Date:      Thu, 2 Aug 2018 08:20:11 +0000 (UTC)
From:      Hans Petter Selasky <hselasky@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org
Subject:   svn commit: r337082 - stable/11/sys/ofed/drivers/infiniband/core
Message-ID:  <201808020820.w728KB0B039910@repo.freebsd.org>

Author: hselasky
Date: Thu Aug  2 08:20:11 2018
New Revision: 337082
URL: https://svnweb.freebsd.org/changeset/base/337082

Log:
  MFC r336376:
  Fix NULL pointer dereference during device removal in ibcore.
  
  As part of ib_uverbs_remove_one which might be triggered upon
  reset flow, we trigger IB_EVENT_DEVICE_FATAL event to userspace
  application.
  If device was removed after uverbs fd was opened but before
  ib_uverbs_get_context was called, the event file will be accessed
  before it was allocated, resulting in NULL pointer dereference:
  
  Linux commit:
  870201f95fcbd19538aef630393fe9d583eff82e
  
  Sponsored by:		Mellanox Technologies

Modified:
  stable/11/sys/ofed/drivers/infiniband/core/ib_uverbs_main.c
Directory Properties:
  stable/11/   (props changed)

Modified: stable/11/sys/ofed/drivers/infiniband/core/ib_uverbs_main.c
==============================================================================
--- stable/11/sys/ofed/drivers/infiniband/core/ib_uverbs_main.c	Thu Aug  2 08:19:08 2018	(r337081)
+++ stable/11/sys/ofed/drivers/infiniband/core/ib_uverbs_main.c	Thu Aug  2 08:20:11 2018	(r337082)
@@ -1274,7 +1274,6 @@ static void ib_uverbs_free_hw_resources(struct ib_uver
 		kref_get(&file->ref);
 		mutex_unlock(&uverbs_dev->lists_mutex);
 
-		ib_uverbs_event_handler(&file->event_handler, &event);
 
 		mutex_lock(&file->cleanup_mutex);
 		ucontext = file->ucontext;
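Review bot: Dropping the ib_uverbs_event_handler() call here leaves two consecutive blank lines between mutex_unlock(&uverbs_dev->lists_mutex) and mutex_lock(&file->cleanup_mutex); one of them should go with the removed line. It would also help to leave a short comment at this spot saying that the fatal event is deliberately not dispatched until file->ucontext has been read, so a later cleanup does not move the call back in front of the check.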
@@ -1291,6 +1290,7 @@ static void ib_uverbs_free_hw_resources(struct ib_uver
 			 * for example due to freeing the resources
 			 * (e.g mmput).
 			 */
+			ib_uverbs_event_handler(&file->event_handler, &event);
 			ib_dev->disassociate_ucontext(ucontext);
 			ib_uverbs_cleanup_ucontext(file, ucontext);
 		}
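Review bot: The new ib_uverbs_event_handler() call sits directly under the existing block comment that ends with "(e.g mmput)", so that comment now reads as if it describes the event dispatch rather than disassociate_ucontext(). Consider placing the call above the comment, or adding one line stating that the event is sent only once a ucontext exists because the event file is not allocated before ib_uverbs_get_context runs, as the log message explains. The hunk also does not show whether cleanup_mutex, taken in the previous hunk, is still held at this point; it is worth confirming that the handler is meant to run in that locking state now that it has moved past the mutex_lock().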
