A failing call to ib_device_set_netdev() during device creation caused system crash due to xa_destroy of uninitialized xarray hit by device deallocation. Fixed by moving xarray initialization before potential device deallocation. Fixes also correct propagation of ib_device_set_netdev() failure to caller.
Reported-by: syzbot+2e80962bedd9559fe0b3@xxxxxxxxxxxxxxxxxxxxxxxxx
Signed-off-by: Bernard Metzler <bmt@xxxxxxxxxxxxxx>
---
 drivers/infiniband/sw/siw/siw_main.c | 39 ++++++++++++++--------------
 1 file changed, 20 insertions(+), 19 deletions(-)
diff --git a/drivers/infiniband/sw/siw/siw_main.c b/drivers/infiniband/sw/siw/siw_main.c
index 96ed349c0939..839decfd9032 100644
--- a/drivers/infiniband/sw/siw/siw_main.c
+++ b/drivers/infiniband/sw/siw/siw_main.c
@@ -303,7 +303,7 @@ static const struct ib_device_ops siw_device_ops = {
 static struct siw_device *siw_device_create(struct net_device *netdev)
 {
- struct siw_device *sdev = NULL;
+ struct siw_device *sdev;
 struct ib_device *base_dev;
 struct device *parent = netdev->dev.parent;
 int rv;
@@ -319,13 +319,13 @@ static struct siw_device *siw_device_create(struct net_device *netdev)
 if (netdev->type != ARPHRD_LOOPBACK) {
 pr_warn("siw: device %s error: no parent device\n", netdev->name);
- return NULL;
+ return ERR_PTR(-EINVAL);
 }
 parent = &netdev->dev;
 }
 sdev = ib_alloc_device(siw_device, base_dev);
 if (!sdev)
- return NULL;
+ return ERR_PTR(-ENOMEM);
 base_dev = &sdev->base_dev;
@@ -388,6 +388,9 @@ static struct siw_device *siw_device_create(struct net_device *netdev)
 { .max_segment_size = SZ_2G };
 base_dev->num_comp_vectors = num_possible_cpus();
+ xa_init_flags(&sdev->qp_xa, XA_FLAGS_ALLOC1);
+ xa_init_flags(&sdev->mem_xa, XA_FLAGS_ALLOC1);
+
 ib_set_device_ops(base_dev, &siw_device_ops);
 rv = ib_device_set_netdev(base_dev, netdev, 1);
 if (rv)
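Review bot: The two xa_init_flags() calls added in the @@ -388 hunk carry no comment recording why they must now run before ib_device_set_netdev(), so a later tidy-up could move them back next to the other attribute setup (where the @@ -415 hunk removes them) and silently reintroduce the crash the commit message describes. A one-line comment above them would pin the ordering, e.g. `/* Must precede the first goto error: device deallocation calls xa_destroy() on both xarrays. */`. The `goto error` that follows `if (rv)`, and the rest of siw_device_create, lie outside this hunk.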
@@ -415,9 +418,6 @@ static struct siw_device *siw_device_create(struct net_device *netdev)
 sdev->attrs.max_srq_wr = SIW_MAX_SRQ_WR;
 sdev->attrs.max_srq_sge = SIW_MAX_SGE;
- xa_init_flags(&sdev->qp_xa, XA_FLAGS_ALLOC1);
- xa_init_flags(&sdev->mem_xa, XA_FLAGS_ALLOC1);
-
 INIT_LIST_HEAD(&sdev->cep_list);
 INIT_LIST_HEAD(&sdev->qp_list);
@@ -435,7 +435,7 @@ static struct siw_device *siw_device_create(struct net_device *netdev)
 error:
 ib_dealloc_device(base_dev);
- return NULL;
+ return ERR_PTR(rv);
 }
 /*
@@ -542,8 +542,8 @@ static struct notifier_block siw_netdev_nb = {
 static int siw_newlink(const char *basedev_name, struct net_device *netdev)
 {
 struct ib_device *base_dev;
- struct siw_device *sdev = NULL;
- int rv = -ENOMEM;
+ struct siw_device *sdev;
+ int rv;
 if (!siw_dev_qualified(netdev))
 return -EINVAL;
@@ -554,18 +554,19 @@ static int siw_newlink(const char *basedev_name, struct net_device *netdev)
 return -EEXIST;
 }
 sdev = siw_device_create(netdev);
- if (sdev) {
- dev_dbg(&netdev->dev, "siw: new device\n");
+ if (IS_ERR(sdev))
+ return PTR_ERR(sdev);
- if (netif_running(netdev) && netif_carrier_ok(netdev))
- sdev->state = IB_PORT_ACTIVE;
- else
- sdev->state = IB_PORT_DOWN;
+ dev_dbg(&netdev->dev, "siw: new device\n");
- rv = siw_device_register(sdev, basedev_name);
- if (rv)
- ib_dealloc_device(&sdev->base_dev);
- }
+ if (netif_running(netdev) && netif_carrier_ok(netdev))
+ sdev->state = IB_PORT_ACTIVE;
+ else
+ sdev->state = IB_PORT_DOWN;
+
+ rv = siw_device_register(sdev, basedev_name);
+ if (rv)
+ ib_dealloc_device(&sdev->base_dev);
 return rv;
 }
-- 
2.17.2
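Review bot: The `error:` label in the @@ -435 hunk now returns `ERR_PTR(rv)`, but `rv` is declared without an initializer at the top of siw_device_create (first hunk) and the only assignment to it visible in this patch is the ib_device_set_netdev() result. If any other `goto error` in the part of the function outside these hunks reaches the label without setting rv, the caller gets ERR_PTR of an indeterminate value; should that value happen to be zero or positive, the new `IS_ERR(sdev)` check in siw_newlink would not trip and the just-freed device would be used. Worth confirming that every jump to `error:` assigns rv first, or else giving the label a defined fallback such as `if (!rv) rv = -EINVAL;` hedged on what those paths actually report. The body of siw_device_create between the visible hunks is not part of this patch.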