Fix NULL pointer dereference during device removal in ibcore.

As part of ib_uverbs_remove_one which might be triggered upon reset flow, we trigger IB_EVENT_DEVICE_FATAL event to userspace application. If device was removed after uverbs fd was opened but before ib_uverbs_get_context was called, the event file will be accessed before it was allocated, result in NULL pointer dereference: Linux commit: 870201f95fcbd19538aef630393fe9d583eff82e MFC after: 1 week Sponsored by: Mellanox Technologies
2018-07-17 09:16:54 +00:00 · 2018-07-17 09:16:54 +00:00 · b76d21e418
commit b76d21e418
parent 81f6270976
1 changed files with 1 additions and 1 deletions
--- a/sys/ofed/drivers/infiniband/core/ib_uverbs_main.c
+++ b/sys/ofed/drivers/infiniband/core/ib_uverbs_main.c
@ -1274,7 +1274,6 @@ static void ib_uverbs_free_hw_resources(struct ib_uverbs_device *uverbs_dev,
 		kref_get(&file->ref);
 		mutex_unlock(&uverbs_dev->lists_mutex);

-		ib_uverbs_event_handler(&file->event_handler, &event);

 		mutex_lock(&file->cleanup_mutex);
 		ucontext = file->ucontext;
@ -1291,6 +1290,7 @@ static void ib_uverbs_free_hw_resources(struct ib_uverbs_device *uverbs_dev,
 			 * for example due to freeing the resources
 			 * (e.g mmput).
 			 */
+			ib_uverbs_event_handler(&file->event_handler, &event);
 			ib_dev->disassociate_ucontext(ucontext);
 			ib_uverbs_cleanup_ucontext(file, ucontext);
 		}