net/mlx5: Avoid dereferencing uninitialized pointer

Submitted by Talat Batheesh on March 29, 2017, 10:49 a.m.

Details

Message ID 1490784571-52869-1-git-send-email-talatb@mellanox.com
State New

Commit Message

Talat Batheesh March 29, 2017, 10:49 a.m.
BugLink: http://bugs.launchpad.net/bugs/1676786

In NETDEV_CHANGEUPPER event the upper_info field is valid
only when linking is true. Otherwise it should be ignored.

Fixes: 7907f23adc18 (net/mlx5: Implement RoCE LAG feature)
Signed-off-by: Talat Batheesh <talatb@mellanox.com>
Reviewed-by: Aviv Heller <avivh@mellanox.com>
Reviewed-by: Moni Shoua <monis@mellanox.com>
Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
(cherry picked from commit e497ec680c4cd51e76bfcdd49363d9ab8d32a757)
---
 drivers/net/ethernet/mellanox/mlx5/core/lag.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

Comments

Tim Gardner March 29, 2017, 12:20 p.m.
On 03/29/2017 04:49 AM, Talat Batheesh wrote:
> BugLink: http://bugs.launchpad.net/bugs/1676786
> 
> In NETDEV_CHANGEUPPER event the upper_info field is valid
> only when linking is true. Otherwise it should be ignored.
> 
> Fixes: 7907f23adc18 (net/mlx5: Implement RoCE LAG feature)
> Signed-off-by: Talat Batheesh <talatb@mellanox.com>
> Reviewed-by: Aviv Heller <avivh@mellanox.com>
> Reviewed-by: Moni Shoua <monis@mellanox.com>
> Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
> Signed-off-by: David S. Miller <davem@davemloft.net>
> (cherry picked from commit e497ec680c4cd51e76bfcdd49363d9ab8d32a757)
> ---
>  drivers/net/ethernet/mellanox/mlx5/core/lag.c | 5 +++--
>  1 file changed, 3 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/net/ethernet/mellanox/mlx5/core/lag.c b/drivers/net/ethernet/mellanox/mlx5/core/lag.c
> index 5595724..b5d5519 100644
> --- a/drivers/net/ethernet/mellanox/mlx5/core/lag.c
> +++ b/drivers/net/ethernet/mellanox/mlx5/core/lag.c
> @@ -294,7 +294,7 @@ static int mlx5_handle_changeupper_event(struct mlx5_lag *ldev,
>  					 struct netdev_notifier_changeupper_info *info)
>  {
>  	struct net_device *upper = info->upper_dev, *ndev_tmp;
> -	struct netdev_lag_upper_info *lag_upper_info;
> +	struct netdev_lag_upper_info *lag_upper_info = NULL;
>  	bool is_bonded;
>  	int bond_status = 0;
>  	int num_slaves = 0;
> @@ -303,7 +303,8 @@ static int mlx5_handle_changeupper_event(struct mlx5_lag *ldev,
>  	if (!netif_is_lag_master(upper))
>  		return 0;
>  
> -	lag_upper_info = info->upper_info;
> +	if (info->linking)
> +		lag_upper_info = info->upper_info;
>  
>  	/* The event may still be of interest if the slave does not belong to
>  	 * us, but is enslaved to a master which has one or more of our netdevs
> 

I can't find this patch in linux or linux-next so I'm marking it SAUCE.
A patch is 'cherry picked' only when it comes from Linus' repository, or
sometimes linux-next.

Talat Batheesh March 29, 2017, 12:27 p.m.
You are right,
This patch is fresh; it was submitted yesterday and applied to David S. Miller's tree.

You can find it in this tree
dave_net        git://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git (fetch)

Thanks,
Talat

-----Original Message-----
From: Tim Gardner [mailto:tim.gardner@canonical.com] 
Sent: Wednesday, March 29, 2017 3:21 PM
To: Talat Batheesh <talatb@mellanox.com>; kernel-team@lists.canonical.com
Cc: Noa Spanier <noas@mellanox.com>
Subject: APPLIED: [PATCH] net/mlx5: Avoid dereferencing uninitialized pointer

On 03/29/2017 04:49 AM, Talat Batheesh wrote:
> BugLink: http://bugs.launchpad.net/bugs/1676786
> 
> In NETDEV_CHANGEUPPER event the upper_info field is valid only when 
> linking is true. Otherwise it should be ignored.
> 
> Fixes: 7907f23adc18 (net/mlx5: Implement RoCE LAG feature)
> Signed-off-by: Talat Batheesh <talatb@mellanox.com>
> Reviewed-by: Aviv Heller <avivh@mellanox.com>
> Reviewed-by: Moni Shoua <monis@mellanox.com>
> Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
> Signed-off-by: David S. Miller <davem@davemloft.net> (cherry picked 
> from commit e497ec680c4cd51e76bfcdd49363d9ab8d32a757)
> ---
>  drivers/net/ethernet/mellanox/mlx5/core/lag.c | 5 +++--
>  1 file changed, 3 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/net/ethernet/mellanox/mlx5/core/lag.c 
> b/drivers/net/ethernet/mellanox/mlx5/core/lag.c
> index 5595724..b5d5519 100644
> --- a/drivers/net/ethernet/mellanox/mlx5/core/lag.c
> +++ b/drivers/net/ethernet/mellanox/mlx5/core/lag.c
> @@ -294,7 +294,7 @@ static int mlx5_handle_changeupper_event(struct mlx5_lag *ldev,
>  					 struct netdev_notifier_changeupper_info *info)  {
>  	struct net_device *upper = info->upper_dev, *ndev_tmp;
> -	struct netdev_lag_upper_info *lag_upper_info;
> +	struct netdev_lag_upper_info *lag_upper_info = NULL;
>  	bool is_bonded;
>  	int bond_status = 0;
>  	int num_slaves = 0;
> @@ -303,7 +303,8 @@ static int mlx5_handle_changeupper_event(struct mlx5_lag *ldev,
>  	if (!netif_is_lag_master(upper))
>  		return 0;
>  
> -	lag_upper_info = info->upper_info;
> +	if (info->linking)
> +		lag_upper_info = info->upper_info;
>  
>  	/* The event may still be of interest if the slave does not belong to
>  	 * us, but is enslaved to a master which has one or more of our 
> netdevs
> 

I can't find this patch in linux or linux-next so I'm marking it SAUCE.
A patch is 'cherry picked' only when it comes from Linus' repository, or sometimes linux-next.

--
Tim Gardner tim.gardner@canonical.com

Patch

diff --git a/drivers/net/ethernet/mellanox/mlx5/core/lag.c b/drivers/net/ethernet/mellanox/mlx5/core/lag.c
index 5595724..b5d5519 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/lag.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/lag.c
@@ -294,7 +294,7 @@  static int mlx5_handle_changeupper_event(struct mlx5_lag *ldev,
 					 struct netdev_notifier_changeupper_info *info)
 {
 	struct net_device *upper = info->upper_dev, *ndev_tmp;
-	struct netdev_lag_upper_info *lag_upper_info;
+	struct netdev_lag_upper_info *lag_upper_info = NULL;
 	bool is_bonded;
 	int bond_status = 0;
 	int num_slaves = 0;
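
Review bot: With `lag_upper_info` now starting as NULL in the declaration, every later use in mlx5_handle_changeupper_event has to tolerate NULL on the non-linking path, and none of those uses appear in this diff's context. Confirm that each dereference further down is reached only when `info->linking` is set, or guard it with `if (lag_upper_info)`; otherwise the change trades a read through an invalid upper_info for a NULL pointer dereference.
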
@@ -303,7 +303,8 @@  static int mlx5_handle_changeupper_event(struct mlx5_lag *ldev,
 	if (!netif_is_lag_master(upper))
 		return 0;
 
-	lag_upper_info = info->upper_info;
+	if (info->linking)
+		lag_upper_info = info->upper_info;
 
 	/* The event may still be of interest if the slave does not belong to
 	 * us, but is enslaved to a master which has one or more of our netdevs
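
Review bot: The new `if (info->linking)` guard carries no comment, so the rule stated in the commit message (upper_info is valid only when linking is true) is not recorded at the point where it matters. A one-line comment above the check would keep a later cleanup from collapsing it back to the unconditional `lag_upper_info = info->upper_info;`.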