Patch "ionic: catch NULL pointer issue on reconfig" has been added to the 5.10-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Wed, 26 Oct 2022 21:54:17 -0400

This is a note to let you know that I've just added the patch titled

    ionic: catch NULL pointer issue on reconfig

to the 5.10-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     ionic-catch-null-pointer-issue-on-reconfig.patch
and it can be found in the queue-5.10 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 80770d513ebb3eba4958bc0eeb817f3dae31de82
Author: Brett Creeley <brett@xxxxxxxxxxx>
Date:   Mon Oct 17 16:31:23 2022 -0700

    ionic: catch NULL pointer issue on reconfig
    
    [ Upstream commit aa1d7e1267c12e07d979aa34c613716a89029db2 ]
    
    It's possible that the driver will dereference a qcq that doesn't exist
    when calling ionic_reconfigure_queues(), which causes a page fault BUG.
    
    If a reduction in the number of queues is followed by a different
    reconfig such as changing the ring size, the driver can hit a NULL
    pointer when trying to clean up non-existent queues.
    
    Fix this by checking to make sure both the qcqs array and qcq entry
    exists bofore trying to use and free the entry.
    
    Fixes: 101b40a0171f ("ionic: change queue count with no reset")
    Signed-off-by: Brett Creeley <brett@xxxxxxxxxxx>
    Signed-off-by: Shannon Nelson <snelson@xxxxxxxxxxx>
    Link: https://lore.kernel.org/r/20221017233123.15869-1-snelson@xxxxxxxxxxx
    Signed-off-by: Jakub Kicinski <kuba@xxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/net/ethernet/pensando/ionic/ionic_lif.c b/drivers/net/ethernet/pensando/ionic/ionic_lif.c
index e42520f909fe..cb12d0171517 100644
--- a/drivers/net/ethernet/pensando/ionic/ionic_lif.c
+++ b/drivers/net/ethernet/pensando/ionic/ionic_lif.c
@@ -2383,11 +2383,15 @@ int ionic_reconfigure_queues(struct ionic_lif *lif,
 	 * than the full array, but leave the qcq shells in place
 	 */
 	for (i = lif->nxqs; i < lif->ionic->ntxqs_per_lif; i++) {
-		lif->txqcqs[i]->flags &= ~IONIC_QCQ_F_INTR;
-		ionic_qcq_free(lif, lif->txqcqs[i]);
+		if (lif->txqcqs && lif->txqcqs[i]) {
+			lif->txqcqs[i]->flags &= ~IONIC_QCQ_F_INTR;
+			ionic_qcq_free(lif, lif->txqcqs[i]);
+		}
 
-		lif->rxqcqs[i]->flags &= ~IONIC_QCQ_F_INTR;
-		ionic_qcq_free(lif, lif->rxqcqs[i]);
+		if (lif->rxqcqs && lif->rxqcqs[i]) {
+			lif->rxqcqs[i]->flags &= ~IONIC_QCQ_F_INTR;
+			ionic_qcq_free(lif, lif->rxqcqs[i]);
+		}
 	}
 
 	return err;






