From 82b809374bc6841d953691f4c8b7438bfa52c8de Mon Sep 17 00:00:00 2001
From: Dotan Barak <dotanb@dev.mellanox.co.il>
Date: Tue, 12 Jun 2012 11:01:41 +0300
Subject: [PATCH] ipoib: fixed NULL dereferencing in case of error flow

In case of failure, result will be equal to zero, which may
lead to NULL dereferencing and having the following kernel panic:

BUG: unable to handle kernel paging request at 00000000000010e8
IP: [<ffffffff8127b814>] __list_add+0x34/0xa0
PGD 116536067 PUD 11bc42067 PMD 0
Oops: 0002 [#1] SMP
last sysfs file: /sys/devices/pci0000:00/0000:00:07.0/infiniband/mlx4_0/node_desc
CPU 1
Modules linked in: ib_ipoib(+)(U) rdma_ucm(U) ib_ucm(U) rdma_cm(U) iw_cm(U) ib_addr(U) ib_cm(U) ib_uverbs(U) ib_umad(U) mlx4_ib(U) ib_sa(U) ib_mad(U) ib_core(U) mlx4_en(U) mlx4_core(U) netconsole configfs nfs fscache nfsd lockd nfs_acl auth_rpcgss exportfs autofs4 sunrpc ipv6 knem(U) microcode virtio_balloon memtrack(U) virtio_net snd_hda_intel snd_hda_codec snd_hwdep snd_seq snd_seq_device snd_pcm snd_timer snd soundcore snd_page_alloc i2c_piix4 i2c_core ext3 jbd mbcache virtio_blk virtio_pci virtio_ring virtio pata_acpi ata_generic ata_piix dm_mirror dm_region_hash dm_log dm_mod [last unloaded: ib_ipoib]

Pid: 2387, comm: insmod Not tainted 2.6.32-220.el6.x86_64 #1 Red Hat KVM
RIP: 0010:[<ffffffff8127b814>]  [<ffffffff8127b814>] __list_add+0x34/0xa0
RSP: 0018:ffff88011b409de8  EFLAGS: 00010246
RAX: 0000000000000004 RBX: 00000000000010e8 RCX: ffff88010868e080
RDX: ffff8801192d9e00 RSI: ffff8801192d9e00 RDI: 00000000000010e8
RBP: ffff88011b409e08 R08: ffff8801192d9e00 R09: 0a64656c69616620
R10: 0000000000000002 R11: 0000000000000000 R12: ffff8801192d9e00
R13: ffff8801192d9e00 R14: ffff88010868e6e0 R15: ffff8801192d9e00
FS:  00007f498bf4f700(0000) GS:ffff880028300000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
CR2: 00000000000010e8 CR3: 000000011896f000 CR4: 00000000000006e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Process insmod (pid: 2387, threadinfo ffff88011b408000, task ffff88010a4ccb40)
Stack:
 0000000000000001 ffff880118990000 0000000000000002 0000000000000000
<0> ffff88011b409eb8 ffffffffa0410daa ffffffffa041cf20 00000000000005e4
<0> ffff8801000000d0 ffffffffa04201c0 ffff88011fc00040 ffff880118990008
Call Trace:
 [<ffffffffa0410daa>] ipoib_add_one+0x1ea/0x350 [ib_ipoib]
 [<ffffffffa03894bd>] ib_register_client+0x7d/0xa0 [ib_core]
 [<ffffffffa0425200>] ipoib_init_module+0x200/0x296 [ib_ipoib]
 [<ffffffffa0425000>] ? ipoib_init_module+0x0/0x296 [ib_ipoib]
 [<ffffffff8100204c>] do_one_initcall+0x3c/0x1d0
 [<ffffffff810af641>] sys_init_module+0xe1/0x250
 [<ffffffff8100b0f2>] system_call_fastpath+0x16/0x1b
Code: 89 5d e8 4c 89 65 f0 48 89 fb 4c 89 6d f8 4c 8b 42 08 49 89 f5 49 89 d4 49 39 f0 75 27 4d 8b 45 00 4d 39 c4 75 40 49 89 5c 24 08 <4c> 89 23 4c 89 6b 08 4c 8b 65 f0 49 89 5d 00 48 8b 5d e8 4c 8b
RIP  [<ffffffff8127b814>] __list_add+0x34/0xa0
 RSP <ffff88011b409de8>
CR2: 00000000000010e8
---[ end trace 2c7c92f924933cec ]---
Kernel panic - not syncing: Fatal exception
Pid: 2387, comm: insmod Tainted: G      D    ----------------   2.6.32-220.el6.x86_64 #1
Call Trace:
 [<ffffffff814ec341>] ? panic+0x78/0x143
 [<ffffffff814f04d4>] ? oops_end+0xe4/0x100
 [<ffffffff8104230b>] ? no_context+0xfb/0x260
 [<ffffffff81042595>] ? __bad_area_nosemaphore+0x125/0x1e0
 [<ffffffff81272b1c>] ? put_dec+0x10c/0x110
 [<ffffffff810426be>] ? bad_area+0x4e/0x60
 [<ffffffff81042dc3>] ? __do_page_fault+0x3c3/0x480
 [<ffffffffa0044e59>] ? memtrack_free+0x119/0x270 [memtrack]
 [<ffffffff81275306>] ? vsnprintf+0x2b6/0x5f0
 [<ffffffff8109694f>] ? up+0x2f/0x50
 [<ffffffffa0044e59>] ? memtrack_free+0x119/0x270 [memtrack]
 [<ffffffff814f248e>] ? do_page_fault+0x3e/0xa0
 [<ffffffff814ef845>] ? page_fault+0x25/0x30
 [<ffffffff8127b814>] ? __list_add+0x34/0xa0
 [<ffffffffa0410daa>] ? ipoib_add_one+0x1ea/0x350 [ib_ipoib]
 [<ffffffffa03894bd>] ? ib_register_client+0x7d/0xa0 [ib_core]
 [<ffffffffa0425200>] ? ipoib_init_module+0x200/0x296 [ib_ipoib]
 [<ffffffffa0425000>] ? ipoib_init_module+0x0/0x296 [ib_ipoib]
 [<ffffffff8100204c>] ? do_one_initcall+0x3c/0x1d0
 [<ffffffff810af641>] ? sys_init_module+0xe1/0x250
 [<ffffffff8100b0f2>] ? system_call_fastpath+0x16/0x1b

Signed-off-by: Dotan Barak <dotanb@dev.mellanox.co.il>
Reviewed-by: Erez Shitrit <erezsh@mellanox.co.il>
(Ported from Mellanox OFED 2.4)

Signed-off-by: Mukesh Kacker <mukesh.kacker@oracle.com>
---
 drivers/infiniband/ulp/ipoib/ipoib_main.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/drivers/infiniband/ulp/ipoib/ipoib_main.c b/drivers/infiniband/ulp/ipoib/ipoib_main.c
index 9e1b203d756d..b63a30c7c536 100644
--- a/drivers/infiniband/ulp/ipoib/ipoib_main.c
+++ b/drivers/infiniband/ulp/ipoib/ipoib_main.c
@@ -1598,8 +1598,12 @@ static struct net_device *ipoib_add_port(const char *format,
 		goto device_init_failed;
 	}
 
-	if (ipoib_set_dev_features(priv, hca))
+	result = ipoib_set_dev_features(priv, hca);
+	if (result) {
+		printk(KERN_WARNING "%s: couldn't set features for ipoib port %d; error %d\n",
+		       hca->name, port, result);
 		goto device_init_failed;
+	}
 
 	/*
 	 * Set the full membership bit, so that we join the right
@@ -1644,6 +1648,8 @@ static struct net_device *ipoib_add_port(const char *format,
 
 	ipoib_create_debug_files(priv->dev);
 
+	result = -ENOMEM;
+
 	if (ipoib_cm_add_mode_attr(priv->dev))
 		goto sysfs_failed;
 	if (ipoib_add_pkey_attr(priv->dev))
-- 
2.50.1