Date: Fri, 30 Mar 2018 19:50:45 +0000 (UTC) From: Hans Petter Selasky <hselasky@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r331825 - head/sys/dev/mlx5/mlx5_core Message-ID: <201803301950.w2UJojYe016179@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: hselasky Date: Fri Mar 30 19:50:45 2018 New Revision: 331825 URL: https://svnweb.freebsd.org/changeset/base/331825 Log: Fix for use after free in mlx5core. Make sure the command completion handler is not called when the device is in internal error state. This can easily trigger use after free situations. MFC after: 3 days Sponsored by: Mellanox Technologies Modified: head/sys/dev/mlx5/mlx5_core/mlx5_eq.c Modified: head/sys/dev/mlx5/mlx5_core/mlx5_eq.c ============================================================================== --- head/sys/dev/mlx5/mlx5_core/mlx5_eq.c Fri Mar 30 19:49:35 2018 (r331824) +++ head/sys/dev/mlx5/mlx5_core/mlx5_eq.c Fri Mar 30 19:50:45 2018 (r331825) @@ -254,7 +254,8 @@ static int mlx5_eq_int(struct mlx5_core_dev *dev, stru break; case MLX5_EVENT_TYPE_CMD: - mlx5_cmd_comp_handler(dev, be32_to_cpu(eqe->data.cmd.vector)); + if (dev->state != MLX5_DEVICE_STATE_INTERNAL_ERROR) + mlx5_cmd_comp_handler(dev, be32_to_cpu(eqe->data.cmd.vector)); break; case MLX5_EVENT_TYPE_PORT_CHANGE:
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201803301950.w2UJojYe016179>