From patchwork Fri May 19 04:44:28 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Selvin Xavier X-Patchwork-Id: 9735845 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id 85A29601A1 for ; Fri, 19 May 2017 04:45:30 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 73ED22861B for ; Fri, 19 May 2017 04:45:30 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 68D6C288CA; Fri, 19 May 2017 04:45:30 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.3 required=2.0 tests=BAYES_00,DKIM_SIGNED, RCVD_IN_DNSWL_HI, RCVD_IN_SORBS_SPAM, T_DKIM_INVALID autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 15CE22861B for ; Fri, 19 May 2017 04:45:30 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751105AbdESEp3 (ORCPT ); Fri, 19 May 2017 00:45:29 -0400 Received: from mail-wm0-f53.google.com ([74.125.82.53]:37158 "EHLO mail-wm0-f53.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751049AbdESEp2 (ORCPT ); Fri, 19 May 2017 00:45:28 -0400 Received: by mail-wm0-f53.google.com with SMTP id d127so73490267wmf.0 for ; Thu, 18 May 2017 21:45:27 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=broadcom.com; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=B3Xy4J/SBnY1enqYg/c7HQ948+xtNr3LXeF4EcfQf6k=; b=N1Lw4+FjNgLL/QGp13KthPPDEnPEax8Otfki3mh5DgSgNLXYjbntZbzwtJsLfjVgi8 gpC9V9kQP5lWAQ9QEKmr1kMiApSqhCPYQPYHLxhIbxxB41pmv3iA23Wb+A3op9+gnBid COybNlj0eQUVz7mwryMk6bi2O/Y0WCv2HZvm4= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=B3Xy4J/SBnY1enqYg/c7HQ948+xtNr3LXeF4EcfQf6k=; b=SRAz+T0oiXWxNshQOCM2uLZK/t4qlFoRf6tbX6LHkoD925uwf0jLyoIZgMlYa11gac XqThuaRlb6qrY2wDSAp45GbFWxmldxTMGhxuJnJET5CR0uf6Y9ahPdzBYnwUAKWNskBS HjSMlGMoLHcqYWOmXAT/GYbVxyqxcdpANSk/+YWfcfr7LDnY+VCDcvupfrsmLkjZIWKe 8Faj6mK3H77DGSS9jkKeKpzYH4nqLD6APXl4fkWvSRTTanmZpZ09KkwvYD4m2uGD+6tN LGPlHKstvHNFBrGasUDDt+ph4Rk2fHEZEiOOt3BG012ahVH6lxS6GmdBq25/kJOJcL5I KqPg== X-Gm-Message-State: AODbwcCbb7fNiDUuLiDXFzmAxtVYZuX/oYtI9Bq1QTRjAA8UeAkPjM7z LCJERVbyE64CN6tv X-Received: by 10.28.168.201 with SMTP id r192mr5106671wme.43.1495169126964; Thu, 18 May 2017 21:45:26 -0700 (PDT) Received: from dhcp-10-192-206-197.iig.avagotech.net ([192.19.239.250]) by smtp.gmail.com with ESMTPSA id p107sm1202508wrb.64.2017.05.18.21.45.23 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 18 May 2017 21:45:26 -0700 (PDT) From: Selvin Xavier To: dledford@redhat.com Cc: linux-rdma@vger.kernel.org, Selvin Xavier , Kalesh AP Subject: [PATCH V3 for-next 09/15] RDMA/bnxt_re: Do not free the ctx_tbl entry if delete GID fails Date: Thu, 18 May 2017 21:44:28 -0700 Message-Id: <1495169074-12641-10-git-send-email-selvin.xavier@broadcom.com> X-Mailer: git-send-email 2.5.5 In-Reply-To: <1495169074-12641-1-git-send-email-selvin.xavier@broadcom.com> References: <1495169074-12641-1-git-send-email-selvin.xavier@broadcom.com> Sender: linux-rdma-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-rdma@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP This fix is added only to avoid system crash in some a specific scenario. When bnxt_re driver is loaded and if user tries to change interface mac address, delete GID fails because QP1 is still associated with existing MAC (default GID). If the above command fails GID tables are not modified in the h/w or driver, but the GID context memory is freed. Now, if the user changes the mac back to the original value, another add_gid comes to the driver where the driver reports that the GID is already present in its table and tries to access the context which was already freed. So, in this case, in order to avoid NULL pointer de-reference, this patch removes the context memory free if delete_gid fails and the same context memory is re-used in new add_gid. Memory cleanup will be taken care during driver unload, while deleting the GID table. Signed-off-by: Kalesh AP Signed-off-by: Selvin Xavier --- v1 -> v2 : Adds the bug description in commit message drivers/infiniband/hw/bnxt_re/ib_verbs.c | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/drivers/infiniband/hw/bnxt_re/ib_verbs.c b/drivers/infiniband/hw/bnxt_re/ib_verbs.c index 6ec3ab2..43f7d66 100644 --- a/drivers/infiniband/hw/bnxt_re/ib_verbs.c +++ b/drivers/infiniband/hw/bnxt_re/ib_verbs.c @@ -375,15 +375,17 @@ int bnxt_re_del_gid(struct ib_device *ibdev, u8 port_num, return -EINVAL; ctx->refcnt--; if (!ctx->refcnt) { - rc = bnxt_qplib_del_sgid - (sgid_tbl, - &sgid_tbl->tbl[ctx->idx], true); - if (rc) + rc = bnxt_qplib_del_sgid(sgid_tbl, + &sgid_tbl->tbl[ctx->idx], + true); + if (rc) { dev_err(rdev_to_dev(rdev), "Failed to remove GID: %#x", rc); - ctx_tbl = sgid_tbl->ctx; - ctx_tbl[ctx->idx] = NULL; - kfree(ctx); + } else { + ctx_tbl = sgid_tbl->ctx; + ctx_tbl[ctx->idx] = NULL; + kfree(ctx); + } } } else { return -EINVAL;