linux/drivers/infiniband/hw/bnxt_re
Selvin Xavier a6c66d6a08 RDMA/bnxt_re: Avoid accessing the device structure after it is freed
When bnxt_re_ib_reg returns failure, the device structure gets
freed. The driver tries to access the device pointer
after it is freed.

[ 4871.034744] Failed to register with netedev: 0xffffffa1
[ 4871.034765] infiniband (null): Failed to register with IB: 0xffffffea
[ 4871.046430] ==================================================================
[ 4871.046437] BUG: KASAN: use-after-free in bnxt_re_task+0x63/0x180 [bnxt_re]
[ 4871.046439] Write of size 4 at addr ffff880fa8406f48 by task kworker/u48:2/17813

[ 4871.046443] CPU: 20 PID: 17813 Comm: kworker/u48:2 Kdump: loaded Tainted: G B OE  4.20.0-rc1+ #42
[ 4871.046444] Hardware name: Dell Inc. PowerEdge R730/0599V5, BIOS 1.0.4 08/28/2014
[ 4871.046447] Workqueue: bnxt_re bnxt_re_task [bnxt_re]
[ 4871.046449] Call Trace:
[ 4871.046454]  dump_stack+0x91/0xeb
[ 4871.046458]  print_address_description+0x6a/0x2a0
[ 4871.046461]  kasan_report+0x176/0x2d0
[ 4871.046463]  ? bnxt_re_task+0x63/0x180 [bnxt_re]
[ 4871.046466]  bnxt_re_task+0x63/0x180 [bnxt_re]
[ 4871.046470]  process_one_work+0x216/0x5b0
[ 4871.046471]  ? process_one_work+0x189/0x5b0
[ 4871.046475]  worker_thread+0x4e/0x3d0
[ 4871.046479]  kthread+0x10e/0x140
[ 4871.046480]  ? process_one_work+0x5b0/0x5b0
[ 4871.046482]  ? kthread_stop+0x220/0x220
[ 4871.046486]  ret_from_fork+0x3a/0x50

[ 4871.046492] The buggy address belongs to the page:
[ 4871.046494] page:ffffea003ea10180 count:0 mapcount:0 mapping:0000000000000000 index:0x0
[ 4871.046495] flags: 0x57ffffc0000000()
[ 4871.046498] raw: 0057ffffc0000000 0000000000000000 ffffea003ea10188 0000000000000000
[ 4871.046500] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
[ 4871.046501] page dumped because: kasan: bad access detected

Avoid accessing the device structure once it is freed.

Fixes: 497158aa5f ("RDMA/bnxt_re: Fix the ib_reg failure cleanup")
Signed-off-by: Selvin Xavier <selvin.xavier@broadcom.com>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
2018-11-21 14:12:21 -07:00
Kconfig bnxt_re: add MAY_USE_DEVLINK dependency 2017-07-29 14:17:48 -07:00
Makefile License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
bnxt_re.h RDMA/bnxt_re: Avoid resource leak in case the NQ registration fails 2018-10-16 00:03:51 -06:00
hw_counters.c RDMA/bnxt_re: Report out of sequence hw counters 2018-10-16 00:03:50 -06:00
hw_counters.h RDMA/bnxt_re: Report out of sequence hw counters 2018-10-16 00:03:50 -06:00
ib_verbs.c RDMA/bnxt_re: Add missing spin lock initialization 2018-10-16 00:03:50 -06:00
ib_verbs.h RDMA, core and ULPs: Declare ib_post_send() and ib_post_recv() arguments const 2018-07-30 20:09:34 -06:00
main.c RDMA/bnxt_re: Avoid accessing the device structure after it is freed 2018-11-21 14:12:21 -07:00
qplib_fp.c RDMA/bnxt_re: Avoid accessing nq->bar_reg_iomem in failure case 2018-10-16 00:03:50 -06:00
qplib_fp.h RDMA/bnxt_re: Fix broken RoCE driver due to recent L2 driver changes 2018-05-25 11:03:47 -06:00
qplib_rcfw.c RDMA/bnxt_re: Prevent driver crash due to NULL pointer in error message print 2018-10-16 00:03:50 -06:00
qplib_rcfw.h RDMA/bnxt_re: Report out of sequence hw counters 2018-10-16 00:03:50 -06:00
qplib_res.c RDMA/bnxt_re: QPLIB: Add and use #define dev_fmt(fmt) "QPLIB: " fmt 2018-09-05 15:35:20 -06:00
qplib_res.h bnxt_re: Make room for mapping beyond 32 entries 2017-10-18 10:24:13 -04:00
qplib_sp.c RDMA/bnxt_re: Limit max_pkey to 16 bit value 2018-10-16 00:03:51 -06:00
qplib_sp.h RDMA/bnxt_re: Report out of sequence hw counters 2018-10-16 00:03:50 -06:00
roce_hsi.h RDMA/bnxt_re: Report out of sequence hw counters 2018-10-16 00:03:50 -06:00