* [patch] IB/core: off by one in error handling
@ 2015-08-18 9:23 Dan Carpenter
2015-08-29 1:18 ` ira.weiny
2015-09-03 17:39 ` Doug Ledford
0 siblings, 2 replies; 4+ messages in thread
From: Dan Carpenter @ 2015-08-18 9:23 UTC (permalink / raw)
To: Doug Ledford, Matan Barak
Cc: Sean Hefty, Hal Rosenstock, Jason Gunthorpe, Ira Weiny,
Haggai Eran, Moni Shoua, linux-rdma-u79uwXL29TY76Z2rM5mHXA,
kernel-janitors-u79uwXL29TY76Z2rM5mHXA
This is a zero offset array. The current code could try to free random
memory and crash. Also it leaks the first element.
Fixes: 230145ff8124 ('IB/core: Add RoCE GID table management')
Signed-off-by: Dan Carpenter <dan.carpenter-QHcLZuEGTsvQT0dZR+AlfA@public.gmane.org>
diff --git a/drivers/infiniband/core/cache.c b/drivers/infiniband/core/cache.c
index a9d5c70..f5d14a7 100644
--- a/drivers/infiniband/core/cache.c
+++ b/drivers/infiniband/core/cache.c
@@ -582,7 +582,7 @@ static int _gid_table_setup_one(struct ib_device *ib_dev)
return 0;
rollback_table_setup:
- for (port = 1; port <= ib_dev->phys_port_cnt; port++)
+ for (port = 0; port < ib_dev->phys_port_cnt; port++)
free_gid_table(ib_dev, port, table[port]);
kfree(table);
--
To unsubscribe from this list: send the line "unsubscribe linux-rdma" in
the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [patch] IB/core: off by one in error handling
2015-08-18 9:23 [patch] IB/core: off by one in error handling Dan Carpenter
@ 2015-08-29 1:18 ` ira.weiny
2015-08-29 3:59 ` Doug Ledford
2015-09-03 17:39 ` Doug Ledford
1 sibling, 1 reply; 4+ messages in thread
From: ira.weiny @ 2015-08-29 1:18 UTC (permalink / raw)
To: Dan Carpenter
Cc: Doug Ledford, Matan Barak, Sean Hefty, Hal Rosenstock,
Jason Gunthorpe, Haggai Eran, Moni Shoua,
linux-rdma-u79uwXL29TY76Z2rM5mHXA,
kernel-janitors-u79uwXL29TY76Z2rM5mHXA
On Tue, Aug 18, 2015 at 12:23:17PM +0300, Dan Carpenter wrote:
> This is a zero offset array. The current code could try to free random
> memory and crash. Also it leaks the first element.
>
> Fixes: 230145ff8124 ('IB/core: Add RoCE GID table management')
> Signed-off-by: Dan Carpenter <dan.carpenter-QHcLZuEGTsvQT0dZR+AlfA@public.gmane.org>
I don't actually see this in Dougs to-be-rebased/for-4.3 tree.
Looks like Doug picked up a different version of the patch in the latest
rebase.
annotating cache.c I see a different change from Matan in commit
76680c1cfc5ab
+rollback_table_setup:
+ for (port = 0; port < ib_dev->phys_port_cnt; port++) {
+ cleanup_gid_table_port(ib_dev, port + rdma_start_port(ib_dev),
+ table[port]);
+ release_gid_table(table[port]);
+ }
Ira
>
> diff --git a/drivers/infiniband/core/cache.c b/drivers/infiniband/core/cache.c
> index a9d5c70..f5d14a7 100644
> --- a/drivers/infiniband/core/cache.c
> +++ b/drivers/infiniband/core/cache.c
> @@ -582,7 +582,7 @@ static int _gid_table_setup_one(struct ib_device *ib_dev)
> return 0;
>
> rollback_table_setup:
> - for (port = 1; port <= ib_dev->phys_port_cnt; port++)
> + for (port = 0; port < ib_dev->phys_port_cnt; port++)
> free_gid_table(ib_dev, port, table[port]);
>
> kfree(table);
--
To unsubscribe from this list: send the line "unsubscribe linux-rdma" in
the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [patch] IB/core: off by one in error handling
2015-08-29 1:18 ` ira.weiny
@ 2015-08-29 3:59 ` Doug Ledford
0 siblings, 0 replies; 4+ messages in thread
From: Doug Ledford @ 2015-08-29 3:59 UTC (permalink / raw)
To: ira.weiny, Dan Carpenter
Cc: Matan Barak, Sean Hefty, Hal Rosenstock, Jason Gunthorpe,
Haggai Eran, Moni Shoua, linux-rdma, kernel-janitors
[-- Attachment #1: Type: text/plain, Size: 1798 bytes --]
On 08/28/2015 09:18 PM, ira.weiny wrote:
> On Tue, Aug 18, 2015 at 12:23:17PM +0300, Dan Carpenter wrote:
>> This is a zero offset array. The current code could try to free random
>> memory and crash. Also it leaks the first element.
>>
>> Fixes: 230145ff8124 ('IB/core: Add RoCE GID table management')
>> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
>
> I don't actually see this in Dougs to-be-rebased/for-4.3 tree.
>
> Looks like Doug picked up a different version of the patch in the latest
> rebase.
>
> annotating cache.c I see a different change from Matan in commit
>
> 76680c1cfc5ab
>
> +rollback_table_setup:
> + for (port = 0; port < ib_dev->phys_port_cnt; port++) {
> + cleanup_gid_table_port(ib_dev, port + rdma_start_port(ib_dev),
> + table[port]);
> + release_gid_table(table[port]);
> + }
>
> Ira
Correct, so I dropped this patch.
>>
>> diff --git a/drivers/infiniband/core/cache.c b/drivers/infiniband/core/cache.c
>> index a9d5c70..f5d14a7 100644
>> --- a/drivers/infiniband/core/cache.c
>> +++ b/drivers/infiniband/core/cache.c
>> @@ -582,7 +582,7 @@ static int _gid_table_setup_one(struct ib_device *ib_dev)
>> return 0;
>>
>> rollback_table_setup:
>> - for (port = 1; port <= ib_dev->phys_port_cnt; port++)
>> + for (port = 0; port < ib_dev->phys_port_cnt; port++)
>> free_gid_table(ib_dev, port, table[port]);
>>
>> kfree(table);
> --
> To unsubscribe from this list: send the line "unsubscribe linux-rdma" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
>
--
Doug Ledford <dledford@redhat.com>
GPG KeyID: 0E572FDD
[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 884 bytes --]
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [patch] IB/core: off by one in error handling
2015-08-18 9:23 [patch] IB/core: off by one in error handling Dan Carpenter
2015-08-29 1:18 ` ira.weiny
@ 2015-09-03 17:39 ` Doug Ledford
1 sibling, 0 replies; 4+ messages in thread
From: Doug Ledford @ 2015-09-03 17:39 UTC (permalink / raw)
To: Dan Carpenter, Matan Barak
Cc: Sean Hefty, Hal Rosenstock, Jason Gunthorpe, Ira Weiny,
Haggai Eran, Moni Shoua, linux-rdma-u79uwXL29TY76Z2rM5mHXA,
kernel-janitors-u79uwXL29TY76Z2rM5mHXA
[-- Attachment #1: Type: text/plain, Size: 1044 bytes --]
On 08/18/2015 05:23 AM, Dan Carpenter wrote:
> This is a zero offset array. The current code could try to free random
> memory and crash. Also it leaks the first element.
>
> Fixes: 230145ff8124 ('IB/core: Add RoCE GID table management')
> Signed-off-by: Dan Carpenter <dan.carpenter-QHcLZuEGTsvQT0dZR+AlfA@public.gmane.org>
This one, however, was not needed after Matan's fixup series was applied.
> diff --git a/drivers/infiniband/core/cache.c b/drivers/infiniband/core/cache.c
> index a9d5c70..f5d14a7 100644
> --- a/drivers/infiniband/core/cache.c
> +++ b/drivers/infiniband/core/cache.c
> @@ -582,7 +582,7 @@ static int _gid_table_setup_one(struct ib_device *ib_dev)
> return 0;
>
> rollback_table_setup:
> - for (port = 1; port <= ib_dev->phys_port_cnt; port++)
> + for (port = 0; port < ib_dev->phys_port_cnt; port++)
> free_gid_table(ib_dev, port, table[port]);
>
> kfree(table);
>
--
Doug Ledford <dledford-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
GPG KeyID: 0E572FDD
[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 884 bytes --]
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2015-09-03 17:39 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2015-08-18 9:23 [patch] IB/core: off by one in error handling Dan Carpenter
2015-08-29 1:18 ` ira.weiny
2015-08-29 3:59 ` Doug Ledford
2015-09-03 17:39 ` Doug Ledford
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).