projects / platform / kernel / linux-rpi.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: f17966f)
bnxt_re: fix a crash in qp error event processing
authorSriharsha Basavapatna <sriharsha.basavapatna@broadcom.com>
Tue, 31 Oct 2017 09:29:17 +0000 (14:59 +0530)
committerDoug Ledford <dledford@redhat.com>
Mon, 13 Nov 2017 20:01:25 +0000 (15:01 -0500)
In bnxt_qplib_process_qp_event(), for qp error events we look up the
qp-handle and pass it for further processing. But we don't check if the
handle is NULL. This could lead to a crash in the called functions when
that qp-handle is dereferenced, if the qp is destroyed in the meantime.
Fix this by checking for a valid qp-handle in that function.

Signed-off-by: Sriharsha Basavapatna <sriharsha.basavapatna@broadcom.com>
Signed-off-by: Doug Ledford <dledford@redhat.com>
drivers/infiniband/hw/bnxt_re/qplib_rcfw.c patch | blob | history

diff --git a/drivers/infiniband/hw/bnxt_re/qplib_rcfw.c b/drivers/infiniband/hw/bnxt_re/qplib_rcfw.c
index 6d11614..a7b5de3 100644 (file)
--- a/drivers/infiniband/hw/bnxt_re/qplib_rcfw.c
+++ b/drivers/infiniband/hw/bnxt_re/qplib_rcfw.c
@@ -302,6 +302,8 @@ static int bnxt_qplib_process_qp_event(struct bnxt_qplib_rcfw *rcfw,
                        "QPLIB: qpid 0x%x, req_err=0x%x, resp_err=0x%x\n",
                        qp_id, err_event->req_err_state_reason,
                        err_event->res_err_state_reason);
+               if (!qp)
+                       break;
                bnxt_qplib_acquire_cq_locks(qp, &flags);
                bnxt_qplib_mark_qp_error(qp);
                bnxt_qplib_release_cq_locks(qp, &flags);
Domain: System / Kernel;