Commit 73ee9c60 authored Oct 17, 2022 by Brett Creeley Committed by Lipeng Sang May 18, 2023

ionic: catch NULL pointer issue on reconfig

stable inclusion
from stable-v5.10.152
commit 191d71c6357ef6e64b07e37b1e28c44480526d5a
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I73HJ0

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=191d71c6357ef6e64b07e37b1e28c44480526d5a



--------------------------------

[ Upstream commit aa1d7e12 ]

It's possible that the driver will dereference a qcq that doesn't exist
when calling ionic_reconfigure_queues(), which causes a page fault BUG.

If a reduction in the number of queues is followed by a different
reconfig such as changing the ring size, the driver can hit a NULL
pointer when trying to clean up non-existent queues.

Fix this by checking to make sure both the qcqs array and qcq entry
exists bofore trying to use and free the entry.

Fixes: 101b40a0 ("ionic: change queue count with no reset")
Signed-off-by: Brett Creeley <brett@pensando.io>
Signed-off-by: Shannon Nelson <snelson@pensando.io>
Link: https://lore.kernel.org/r/20221017233123.15869-1-snelson@pensando.io


Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Lipeng Sang <sanglipeng1@jd.com>

parent 98b75211

drivers/net/ethernet/pensando/ionic/ionic_lif.c

+8 −4

Original line number	Diff line number	Diff line
		@@ -2383,12 +2383,16 @@ int ionic_reconfigure_queues(struct ionic_lif *lif,
		* than the full array, but leave the qcq shells in place
		*/
		for (i = lif->nxqs; i < lif->ionic->ntxqs_per_lif; i++) {
		if (lif->txqcqs && lif->txqcqs[i]) {
		lif->txqcqs[i]->flags &= ~IONIC_QCQ_F_INTR;
		ionic_qcq_free(lif, lif->txqcqs[i]);
		}

		if (lif->rxqcqs && lif->rxqcqs[i]) {
		lif->rxqcqs[i]->flags &= ~IONIC_QCQ_F_INTR;
		ionic_qcq_free(lif, lif->rxqcqs[i]);
		}
		}

		return err;
		}