2019-04-13 16:02:46

by Colin King

Subject: [PATCH] RDMA/cxgb4: fix null pointer dereference on alloc_skb failure

From: Colin Ian King <[email protected]>

Currently if alloc_skb fails to allocate the skb a null skb is passed
to t4_set_arp_err_handler and this ends up dereferencing the null skb.
Avoid the null pointer dereference by checking for a null skb and
returning early.

Addresses-Coverity: ("Dereference null return")
Fixes: b38a0ad8ec11 ("RDMA/cxgb4: Set arp error handler for PASS_ACCEPT_RPL messages")
Signed-off-by: Colin Ian King <[email protected]>
---
drivers/infiniband/hw/cxgb4/cm.c | 2 ++
1 file changed, 2 insertions(+)

diff --git a/drivers/infiniband/hw/cxgb4/cm.c b/drivers/infiniband/hw/cxgb4/cm.c
index 1e68d87b663d..0f3b1193d5f8 100644
--- a/drivers/infiniband/hw/cxgb4/cm.c
+++ b/drivers/infiniband/hw/cxgb4/cm.c
@@ -460,6 +460,8 @@ static struct sk_buff *get_skb(struct sk_buff *skb, int len, gfp_t gfp)
skb_reset_transport_header(skb);
} else {
skb = alloc_skb(len, gfp);
+ if (!skb)
+ return NULL;
}
t4_set_arp_err_handler(skb, NULL, NULL);
return skb;
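Review bot: nothing in this hunk or in the commit message shows that the callers of get_skb() handle the NULL which the added `return NULL;` in the else branch hands back when alloc_skb() fails. Please confirm that each caller tests the return value before touching the skb, and state that in the commit message. If a caller does not check, the null dereference only moves from t4_set_arp_err_handler() to that call site.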
--
2.20.1


2019-04-15 07:55:55

by Potnuri Bharat Teja

Subject: Re: [PATCH] RDMA/cxgb4: fix null pointer dereference on alloc_skb failure

On Saturday, April 04/13/19, 2019 at 21:30:26 +0530, Colin King wrote:
> From: Colin Ian King <[email protected]>
>
> Currently if alloc_skb fails to allocate the skb a null skb is passed
> to t4_set_arp_err_handler and this ends up dereferencing the null skb.
> Avoid the null pointer dereference by checking for a null skb and
> returning early.
>
> Addresses-Coverity: ("Dereference null return")
> Fixes: b38a0ad8ec11 ("RDMA/cxgb4: Set arp error handler for PASS_ACCEPT_RPL messages")
> Signed-off-by: Colin Ian King <[email protected]>
> ---
> drivers/infiniband/hw/cxgb4/cm.c | 2 ++
> 1 file changed, 2 insertions(+)
>

Thanks,
Acked-by: Potnuri Bharat Teja <[email protected]>

2019-04-16 11:08:48

by Jason Gunthorpe

Subject: Re: [PATCH] RDMA/cxgb4: fix null pointer dereference on alloc_skb failure

On Sat, Apr 13, 2019 at 05:00:26PM +0100, Colin King wrote:
> From: Colin Ian King <[email protected]>
>
> Currently if alloc_skb fails to allocate the skb a null skb is passed
> to t4_set_arp_err_handler and this ends up dereferencing the null skb.
> Avoid the null pointer dereference by checking for a null skb and
> returning early.
>
> Addresses-Coverity: ("Dereference null return")
> Fixes: b38a0ad8ec11 ("RDMA/cxgb4: Set arp error handler for PASS_ACCEPT_RPL messages")
> Signed-off-by: Colin Ian King <[email protected]>
> Acked-by: Potnuri Bharat Teja <[email protected]>
> ---
> drivers/infiniband/hw/cxgb4/cm.c | 2 ++
> 1 file changed, 2 insertions(+)

Applied to for-next

Thanks,
Jason