svn commit: r348412 - head/sys/dev/ena

Marcin Wojtas mw at FreeBSD.org
Thu May 30 13:42:54 UTC 2019 

Author: mw
Date: Thu May 30 13:42:52 2019
New Revision: 348412
URL: https://svnweb.freebsd.org/changeset/base/348412

Log:
  Fix NULL pointer dereference in ena_up()
  
  If the call to ena_up() in ena_restore_device() fails, next usage of
  `ifconfig up` will cause NULL pointer dereference.
  
  This patch adds additional checks to prevent that.
  
  Submitted by:  Rafal Kozik <rk at semihalf.com>
  Obtained from: Semihalf
  Sponsored by:  Amazon, Inc.

Modified:
  head/sys/dev/ena/ena.c

Modified: head/sys/dev/ena/ena.c
==============================================================================
--- head/sys/dev/ena/ena.c	Thu May 30 13:41:39 2019	(r348411)
+++ head/sys/dev/ena/ena.c	Thu May 30 13:42:52 2019	(r348412)
@@ -134,7 +134,7 @@ static void	ena_cleanup(void *arg, int pending);
 static int	ena_handle_msix(void *);
 static int	ena_enable_msix(struct ena_adapter *);
 static void	ena_setup_mgmnt_intr(struct ena_adapter *);
-static void	ena_setup_io_intr(struct ena_adapter *);
+static int	ena_setup_io_intr(struct ena_adapter *);
 static int	ena_request_mgmnt_irq(struct ena_adapter *);
 static int	ena_request_io_irq(struct ena_adapter *);
 static void	ena_free_mgmnt_irq(struct ena_adapter *);
@@ -1969,12 +1969,15 @@ ena_setup_mgmnt_intr(struct ena_adapter *adapter)
 	    adapter->msix_entries[ENA_MGMNT_IRQ_IDX].vector;
 }
 
-static void
+static int
 ena_setup_io_intr(struct ena_adapter *adapter)
 {
 	static int last_bind_cpu = -1;
 	int irq_idx;
 
+	if (adapter->msix_entries == NULL)
+		return (EINVAL);
+
 	for (int i = 0; i < adapter->num_queues; i++) {
 		irq_idx = ENA_IO_IRQ_IDX(i);
 
@@ -1997,6 +2000,8 @@ ena_setup_io_intr(struct ena_adapter *adapter)
 		    last_bind_cpu;
 		last_bind_cpu = CPU_NEXT(last_bind_cpu);
 	}
+
+	return (0);
 }
 
 static int
@@ -2290,11 +2295,15 @@ ena_up(struct ena_adapter *adapter)
 		device_printf(adapter->pdev, "device is going UP\n");
 
 		/* setup interrupts for IO queues */
-		ena_setup_io_intr(adapter);
+		rc = ena_setup_io_intr(adapter);
+		if (unlikely(rc != 0)) {
+			ena_trace(ENA_ALERT, "error setting up IO interrupt\n");
+			goto error;
+		}
 		rc = ena_request_io_irq(adapter);
 		if (unlikely(rc != 0)) {
 			ena_trace(ENA_ALERT, "err_req_irq\n");
-			goto err_req_irq;
+			goto error;
 		}
 
 		/* allocate transmit descriptors */
@@ -2351,7 +2360,7 @@ err_setup_rx:
 	ena_free_all_tx_resources(adapter);
 err_setup_tx:
 	ena_free_io_irq(adapter);
-err_req_irq:
+error:
 	return (rc);
 }

More information about the svn-src-head mailing list