Null pointer check is missing in addr_resolve as
dev_get_by_index may return a NULL pointer.
And this patch will check whether ndev is NULL
and further access the same .
We observed the issue where the sytem crashed in the below code
if (ndev->flags & IFF_LOOPBACK)
{
ret = rdma_translate_ip (dst_in, addr, NULL);
/*
* Put the loopback device and get the translated
* device instead.
*/
dev_put (ndev);
ndev = dev_get_by_index (addr->net, addr->bound_dev_if);
/*Bug: dev_get_by_index returns null*/
}
else
{
addr->bound_dev_if = ndev->ifindex;
}
dev_put (ndev) <== system crashed
And below is the crash
[ 146.173149] BUG: unable to handle kernel NULL pointer dereference at
00000000000004a0
[ 146.173198] IP: addr_resolve+0x9e/0x3e0 [ib_core]
[ 146.173221] PGD 0 P4D 0
[ 146.173869] Oops: 0000 [#1] SMP PTI
[ 146.182859] CPU: 8 PID: 127 Comm: kworker/8:1 Tainted: G O
4.15.0-rc6+ #18
[ 146.183758] Hardware name: LENOVO System x3650 M5: -[8871AC1]-/01KN179,
BIOS-[TCE132H-2.50]- 10/11/2017
[ 146.184691] Workqueue: ib_cm cm_work_handler [ib_cm]
[ 146.185632] RIP: 0010:addr_resolve+0x9e/0x3e0 [ib_core]
[ 146.186584] RSP: 0018:ffffc9000362faa0 EFLAGS: 00010246
[ 146.187521] RAX: 000000000000001b RBX: ffffc9000362fc08 RCX:
0000000000000006
[ 146.188472] RDX: 0000000000000000 RSI: 0000000000000096 RDI:
ffff88087fc16990
[ 146.189427] RBP: ffffc9000362fb18 R08: 00000000ffffff9d R09:
00000000000004ac
[ 146.190392] R10: 00000000000001e7 R11: 0000000000000001 R12:
ffff88086af2e090
[ 146.191361] R13: 0000000000000000 R14: 0000000000000001 R15:
00000000ffffff9d
[ 146.192327] FS: 0000000000000000(0000) GS:ffff88087fc00000(0000)
knlGS:0000000000000000
[ 146.193301] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 146.194274] CR2: 00000000000004a0 CR3: 000000000220a002 CR4:
00000000003606e0
[ 146.195258] DR0: 0000000000000000 DR1: 0000000000000000 DR2:
0000000000000000
[ 146.196256] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7:
0000000000000400
[ 146.197231] Call Trace:
[ 146.198209] ? rdma_addr_register_client+0x30/0x30 [ib_core]
[ 146.199199] rdma_resolve_ip+0x1af/0x280 [ib_core]
[ 146.200196] rdma_addr_find_l2_eth_by_grh+0x154/0x2b0 [ib_core]
Signed-off-by: Muneendra <muneendra.kumar@xxxxxxxxxxxx>
---
drivers/infiniband/core/addr.c | 13 +++++++++----
1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/drivers/infiniband/core/addr.c
b/drivers/infiniband/core/addr.c
index a5b4cf0..d61ed45 100644
--- a/drivers/infiniband/core/addr.c
+++ b/drivers/infiniband/core/addr.c
@@ -523,7 +523,8 @@ static int addr_resolve(struct sockaddr *src_in,
ndev = dev_get_by_index(addr->net,
addr->bound_dev_if);
} else {
ndev = rt->dst.dev;
- dev_hold(ndev);
+ if (ndev)
+ dev_hold(ndev);
}
ip_rt_put(rt);
@@ -544,7 +545,8 @@ static int addr_resolve(struct sockaddr *src_in,
ndev = dev_get_by_index(addr->net,
addr->bound_dev_if);
} else {
ndev = dst->dev;
- dev_hold(ndev);
+ if (ndev)
+ dev_hold(ndev);
}
dst_release(dst);
@@ -556,12 +558,15 @@ static int addr_resolve(struct sockaddr *src_in,
* Put the loopback device and get the translated
* device instead.
*/
- dev_put(ndev);
+ if (ndev)
+ dev_put(ndev);
ndev = dev_get_by_index(addr->net, addr->bound_dev_if);
} else {
addr->bound_dev_if = ndev->ifindex;
}
- dev_put(ndev);
+ /*The ndev could be null */
+ if (ndev)
+ dev_put(ndev);
return ret;
}
--
1.8.3.1
--
To unsubscribe from this list: send the line "unsubscribe linux-rdma" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
