd263bc910de018c78d1148b3e33b94512 ]
Fix a possible NULL pointer dereference in nic_remove routine
removing the nicpf module if nic_probe fails.
The issue can be triggered with the following reproducer:
$rmmod nicvf
$rmmod nicpf
[ 521.412008] Unable to handle kernel access to user memory outside uaccess routines at virtual address 0000000000000014
[ 521.422777] Mem abort info:
[ 521.425561] ESR = 0x96000004
[ 521.428624] Exception class = DABT (current EL), IL = 32 bits
[ 521.434535] SET = 0, FnV = 0
[ 521.437579] EA = 0, S1PTW = 0
[ 521.440730] Data abort info:
[ 521.443603] ISV = 0, ISS = 0x00000004
[ 521.447431] CM = 0, WnR = 0
[ 521.450417] user pgtable: 4k pages, 48-bit VAs, pgdp = 0000000072a3da42
[ 521.457022] [0000000000000014] pgd=0000000000000000
[ 521.461916] Internal error: Oops: 96000004 [#1] SMP
[ 521.511801] Hardware name: GIGABYTE H270-T70/MT70-HD0, BIOS T49 02/02/2018
[ 521.518664] pstate: 80400005 (Nzcv daif +PAN -UAO)
[ 521.523451] pc : nic_remove+0x24/0x88 [nicpf]
[ 521.527808] lr : pci_device_remove+0x48/0xd8
[ 521.532066] sp : ffff000013433cc0
[ 521.535370] x29: ffff000013433cc0 x28: ffff810f6ac50000
[ 521.540672] x27: 0000000000000000 x26: 0000000000000000
[ 521.545974] x25: 0000000056000000 x24: 0000000000000015
[ 521.551274] x23: ffff8007ff89a110 x22: ffff000001667070
[ 521.556576] x21: ffff8007ffb170b0 x20: ffff8007ffb17000
[ 521.561877] x19: 0000000000000000 x18: 0000000000000025
[ 521.567178] x17: 0000000000000000 x16: 000000000000010ffc33ff98 x8 : 0000000000000000
[ 521.593683] x7 : 0000000000000000 x6 : 0000000000000001
[ 521.598983] x5 : 0000000000000002 x4 : 0000000000000003
[ 521.604284] x3 : ffff8007ffb17184 x2 : ffff8007ffb17184
[ 521.609585] x1 : ffff000001662118 x0 : ffff000008557be0
[ 521.614887] Process rmmod (pid: 1897, stack limit = 0x00000000859535c3)
[ 521.621490] Call trace:
[ 521.623928] nic_remove+0x24/0x88 [nicpf]
[ 521.627927] pci_device_remove+0x48/0xd8
[ 521.631847] device_release_driver_internal+0x1b0/0x248
[ 521.637062] driver_detach+0x50/0xc0
[ 521.640628] bus_remove_driver+0x60/0x100
[ 521.644627] driver_unregister+0x34/0x60
[ 521.648538] pci_unregister_driver+0x24/0xd8
[ 521.652798] nic_cleanup_module+0x14/0x111c [nicpf]
[ 521.657672] __arm64_sys_delete_module+0x150/0x218
[ 521.662460] el0_svc_handler+0x94/0x110
[ 521.666287] el0_svc+0x8/0xc
[ 521.669160] Code: aa1e03e0 9102c295 d503201f f9404eb3 (b9401660)
Fixes: 4863dea3fab0 ("net: Adding support for Cavium ThunderX network controller")
Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/cavium/thunder/nic_main.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/net/ethernet/cavium/thunder/nic_main.c b/drivers/net/ethernet/cavium/thunder/nic_main.c
index 55af04fa03a7..6c8dcb65ff03 100644
--- a/drivers/net/ethernet/cavium/thunder/nic_main.c
+++ b/drivers/net/ethernet/cavium/thunder/nic_main.c
@@ -1441,6 +1441,9 @@ static void nic_remove(struct pci_dev *pdev)
{
struct nicpf *nic = pci_get_drvdata(pdev);
+ if (!nic)
+ return;
+
if (nic->flags & NIC_SRIOV_ENABLED)
pci_disable_sriov(pdev);
--
2.17.1
next prev parent reply other threads:[~2018-12-05 9:35 UTC|newest]
Thread overview: 28+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20181205093555.5386-1-sashal@kernel.org>
2018-12-05 9:34 ` [PATCH AUTOSEL 4.19 013/123] tools: bpftool: prevent infinite loop in get_fdinfo() Sasha Levin
2018-12-05 9:34 ` [PATCH AUTOSEL 4.19 017/123] netfilter: nf_conncount: use spin_lock_bh instead of spin_lock Sasha Levin
2018-12-05 9:34 ` [PATCH AUTOSEL 4.19 018/123] netfilter: nf_conncount: fix list_del corruption in conn_free Sasha Levin
2018-12-05 9:34 ` [PATCH AUTOSEL 4.19 019/123] netfilter: nf_conncount: fix unexpected permanent node of list Sasha Levin
2018-12-05 9:34 ` [PATCH AUTOSEL 4.19 020/123] netfilter: nf_tables: don't skip inactive chains during update Sasha Levin
2018-12-05 9:34 ` [PATCH AUTOSEL 4.19 023/123] netfilter: xt_RATEEST: remove netns exit routine Sasha Levin
2018-12-05 9:34 ` [PATCH AUTOSEL 4.19 024/123] netfilter: nf_tables: fix use-after-free when deleting compat expressions Sasha Levin
2018-12-05 9:34 ` [PATCH AUTOSEL 4.19 040/123] bpf: allocate local storage buffers using GFP_ATOMIC Sasha Levin
2018-12-07 6:40 ` Naresh Kamboju
2018-12-07 6:55 ` Naresh Kamboju
2018-12-05 9:34 ` [PATCH AUTOSEL 4.19 042/123] netfilter: xt_hashlimit: fix a possible memory leak in htable_create() Sasha Levin
2018-12-05 9:34 ` [PATCH AUTOSEL 4.19 058/123] tools: bpftool: fix potential NULL pointer dereference in do_load Sasha Levin
2018-12-05 9:34 ` [PATCH AUTOSEL 4.19 065/123] bpf: fix check of allowed specifiers in bpf_trace_printk Sasha Levin
2018-12-05 9:34 ` [PATCH AUTOSEL 4.19 067/123] ipvs: call ip_vs_dst_notifier earlier than ipv6_dev_notf Sasha Levin
2018-12-05 9:35 ` [PATCH AUTOSEL 4.19 075/123] netfilter: ipv6: Preserve link scope traffic original oif Sasha Levin
2018-12-05 9:35 ` [PATCH AUTOSEL 4.19 077/123] netfilter: add missing error handling code for register functions Sasha Levin
2018-12-05 9:35 ` [PATCH AUTOSEL 4.19 078/123] netfilter: nat: fix double register in masquerade modules Sasha Levin
2018-12-05 9:35 ` [PATCH AUTOSEL 4.19 079/123] netfilter: nf_conncount: remove wrong condition check routine Sasha Levin
2018-12-05 9:35 ` [PATCH AUTOSEL 4.19 083/123] usbnet: ipheth: fix potential recvmsg bug and recvmsg bug 2 Sasha Levin
2018-12-05 9:35 ` [PATCH AUTOSEL 4.19 084/123] net: phy: add workaround for issue where PHY driver doesn't bind to the device Sasha Levin
2018-12-05 9:35 ` Sasha Levin [this message]
2018-12-05 9:35 ` [PATCH AUTOSEL 4.19 086/123] lan743x: fix return value for lan743x_tx_napi_poll Sasha Levin
2018-12-05 9:35 ` [PATCH AUTOSEL 4.19 087/123] lan743x: Enable driver to work with LAN7431 Sasha Levin
2018-12-05 9:35 ` [PATCH AUTOSEL 4.19 089/123] netfilter: nf_tables: deactivate expressions in rule replecement routine Sasha Levin
2018-12-05 9:35 ` [PATCH AUTOSEL 4.19 094/123] igb: fix uninitialized variables Sasha Levin
2018-12-05 9:35 ` [PATCH AUTOSEL 4.19 095/123] ixgbe: recognize 1000BaseLX SFP modules as 1Gbps Sasha Levin
2018-12-05 9:35 ` [PATCH AUTOSEL 4.19 096/123] rapidio/rionet: do not free skb before reading its length Sasha Levin
2018-12-05 9:35 ` [PATCH AUTOSEL 4.19 097/123] net: hisilicon: remove unexpected free_netdev Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20181205093555.5386-85-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=davem@davemloft.net \
--cc=linux-kernel@vger.kernel.org \
--cc=lorenzo.bianconi@redhat.com \
--cc=netdev@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).