[patch] IB/core: off by one in error handling

[patch] IB/core: off by one in error handling

[Dan Carpenter]

This is a zero offset array.  The current code could try to free random
memory and crash.  Also it leaks the first element.

Fixes: 230145ff8124 ('IB/core: Add RoCE GID table management')
Signed-off-by: Dan Carpenter <dan.carpenter-QHcLZuEGTsvQT0dZR+AlfA@public.gmane.org>

diff --git a/drivers/infiniband/core/cache.c b/drivers/infiniband/core/cache.c
index a9d5c70..f5d14a7 100644
--- a/drivers/infiniband/core/cache.c
+++ b/drivers/infiniband/core/cache.c
@@ -582,7 +582,7 @@ static int _gid_table_setup_one(struct ib_device *ib_dev)
 	return 0;
 
 rollback_table_setup:
-	for (port = 1; port <= ib_dev->phys_port_cnt; port++)
+	for (port = 0; port < ib_dev->phys_port_cnt; port++)
 		free_gid_table(ib_dev, port, table[port]);
 
 	kfree(table);
--
To unsubscribe from this list: send the line "unsubscribe linux-rdma" in
the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [patch] IB/core: off by one in error handling

[ira.weiny]

On Tue, Aug 18, 2015 at 12:23:17PM +0300, Dan Carpenter wrote:
> This is a zero offset array.  The current code could try to free random
> memory and crash.  Also it leaks the first element.
> 
> Fixes: 230145ff8124 ('IB/core: Add RoCE GID table management')
> Signed-off-by: Dan Carpenter <dan.carpenter-QHcLZuEGTsvQT0dZR+AlfA@public.gmane.org>

I don't actually see this in Dougs to-be-rebased/for-4.3 tree.

Looks like Doug picked up a different version of the patch in the latest
rebase.

annotating cache.c I see a different change from Matan in commit

76680c1cfc5ab

+rollback_table_setup:
+       for (port = 0; port < ib_dev->phys_port_cnt; port++) {
+               cleanup_gid_table_port(ib_dev, port + rdma_start_port(ib_dev),
+                                      table[port]);
+               release_gid_table(table[port]);
+       }

Ira

> 
> diff --git a/drivers/infiniband/core/cache.c b/drivers/infiniband/core/cache.c
> index a9d5c70..f5d14a7 100644
> --- a/drivers/infiniband/core/cache.c
> +++ b/drivers/infiniband/core/cache.c
> @@ -582,7 +582,7 @@ static int _gid_table_setup_one(struct ib_device *ib_dev)
>  	return 0;
>  
>  rollback_table_setup:
> -	for (port = 1; port <= ib_dev->phys_port_cnt; port++)
> +	for (port = 0; port < ib_dev->phys_port_cnt; port++)
>  		free_gid_table(ib_dev, port, table[port]);
>  
>  	kfree(table);
--
To unsubscribe from this list: send the line "unsubscribe linux-rdma" in
the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [patch] IB/core: off by one in error handling

[Doug Ledford]

[-- Attachment #1: Type: text/plain, Size: 1798 bytes --]

On 08/28/2015 09:18 PM, ira.weiny wrote:
> On Tue, Aug 18, 2015 at 12:23:17PM +0300, Dan Carpenter wrote:
>> This is a zero offset array.  The current code could try to free random
>> memory and crash.  Also it leaks the first element.
>>
>> Fixes: 230145ff8124 ('IB/core: Add RoCE GID table management')
>> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> 
> I don't actually see this in Dougs to-be-rebased/for-4.3 tree.
> 
> Looks like Doug picked up a different version of the patch in the latest
> rebase.
> 
> annotating cache.c I see a different change from Matan in commit
> 
> 76680c1cfc5ab
> 
> +rollback_table_setup:
> +       for (port = 0; port < ib_dev->phys_port_cnt; port++) {
> +               cleanup_gid_table_port(ib_dev, port + rdma_start_port(ib_dev),
> +                                      table[port]);
> +               release_gid_table(table[port]);
> +       }
> 
> Ira

Correct, so I dropped this patch.

>>
>> diff --git a/drivers/infiniband/core/cache.c b/drivers/infiniband/core/cache.c
>> index a9d5c70..f5d14a7 100644
>> --- a/drivers/infiniband/core/cache.c
>> +++ b/drivers/infiniband/core/cache.c
>> @@ -582,7 +582,7 @@ static int _gid_table_setup_one(struct ib_device *ib_dev)
>>  	return 0;
>>  
>>  rollback_table_setup:
>> -	for (port = 1; port <= ib_dev->phys_port_cnt; port++)
>> +	for (port = 0; port < ib_dev->phys_port_cnt; port++)
>>  		free_gid_table(ib_dev, port, table[port]);
>>  
>>  	kfree(table);
> --
> To unsubscribe from this list: send the line "unsubscribe linux-rdma" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> 


-- 
Doug Ledford <dledford@redhat.com>
              GPG KeyID: 0E572FDD



[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 884 bytes --]

Re: [patch] IB/core: off by one in error handling

[Doug Ledford]

[-- Attachment #1: Type: text/plain, Size: 1044 bytes --]

On 08/18/2015 05:23 AM, Dan Carpenter wrote:
> This is a zero offset array.  The current code could try to free random
> memory and crash.  Also it leaks the first element.
> 
> Fixes: 230145ff8124 ('IB/core: Add RoCE GID table management')
> Signed-off-by: Dan Carpenter <dan.carpenter-QHcLZuEGTsvQT0dZR+AlfA@public.gmane.org>

This one, however, was not needed after Matan's fixup series was applied.

> diff --git a/drivers/infiniband/core/cache.c b/drivers/infiniband/core/cache.c
> index a9d5c70..f5d14a7 100644
> --- a/drivers/infiniband/core/cache.c
> +++ b/drivers/infiniband/core/cache.c
> @@ -582,7 +582,7 @@ static int _gid_table_setup_one(struct ib_device *ib_dev)
>  	return 0;
>  
>  rollback_table_setup:
> -	for (port = 1; port <= ib_dev->phys_port_cnt; port++)
> +	for (port = 0; port < ib_dev->phys_port_cnt; port++)
>  		free_gid_table(ib_dev, port, table[port]);
>  
>  	kfree(table);
> 


-- 
Doug Ledford <dledford-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
              GPG KeyID: 0E572FDD



[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 884 bytes --]