From: Jason Gunthorpe <jgg@ziepe.ca>
To: Dan Carpenter <dan.carpenter@oracle.com>
Cc: michal.kalderon@marvell.com, linux-rdma@vger.kernel.org
Subject: Re: [bug report] RDMA/qedr: Add doorbell overflow recovery support
Date: Wed, 6 Nov 2019 11:38:57 -0400 [thread overview]
Message-ID: <20191106153857.GB15851@ziepe.ca> (raw)
In-Reply-To: <20191106075259.GA22565@mwanda>
On Wed, Nov 06, 2019 at 10:52:59AM +0300, Dan Carpenter wrote:
> Hello Michal Kalderon,
>
> This is a semi-automatic email about new static checker warnings.
>
> The patch 9bcc6597f47b: "RDMA/qedr: Add doorbell overflow recovery
> support" from Oct 30, 2019, leads to the following Smatch complaint:
>
> drivers/infiniband/hw/qedr/verbs.c:1046 qedr_create_cq()
> warn: variable dereferenced before check 'ctx' (see line 970)
>
> drivers/infiniband/hw/qedr/verbs.c
> 905 int qedr_create_cq(struct ib_cq *ibcq, const struct ib_cq_init_attr *attr,
> 906 struct ib_udata *udata)
> 907 {
> 908 struct ib_device *ibdev = ibcq->device;
> 909 struct qedr_ucontext *ctx = rdma_udata_to_drv_context(
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> 910 udata, struct qedr_ucontext, ibucontext);
> 911 struct qed_rdma_destroy_cq_out_params destroy_oparams;
> 912 struct qed_rdma_destroy_cq_in_params destroy_iparams;
> 913 struct qedr_dev *dev = get_qedr_dev(ibdev);
> 914 struct qed_rdma_create_cq_in_params params;
> 915 struct qedr_create_cq_ureq ureq = {};
> 916 int vector = attr->comp_vector;
> 917 int entries = attr->cqe;
> 918 struct qedr_cq *cq = get_qedr_cq(ibcq);
> 919 int chain_entries;
> 920 u32 db_offset;
> 921 int page_cnt;
> 922 u64 pbl_ptr;
> 923 u16 icid;
> 924 int rc;
> 925
> 926 DP_DEBUG(dev, QEDR_MSG_INIT,
> 927 "create_cq: called from %s. entries=%d, vector=%d\n",
> 928 udata ? "User Lib" : "Kernel", entries, vector);
> 929
> 930 if (entries > QEDR_MAX_CQES) {
> 931 DP_ERR(dev,
> 932 "create cq: the number of entries %d is too high. Must be equal or below %d.\n",
> 933 entries, QEDR_MAX_CQES);
> 934 return -EINVAL;
> 935 }
> 936
> 937 chain_entries = qedr_align_cq_entries(entries);
> 938 chain_entries = min_t(int, chain_entries, QEDR_MAX_CQES);
> 939
> 940 /* calc db offset. user will add DPI base, kernel will add db addr */
> 941 db_offset = DB_ADDR_SHIFT(DQ_PWM_OFFSET_UCM_RDMA_CQ_CONS_32BIT);
> 942
> 943 if (udata) {
> 944 if (ib_copy_from_udata(&ureq, udata, min(sizeof(ureq),
> 945 udata->inlen))) {
> 946 DP_ERR(dev,
> 947 "create cq: problem copying data from user space\n");
> 948 goto err0;
> 949 }
> 950
> 951 if (!ureq.len) {
> 952 DP_ERR(dev,
> 953 "create cq: cannot create a cq with 0 entries\n");
> 954 goto err0;
> 955 }
> 956
> 957 cq->cq_type = QEDR_CQ_TYPE_USER;
> 958
> 959 rc = qedr_init_user_queue(udata, dev, &cq->q, ureq.addr,
> 960 ureq.len, true,
> 961 IB_ACCESS_LOCAL_WRITE,
> 962 1, 1);
> 963 if (rc)
> 964 goto err0;
> 965
> 966 pbl_ptr = cq->q.pbl_tbl->pa;
> 967 page_cnt = cq->q.pbl_info.num_pbes;
> 968
> 969 cq->ibcq.cqe = chain_entries;
> 970 cq->q.db_addr = ctx->dpi_addr + db_offset;
> ^^^^^^^^^^^^^
> New unchecked dereference.
For rdma_udata_to_drv_context(), udata != NULL implies ctx != NULL
Generally I prefer to see the rdma_udata_to_drv_context() as a local
variable inside an 'if (udata)' but this is one of those places where
that doesn't work out.
Jason
next prev parent reply other threads:[~2019-11-06 15:39 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-11-06 7:52 [bug report] RDMA/qedr: Add doorbell overflow recovery support Dan Carpenter
2019-11-06 15:38 ` Jason Gunthorpe [this message]
2019-11-07 11:40 ` Dan Carpenter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20191106153857.GB15851@ziepe.ca \
--to=jgg@ziepe.ca \
--cc=dan.carpenter@oracle.com \
--cc=linux-rdma@vger.kernel.org \
--cc=michal.kalderon@marvell.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).