Author: hselasky
Date: Tue Jul 17 09:16:54 2018
New Revision: 336376
URL: https://svnweb.freebsd.org/changeset/base/336376
Log:
Fix NULL pointer dereference during device removal in ibcore.
As part of ib_uverbs_remove_one which might be triggered upon
reset flow, we trigger IB_EVENT_DEVICE_FATAL event to userspace
application.
If device was removed after uverbs fd was opened but before
ib_uverbs_get_context was called, the event file will be accessed
before it was allocated, result in NULL pointer dereference:
Linux commit:
870201f95fcbd19538aef630393fe9d583eff82e
MFC after: 1 week
Sponsored by: Mellanox Technologies
Modified:
head/sys/ofed/drivers/infiniband/core/ib_uverbs_main.c
Modified: head/sys/ofed/drivers/infiniband/core/ib_uverbs_main.c
==============================================================================
--- head/sys/ofed/drivers/infiniband/core/ib_uverbs_main.c Tue Jul 17
09:15:50 2018 (r336375)
+++ head/sys/ofed/drivers/infiniband/core/ib_uverbs_main.c Tue Jul 17
09:16:54 2018 (r336376)
@@ -1274,7 +1274,6 @@ static void ib_uverbs_free_hw_resources(struct ib_uver
kref_get(&file->ref);
mutex_unlock(&uverbs_dev->lists_mutex);
- ib_uverbs_event_handler(&file->event_handler, &event);
mutex_lock(&file->cleanup_mutex);
ucontext = file->ucontext;
@@ -1291,6 +1290,7 @@ static void ib_uverbs_free_hw_resources(struct ib_uver
* for example due to freeing the resources
* (e.g mmput).
*/
+ ib_uverbs_event_handler(&file->event_handler, &event);
ib_dev->disassociate_ucontext(ucontext);
ib_uverbs_cleanup_ucontext(file, ucontext);
}
_______________________________________________
svn-src-all@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to "svn-src-all-unsubscr...@freebsd.org"
