From: Firo Yang
To: sathya.perla@broadcom.com, ajit.khaparde@broadcom.com, sriharsha.basavapatna@broadcom.com, somnath.kotur@broadcom.com, davem@davemloft.net
Cc: netdev@vger.kernel.org, firogm@gmail.com, Firo Yang
Subject: [PATCH 1/1] be2net: Detach interface for avoiding a system crash
Date: Mon, 1 Apr 2019 20:24:21 +0800
Message-Id: <20190401122421.30116-1-fyang@suse.com>
X-Mailer: git-send-email 2.16.4
X-Mailing-List: netdev@vger.kernel.org

This crash is triggered by a use-after-free, due to the lack of synchronization of a race condition between be_update_queues() modifying the multi-purpose channels of the network device and be_tx_timeout().

BUG: unable to handle kernel NULL pointer dereference at (null)
Call Trace:
 be_tx_timeout+0xa5/0x360 [be2net]
 dev_watchdog+0x1d8/0x210
 call_timer_fn+0x32/0x140

To fix it, detach the interface before modifying the multi-purpose channels of the network device.

Signed-off-by: Firo Yang
---
 drivers/net/ethernet/emulex/benet/be_main.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/drivers/net/ethernet/emulex/benet/be_main.c b/drivers/net/ethernet/emulex/benet/be_main.c index d5026909dec5..25d0128bf684 100644 --- a/drivers/net/ethernet/emulex/benet/be_main.c +++ b/drivers/net/ethernet/emulex/benet/be_main.c @@ -4705,6 +4705,8 @@ int be_update_queues(struct be_adapter *adapter) struct net_device *netdev = adapter->netdev; int status; + netif_device_detach(netdev); + if (netif_running(netdev)) be_close(netdev); 
@@ -4719,21 +4721,21 @@ int be_update_queues(struct be_adapter *adapter) be_clear_queues(adapter); status = be_cmd_if_destroy(adapter, adapter->if_handle, 0); if (status) - return status; + goto out; if (!msix_enabled(adapter)) { status = be_msix_enable(adapter); if (status) - return status; + goto out; } status = be_if_create(adapter); if (status) - return status; + goto out; status = be_setup_queues(adapter); if (status) - return status; + goto out; be_schedule_worker(adapter); @@ -4748,6 +4750,8 @@ int be_update_queues(struct be_adapter *adapter) if (netif_running(netdev)) status = be_open(netdev); +out: + netif_device_attach(netdev); return status; } -- 2.16.4
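Review bot: the netif_device_detach(netdev) call added at the top of be_update_queues() (first hunk, @@ -4705) has no comment, and the commit message does not say how detaching keeps dev_watchdog() from reaching be_tx_timeout() while the queues are being rebuilt. The trace only shows the dev_watchdog -> be_tx_timeout path, so a reader cannot tell from the patch which check the detach relies on. Please add a short comment above the call naming that dependency, and state in the changelog which object is freed and then dereferenced, since the log reports a NULL pointer dereference while the text calls it a use-after-free. The detach is also placed before the netif_running(netdev) test, so it applies to a closed interface too; say whether that is intended.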
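Review bot: every failure path converted to "goto out" (second hunk, @@ -4719) now ends in netif_device_attach(netdev) at the new out: label (third hunk, @@ -4748), so the interface is marked present again after be_clear_queues() has run and be_cmd_if_destroy(), be_msix_enable(), be_if_create() or be_setup_queues() has failed. That re-exposes a device whose queues are torn down or only partly set up, which is the window this patch is meant to close. The same applies when be_open(netdev) fails just above the label, because status is not checked before the attach. Suggest attaching only when status is 0 and leaving the device detached on error, or explaining in a comment at out: why re-attaching a half-configured interface is safe.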