From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 4A15DECAAA1 for ; Thu, 27 Oct 2022 17:06:08 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S236992AbiJ0RGG (ORCPT ); Thu, 27 Oct 2022 13:06:06 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:35978 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S236975AbiJ0RGA (ORCPT ); Thu, 27 Oct 2022 13:06:00 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 219F25A82B for ; Thu, 27 Oct 2022 10:06:00 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id B2783623F4 for ; Thu, 27 Oct 2022 17:05:59 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id C6416C433D6; Thu, 27 Oct 2022 17:05:58 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1666890359; bh=NBhOUHrH7xKpVUuO3SWOcpekq6A71VXdGMgM5bI7k9U=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=DiVB2uhY+aoH9fWZpwlfVgwh53LuyIqiLGvikiVjJoWPmHZiDhMqKMAeK4jpGgqrJ xRqlSzEXk6mXfWmTYz4XbPRiRi6FZKRsFMVcEHSLRBTEAes1PVfRCH9viyWDJqPmLv /9uEGzvwDO0CGeDcM23gZePmqO6TB9gNEvKJcEME= From: Greg Kroah-Hartman To: stable@vger.kernel.org Cc: Greg Kroah-Hartman , patches@lists.linux.dev, Brett Creeley , Shannon Nelson , Jakub Kicinski , Sasha Levin Subject: [PATCH 5.10 41/79] ionic: catch NULL pointer issue on reconfig Date: Thu, 27 Oct 2022 18:55:51 +0200 Message-Id: <20221027165055.751801678@linuxfoundation.org> X-Mailer: git-send-email 2.38.1 In-Reply-To: <20221027165054.270676357@linuxfoundation.org> References: <20221027165054.270676357@linuxfoundation.org> User-Agent: quilt/0.67 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org From: Brett Creeley [ Upstream commit aa1d7e1267c12e07d979aa34c613716a89029db2 ] It's possible that the driver will dereference a qcq that doesn't exist when calling ionic_reconfigure_queues(), which causes a page fault BUG. If a reduction in the number of queues is followed by a different reconfig such as changing the ring size, the driver can hit a NULL pointer when trying to clean up non-existent queues. Fix this by checking to make sure both the qcqs array and qcq entry exists bofore trying to use and free the entry. Fixes: 101b40a0171f ("ionic: change queue count with no reset") Signed-off-by: Brett Creeley Signed-off-by: Shannon Nelson Link: https://lore.kernel.org/r/20221017233123.15869-1-snelson@pensando.io Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin --- drivers/net/ethernet/pensando/ionic/ionic_lif.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/drivers/net/ethernet/pensando/ionic/ionic_lif.c b/drivers/net/ethernet/pensando/ionic/ionic_lif.c index e42520f909fe..cb12d0171517 100644 --- a/drivers/net/ethernet/pensando/ionic/ionic_lif.c +++ b/drivers/net/ethernet/pensando/ionic/ionic_lif.c @@ -2383,11 +2383,15 @@ int ionic_reconfigure_queues(struct ionic_lif *lif, * than the full array, but leave the qcq shells in place */ for (i = lif->nxqs; i < lif->ionic->ntxqs_per_lif; i++) { - lif->txqcqs[i]->flags &= ~IONIC_QCQ_F_INTR; - ionic_qcq_free(lif, lif->txqcqs[i]); + if (lif->txqcqs && lif->txqcqs[i]) { + lif->txqcqs[i]->flags &= ~IONIC_QCQ_F_INTR; + ionic_qcq_free(lif, lif->txqcqs[i]); + } - lif->rxqcqs[i]->flags &= ~IONIC_QCQ_F_INTR; - ionic_qcq_free(lif, lif->rxqcqs[i]); + if (lif->rxqcqs && lif->rxqcqs[i]) { + lif->rxqcqs[i]->flags &= ~IONIC_QCQ_F_INTR; + ionic_qcq_free(lif, lif->rxqcqs[i]); + } } return err; -- 2.35.1