Author: hselasky
Date: Tue Jul 17 09:16:54 2018
New Revision: 336376
URL: https://svnweb.freebsd.org/changeset/base/336376
Log: Fix NULL pointer dereference during device removal in ibcore. As part of ib_uverbs_remove_one which might be triggered upon reset flow, we trigger IB_EVENT_DEVICE_FATAL event to userspace application. If device was removed after uverbs fd was opened but before ib_uverbs_get_context was called, the event file will be accessed before it was allocated, result in NULL pointer dereference: Linux commit: 870201f95fcbd19538aef630393fe9d583eff82e MFC after: 1 week Sponsored by: Mellanox Technologies Modified: head/sys/ofed/drivers/infiniband/core/ib_uverbs_main.c Modified: head/sys/ofed/drivers/infiniband/core/ib_uverbs_main.c ============================================================================== --- head/sys/ofed/drivers/infiniband/core/ib_uverbs_main.c Tue Jul 17 09:15:50 2018 (r336375) +++ head/sys/ofed/drivers/infiniband/core/ib_uverbs_main.c Tue Jul 17 09:16:54 2018 (r336376) @@ -1274,7 +1274,6 @@ static void ib_uverbs_free_hw_resources(struct ib_uver kref_get(&file->ref); mutex_unlock(&uverbs_dev->lists_mutex); - ib_uverbs_event_handler(&file->event_handler, &event); mutex_lock(&file->cleanup_mutex); ucontext = file->ucontext; @@ -1291,6 +1290,7 @@ static void ib_uverbs_free_hw_resources(struct ib_uver * for example due to freeing the resources * (e.g mmput). */ + ib_uverbs_event_handler(&file->event_handler, &event); ib_dev->disassociate_ucontext(ucontext); ib_uverbs_cleanup_ucontext(file, ucontext); } _______________________________________________ svn-src-all@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to "svn-src-all-unsubscr...@freebsd.org"
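Review bot: In the second hunk (@@ -1291,6 +1290,7) the moved `ib_uverbs_event_handler(&file->event_handler, &event);` call lands between the block comment ending "(e.g mmput). */" and `ib_dev->disassociate_ucontext(ucontext);`, the line that comment used to sit directly above, so the comment now reads as if it describes the event dispatch. Place the call above that comment, or give it its own one-line comment saying that the fatal event is only delivered once a ucontext exists, since per the log message the event file is not allocated before ib_uverbs_get_context has run. The condition that guards this block is outside the visible context, so it is worth confirming that the block is entered only when `ucontext`, read from `file->ucontext` under `cleanup_mutex` in the first hunk, is non-NULL; the fix depends entirely on that check.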