Date: Tue, 3 Apr 2018 09:31:30 +0000 (UTC) From: Hans Petter Selasky <hselasky@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org Subject: svn commit: r331918 - stable/11/sys/dev/mlx5/mlx5_core Message-ID: <201804030931.w339VU2i047530@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: hselasky Date: Tue Apr 3 09:31:30 2018 New Revision: 331918 URL: https://svnweb.freebsd.org/changeset/base/331918 Log: MFC r331825: Fix for use after free in mlx5core. Make sure the command completion handler is not called when the device is in internal error state. This can easily trigger use after free situations. Sponsored by: Mellanox Technologies Modified: stable/11/sys/dev/mlx5/mlx5_core/mlx5_eq.c Directory Properties: stable/11/ (props changed) Modified: stable/11/sys/dev/mlx5/mlx5_core/mlx5_eq.c ============================================================================== --- stable/11/sys/dev/mlx5/mlx5_core/mlx5_eq.c Tue Apr 3 09:30:40 2018 (r331917) +++ stable/11/sys/dev/mlx5/mlx5_core/mlx5_eq.c Tue Apr 3 09:31:30 2018 (r331918) @@ -254,7 +254,8 @@ static int mlx5_eq_int(struct mlx5_core_dev *dev, stru break; case MLX5_EVENT_TYPE_CMD: - mlx5_cmd_comp_handler(dev, be32_to_cpu(eqe->data.cmd.vector)); + if (dev->state != MLX5_DEVICE_STATE_INTERNAL_ERROR) + mlx5_cmd_comp_handler(dev, be32_to_cpu(eqe->data.cmd.vector)); break; case MLX5_EVENT_TYPE_PORT_CHANGE:
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201804030931.w339VU2i047530>