infiniband/qedr: Potential null ptr dereference of qp

Message ID 20181224182445.21256-1-pakki001@umn.edu
State In Next
Commit 9c6260de505b63638dd86fcc33849b17f6146d94

Commit Message

Aditya Pakki Dec. 24, 2018, 6:24 p.m. UTC
idr_find() may fail and return a NULL pointer. The fix checks the
return value of the function and returns an error in case of NULL.

Signed-off-by: Aditya Pakki <pakki001@umn.edu>
---
 drivers/infiniband/hw/qedr/qedr_iw_cm.c | 2 ++
 1 file changed, 2 insertions(+)

Comments

Leon Romanovsky Dec. 25, 2018, 4:26 a.m. UTC | #1
On Mon, Dec 24, 2018 at 12:24:45PM -0600, Aditya Pakki wrote:
> idr_find() may fail and return a NULL pointer. The fix checks the
> return value of the function and returns an error in case of NULL.
>
> Signed-off-by: Aditya Pakki <pakki001@umn.edu>
> ---
>  drivers/infiniband/hw/qedr/qedr_iw_cm.c | 2 ++
>  1 file changed, 2 insertions(+)
>
> diff --git a/drivers/infiniband/hw/qedr/qedr_iw_cm.c b/drivers/infiniband/hw/qedr/qedr_iw_cm.c
> index 505fa3648762..93b16237b767 100644
> --- a/drivers/infiniband/hw/qedr/qedr_iw_cm.c
> +++ b/drivers/infiniband/hw/qedr/qedr_iw_cm.c
> @@ -492,6 +492,8 @@ int qedr_iw_connect(struct iw_cm_id *cm_id, struct iw_cm_conn_param *conn_param)
>  	int i;
>
>  	qp = idr_find(&dev->qpidr.idr, conn_param->qpn);
> +	if (unlikely(!qp))
> +		return -EINVAL;

As was already pointed out, qedr is racy in their accesses to idr_find() and
a NULL pointer is less of a worry in their IDR code.

>
>  	laddr = (struct sockaddr_in *)&cm_id->m_local_addr;
>  	raddr = (struct sockaddr_in *)&cm_id->m_remote_addr;
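Review bot: The `unlikely()` on the added `if (unlikely(!qp))` line is not needed: qedr_iw_connect() is a connection-setup call, not a per-packet path, so the branch hint buys nothing and a plain `if (!qp)` is easier to read. The placement of the early return is fine, since it comes before the laddr/raddr assignments and the visible lines show nothing that would need unwinding.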
> --
> 2.17.1
>

Michal Kalderon Dec. 25, 2018, 1:13 p.m. UTC | #2
> From: Aditya Pakki <pakki001@umn.edu>
> Sent: Monday, December 24, 2018 8:25 PM
> 
> idr_find() may fail and return a NULL pointer. The fix checks the return value
> of the function and returns an error in case of NULL.
> 
> Signed-off-by: Aditya Pakki <pakki001@umn.edu>
> ---
>  drivers/infiniband/hw/qedr/qedr_iw_cm.c | 2 ++
>  1 file changed, 2 insertions(+)
> 
> diff --git a/drivers/infiniband/hw/qedr/qedr_iw_cm.c
> b/drivers/infiniband/hw/qedr/qedr_iw_cm.c
> index 505fa3648762..93b16237b767 100644
> --- a/drivers/infiniband/hw/qedr/qedr_iw_cm.c
> +++ b/drivers/infiniband/hw/qedr/qedr_iw_cm.c
> @@ -492,6 +492,8 @@ int qedr_iw_connect(struct iw_cm_id *cm_id, struct
> iw_cm_conn_param *conn_param)
>         int i;
> 
>         qp = idr_find(&dev->qpidr.idr, conn_param->qpn);
> +       if (unlikely(!qp))
> +               return -EINVAL;
> 
>         laddr = (struct sockaddr_in *)&cm_id->m_local_addr;
>         raddr = (struct sockaddr_in *)&cm_id->m_remote_addr;
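Review bot: The added `return -EINVAL;` fails silently, so a caller of qedr_iw_connect() gets no indication that it was the lookup of `conn_param->qpn` that was rejected. Consider logging the QPN at debug level before returning, and extending the commit message to say where an unknown QPN can come from, since the description only states that idr_find() may fail.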
> --
> 2.17.1

Thanks,

Acked-by: Michal Kalderon <michal.kalderon@marvell.com>

Jason Gunthorpe Jan. 2, 2019, 11:28 p.m. UTC | #3
On Mon, Dec 24, 2018 at 12:24:45PM -0600, Aditya Pakki wrote:
> idr_find() may fail and return a NULL pointer. The fix checks the
> return value of the function and returns an error in case of NULL.
> 
> Signed-off-by: Aditya Pakki <pakki001@umn.edu>
> Acked-by: Michal Kalderon <michal.kalderon@marvell.com>
> ---
>  drivers/infiniband/hw/qedr/qedr_iw_cm.c | 2 ++
>  1 file changed, 2 insertions(+)

Applied to for-rc, thanks

Jason

Patch

diff --git a/drivers/infiniband/hw/qedr/qedr_iw_cm.c b/drivers/infiniband/hw/qedr/qedr_iw_cm.c
index 505fa3648762..93b16237b767 100644
--- a/drivers/infiniband/hw/qedr/qedr_iw_cm.c
+++ b/drivers/infiniband/hw/qedr/qedr_iw_cm.c
@@ -492,6 +492,8 @@  int qedr_iw_connect(struct iw_cm_id *cm_id, struct iw_cm_conn_param *conn_param)
 	int i;
 
 	qp = idr_find(&dev->qpidr.idr, conn_param->qpn);
+	if (unlikely(!qp))
+		return -EINVAL;
 
 	laddr = (struct sockaddr_in *)&cm_id->m_local_addr;
 	raddr = (struct sockaddr_in *)&cm_id->m_remote_addr;
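Review bot: The NULL check added after `qp = idr_find(&dev->qpidr.idr, conn_param->qpn);` only covers an ID that is absent at the moment of the lookup; nothing in the visible context holds a lock or takes a reference on qp, so an entry removed right after idr_find() returns would pass the check and still be used while stale, which is the race raised in reply #1. Unless the rest of the function already serializes against QP destruction, do the lookup and take a reference on qp under the same lock (or RCU read-side section), with the NULL check inside it.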