[thirdparty/kernel/stable-queue.git] / releases / 4.16.8 / ib-hfi1-fix-null-pointer-dereference-when-invalid-num_vls-is-used.patch

From 45d924571a5e1329580811f2419da61b07ac3613 Mon Sep 17 00:00:00 2001
From: Sebastian Sanchez <sebastian.sanchez@intel.com>
Date: Tue, 1 May 2018 05:35:58 -0700
Subject: IB/hfi1: Fix NULL pointer dereference when invalid num_vls is used

From: Sebastian Sanchez <sebastian.sanchez@intel.com>

commit 45d924571a5e1329580811f2419da61b07ac3613 upstream.

When an invalid num_vls is used as a module parameter, the code
execution follows an exception path where the macro dd_dev_err()
expects dd->pcidev->dev not to be NULL in hfi1_init_dd(). This
causes a NULL pointer dereference.

Fix hfi1_init_dd() by initializing dd->pcidev and dd->pcidev->dev
earlier in the code. If a dd exists, then dd->pcidev and
dd->pcidev->dev always exists.

BUG: unable to handle kernel NULL pointer dereference
at 00000000000000f0
IP: __dev_printk+0x15/0x90
Workqueue: events work_for_cpu_fn
RIP: 0010:__dev_printk+0x15/0x90
Call Trace:
 dev_err+0x6c/0x90
 ? hfi1_init_pportdata+0x38d/0x3f0 [hfi1]
 hfi1_init_dd+0xdd/0x2530 [hfi1]
 ? pci_conf1_read+0xb2/0xf0
 ? pci_read_config_word.part.9+0x64/0x80
 ? pci_conf1_write+0xb0/0xf0
 ? pcie_capability_clear_and_set_word+0x57/0x80
 init_one+0x141/0x490 [hfi1]
 local_pci_probe+0x3f/0xa0
 work_for_cpu_fn+0x10/0x20
 process_one_work+0x152/0x350
 worker_thread+0x1cf/0x3e0
 kthread+0xf5/0x130
 ? max_active_store+0x80/0x80
 ? kthread_bind+0x10/0x10
 ? do_syscall_64+0x6e/0x1a0
 ? SyS_exit_group+0x10/0x10
 ret_from_fork+0x35/0x40

Cc: <stable@vger.kernel.org> # 4.9.x
Reviewed-by: Mike Marciniszyn <mike.marciniszyn@intel.com>
Reviewed-by: Michael J. Ruhl <michael.j.ruhl@intel.com>
Signed-off-by: Sebastian Sanchez <sebastian.sanchez@intel.com>
Signed-off-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
Signed-off-by: Doug Ledford <dledford@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/infiniband/hw/hfi1/init.c |    2 ++
 drivers/infiniband/hw/hfi1/pcie.c |    3 ---
 2 files changed, 2 insertions(+), 3 deletions(-)

--- a/drivers/infiniband/hw/hfi1/init.c
+++ b/drivers/infiniband/hw/hfi1/init.c
@@ -1265,6 +1265,8 @@ struct hfi1_devdata *hfi1_alloc_devdata(
 		return ERR_PTR(-ENOMEM);
 	dd->num_pports = nports;
 	dd->pport = (struct hfi1_pportdata *)(dd + 1);
+	dd->pcidev = pdev;
+	pci_set_drvdata(pdev, dd);
 
 	INIT_LIST_HEAD(&dd->list);
 	idr_preload(GFP_KERNEL);
--- a/drivers/infiniband/hw/hfi1/pcie.c
+++ b/drivers/infiniband/hw/hfi1/pcie.c
@@ -163,9 +163,6 @@ int hfi1_pcie_ddinit(struct hfi1_devdata
 	resource_size_t addr;
 	int ret = 0;
 
-	dd->pcidev = pdev;
-	pci_set_drvdata(pdev, dd);
-
 	addr = pci_resource_start(pdev, 0);
 	len = pci_resource_len(pdev, 0);
Commit	Line	Data
56a10581 GKH	1	From 45d924571a5e1329580811f2419da61b07ac3613 Mon Sep 17 00:00:00 2001
	2	From: Sebastian Sanchez <sebastian.sanchez@intel.com>
	3	Date: Tue, 1 May 2018 05:35:58 -0700
	4	Subject: IB/hfi1: Fix NULL pointer dereference when invalid num_vls is used
	5
	6	From: Sebastian Sanchez <sebastian.sanchez@intel.com>
	7
	8	commit 45d924571a5e1329580811f2419da61b07ac3613 upstream.
	9
	10	When an invalid num_vls is used as a module parameter, the code
	11	execution follows an exception path where the macro dd_dev_err()
	12	expects dd->pcidev->dev not to be NULL in hfi1_init_dd(). This
	13	causes a NULL pointer dereference.
	14
	15	Fix hfi1_init_dd() by initializing dd->pcidev and dd->pcidev->dev
	16	earlier in the code. If a dd exists, then dd->pcidev and
	17	dd->pcidev->dev always exists.
	18
	19	BUG: unable to handle kernel NULL pointer dereference
	20	at 00000000000000f0
	21	IP: __dev_printk+0x15/0x90
	22	Workqueue: events work_for_cpu_fn
	23	RIP: 0010:__dev_printk+0x15/0x90
	24	Call Trace:
	25	dev_err+0x6c/0x90
	26	? hfi1_init_pportdata+0x38d/0x3f0 [hfi1]
	27	hfi1_init_dd+0xdd/0x2530 [hfi1]
	28	? pci_conf1_read+0xb2/0xf0
	29	? pci_read_config_word.part.9+0x64/0x80
	30	? pci_conf1_write+0xb0/0xf0
	31	? pcie_capability_clear_and_set_word+0x57/0x80
	32	init_one+0x141/0x490 [hfi1]
	33	local_pci_probe+0x3f/0xa0
	34	work_for_cpu_fn+0x10/0x20
	35	process_one_work+0x152/0x350
	36	worker_thread+0x1cf/0x3e0
	37	kthread+0xf5/0x130
	38	? max_active_store+0x80/0x80
	39	? kthread_bind+0x10/0x10
	40	? do_syscall_64+0x6e/0x1a0
	41	? SyS_exit_group+0x10/0x10
	42	ret_from_fork+0x35/0x40
	43
	44	Cc: <stable@vger.kernel.org> # 4.9.x
	45	Reviewed-by: Mike Marciniszyn <mike.marciniszyn@intel.com>
	46	Reviewed-by: Michael J. Ruhl <michael.j.ruhl@intel.com>
	47	Signed-off-by: Sebastian Sanchez <sebastian.sanchez@intel.com>
	48	Signed-off-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
	49	Signed-off-by: Doug Ledford <dledford@redhat.com>
	50	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	51
	52	---
	53	drivers/infiniband/hw/hfi1/init.c \| 2 ++
	54	drivers/infiniband/hw/hfi1/pcie.c \| 3 ---
	55	2 files changed, 2 insertions(+), 3 deletions(-)
	56
	57	--- a/drivers/infiniband/hw/hfi1/init.c
	58	+++ b/drivers/infiniband/hw/hfi1/init.c
	59	@@ -1265,6 +1265,8 @@ struct hfi1_devdata *hfi1_alloc_devdata(
	60	return ERR_PTR(-ENOMEM);
	61	dd->num_pports = nports;
	62	dd->pport = (struct hfi1_pportdata *)(dd + 1);
	63	+ dd->pcidev = pdev;
	64	+ pci_set_drvdata(pdev, dd);
65
66	INIT_LIST_HEAD(&dd->list);
67	idr_preload(GFP_KERNEL);
68	--- a/drivers/infiniband/hw/hfi1/pcie.c
69	+++ b/drivers/infiniband/hw/hfi1/pcie.c
70	@@ -163,9 +163,6 @@ int hfi1_pcie_ddinit(struct hfi1_devdata
71	resource_size_t addr;
72	int ret = 0;
73
74	- dd->pcidev = pdev;
75	- pci_set_drvdata(pdev, dd);
76	-
77	addr = pci_resource_start(pdev, 0);
78	len = pci_resource_len(pdev, 0);
79