2020-08-06 19:28:14

by Alex Dewar

Subject: [PATCH] vdpa/mlx5: Fix erroneous null pointer checks

In alloc_inout() in net/mlx5_vnet.c, there are a few places where memory
is allocated to *in and *out, but only the values of in and out are
null-checked (i.e. there is a missing dereference). Fix this.

Addresses-Coverity: ("CID 1496603: (REVERSE_INULL)")
Fixes: 1a86b377aa21 ("vdpa/mlx5: Add VDPA driver for supported mlx5 devices")
Signed-off-by: Alex Dewar <[email protected]>
---
drivers/vdpa/mlx5/net/mlx5_vnet.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/drivers/vdpa/mlx5/net/mlx5_vnet.c b/drivers/vdpa/mlx5/net/mlx5_vnet.c
index 3ec44a4f0e45..bcb6600c2839 100644
--- a/drivers/vdpa/mlx5/net/mlx5_vnet.c
+++ b/drivers/vdpa/mlx5/net/mlx5_vnet.c
@@ -867,7 +867,7 @@ static void alloc_inout(struct mlx5_vdpa_net *ndev, int cmd, void **in, int *inl
*outlen = MLX5_ST_SZ_BYTES(qp_2rst_out);
*in = kzalloc(*inlen, GFP_KERNEL);
*out = kzalloc(*outlen, GFP_KERNEL);
- if (!in || !out)
+ if (!*in || !*out)
goto outerr;

MLX5_SET(qp_2rst_in, *in, opcode, cmd);
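Review bot: alloc_inout() is declared `static void` in the hunk header, so once this check can fire, a caller learns of the failure only from the values left in `*in` and `*out`, and nothing in the visible lines documents that contract. Both kzalloc() calls run before the test, so one buffer may be live while the other is NULL; the `outerr` label lies outside the hunk (the function body starts and ends outside it), so whether it releases the survivor and resets both pointers cannot be confirmed from here. Once that is verified, I would add a comment above the function such as `/* On allocation failure *in and *out are both left NULL; callers must check them before issuing the command. */`. The same applies to the checks in the other three hunks.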
@@ -879,7 +879,7 @@ static void alloc_inout(struct mlx5_vdpa_net *ndev, int cmd, void **in, int *inl
*outlen = MLX5_ST_SZ_BYTES(rst2init_qp_out);
*in = kzalloc(*inlen, GFP_KERNEL);
*out = kzalloc(MLX5_ST_SZ_BYTES(rst2init_qp_out), GFP_KERNEL);
- if (!in || !out)
+ if (!*in || !*out)
goto outerr;

MLX5_SET(rst2init_qp_in, *in, opcode, cmd);
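Review bot: The `*out` allocation in this hunk recomputes `MLX5_ST_SZ_BYTES(rst2init_qp_out)` although `*outlen` was assigned that same value two lines earlier, whereas the first hunk passes `*outlen` directly. Deriving the reported length and the allocated size from one expression keeps them from drifting apart in a later edit, which would leave the caller's length disagreeing with the buffer. I would write `*out = kzalloc(*outlen, GFP_KERNEL);` here and in the init2rtr and rtr2rts hunks. This is a style point on context lines, not on the lines the patch changes.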
@@ -896,7 +896,7 @@ static void alloc_inout(struct mlx5_vdpa_net *ndev, int cmd, void **in, int *inl
*outlen = MLX5_ST_SZ_BYTES(init2rtr_qp_out);
*in = kzalloc(*inlen, GFP_KERNEL);
*out = kzalloc(MLX5_ST_SZ_BYTES(init2rtr_qp_out), GFP_KERNEL);
- if (!in || !out)
+ if (!*in || !*out)
goto outerr;

MLX5_SET(init2rtr_qp_in, *in, opcode, cmd);
@@ -914,7 +914,7 @@ static void alloc_inout(struct mlx5_vdpa_net *ndev, int cmd, void **in, int *inl
*outlen = MLX5_ST_SZ_BYTES(rtr2rts_qp_out);
*in = kzalloc(*inlen, GFP_KERNEL);
*out = kzalloc(MLX5_ST_SZ_BYTES(rtr2rts_qp_out), GFP_KERNEL);
- if (!in || !out)
+ if (!*in || !*out)
goto outerr;

MLX5_SET(rtr2rts_qp_in, *in, opcode, cmd);
--
2.28.0


2020-08-07 03:38:53

by Jason Wang

Subject: Re: [PATCH] vdpa/mlx5: Fix erroneous null pointer checks


On 2020/8/7 上午3:18, Alex Dewar wrote:
> In alloc_inout() in net/mlx5_vnet.c, there are a few places where memory
> is allocated to *in and *out, but only the values of in and out are
> null-checked (i.e. there is a missing dereference). Fix this.
>
> Addresses-Coverity: ("CID 1496603: (REVERSE_INULL)")
> Fixes: 1a86b377aa21 ("vdpa/mlx5: Add VDPA driver for supported mlx5 devices")
> Signed-off-by: Alex Dewar <[email protected]>


Acked-by: Jason Wang <[email protected]>


> ---
> drivers/vdpa/mlx5/net/mlx5_vnet.c | 8 ++++----
> 1 file changed, 4 insertions(+), 4 deletions(-)
>
> diff --git a/drivers/vdpa/mlx5/net/mlx5_vnet.c b/drivers/vdpa/mlx5/net/mlx5_vnet.c
> index 3ec44a4f0e45..bcb6600c2839 100644
> --- a/drivers/vdpa/mlx5/net/mlx5_vnet.c
> +++ b/drivers/vdpa/mlx5/net/mlx5_vnet.c
> @@ -867,7 +867,7 @@ static void alloc_inout(struct mlx5_vdpa_net *ndev, int cmd, void **in, int *inl
> *outlen = MLX5_ST_SZ_BYTES(qp_2rst_out);
> *in = kzalloc(*inlen, GFP_KERNEL);
> *out = kzalloc(*outlen, GFP_KERNEL);
> - if (!in || !out)
> + if (!*in || !*out)
> goto outerr;
>
> MLX5_SET(qp_2rst_in, *in, opcode, cmd);
> @@ -879,7 +879,7 @@ static void alloc_inout(struct mlx5_vdpa_net *ndev, int cmd, void **in, int *inl
> *outlen = MLX5_ST_SZ_BYTES(rst2init_qp_out);
> *in = kzalloc(*inlen, GFP_KERNEL);
> *out = kzalloc(MLX5_ST_SZ_BYTES(rst2init_qp_out), GFP_KERNEL);
> - if (!in || !out)
> + if (!*in || !*out)
> goto outerr;
>
> MLX5_SET(rst2init_qp_in, *in, opcode, cmd);
> @@ -896,7 +896,7 @@ static void alloc_inout(struct mlx5_vdpa_net *ndev, int cmd, void **in, int *inl
> *outlen = MLX5_ST_SZ_BYTES(init2rtr_qp_out);
> *in = kzalloc(*inlen, GFP_KERNEL);
> *out = kzalloc(MLX5_ST_SZ_BYTES(init2rtr_qp_out), GFP_KERNEL);
> - if (!in || !out)
> + if (!*in || !*out)
> goto outerr;
>
> MLX5_SET(init2rtr_qp_in, *in, opcode, cmd);
> @@ -914,7 +914,7 @@ static void alloc_inout(struct mlx5_vdpa_net *ndev, int cmd, void **in, int *inl
> *outlen = MLX5_ST_SZ_BYTES(rtr2rts_qp_out);
> *in = kzalloc(*inlen, GFP_KERNEL);
> *out = kzalloc(MLX5_ST_SZ_BYTES(rtr2rts_qp_out), GFP_KERNEL);
> - if (!in || !out)
> + if (!*in || !*out)
> goto outerr;
>
> MLX5_SET(rtr2rts_qp_in, *in, opcode, cmd);

2020-08-07 04:01:26

by Jason Wang

Subject: Re: [PATCH] vdpa/mlx5: Fix erroneous null pointer checks


On 2020/8/7 上午11:37, Jason Wang wrote:
>
> On 2020/8/7 上午3:18, Alex Dewar wrote:
>> In alloc_inout() in net/mlx5_vnet.c, there are a few places where memory
>> is allocated to *in and *out, but only the values of in and out are
>> null-checked (i.e. there is a missing dereference). Fix this.
>>
>> Addresses-Coverity: ("CID 1496603: (REVERSE_INULL)")
>> Fixes: 1a86b377aa21 ("vdpa/mlx5: Add VDPA driver for supported mlx5
>> devices")
>> Signed-off-by: Alex Dewar <[email protected]>
>
>
> Acked-by: Jason Wang <[email protected]>


Colin posted something similar: [PATCH][next] vdpa/mlx5: fix memory
allocation failure checks

And I think his fix is better since it prevents raw pointers from being freed.

Thanks

2020-08-09 05:57:50

by Eli Cohen

Subject: Re: [PATCH] vdpa/mlx5: Fix erroneous null pointer checks

Acked-by: Eli Cohen <[email protected]>
On Thu, Aug 06, 2020 at 08:18:39PM +0100, Alex Dewar wrote:
> In alloc_inout() in net/mlx5_vnet.c, there are a few places where memory
> is allocated to *in and *out, but only the values of in and out are
> null-checked (i.e. there is a missing dereference). Fix this.
>
> Addresses-Coverity: ("CID 1496603: (REVERSE_INULL)")
> Fixes: 1a86b377aa21 ("vdpa/mlx5: Add VDPA driver for supported mlx5 devices")
> Signed-off-by: Alex Dewar <[email protected]>
> ---
> drivers/vdpa/mlx5/net/mlx5_vnet.c | 8 ++++----
> 1 file changed, 4 insertions(+), 4 deletions(-)
>
> diff --git a/drivers/vdpa/mlx5/net/mlx5_vnet.c b/drivers/vdpa/mlx5/net/mlx5_vnet.c
> index 3ec44a4f0e45..bcb6600c2839 100644
> --- a/drivers/vdpa/mlx5/net/mlx5_vnet.c
> +++ b/drivers/vdpa/mlx5/net/mlx5_vnet.c
> @@ -867,7 +867,7 @@ static void alloc_inout(struct mlx5_vdpa_net *ndev, int cmd, void **in, int *inl
> *outlen = MLX5_ST_SZ_BYTES(qp_2rst_out);
> *in = kzalloc(*inlen, GFP_KERNEL);
> *out = kzalloc(*outlen, GFP_KERNEL);
> - if (!in || !out)
> + if (!*in || !*out)
> goto outerr;
>
> MLX5_SET(qp_2rst_in, *in, opcode, cmd);
> @@ -879,7 +879,7 @@ static void alloc_inout(struct mlx5_vdpa_net *ndev, int cmd, void **in, int *inl
> *outlen = MLX5_ST_SZ_BYTES(rst2init_qp_out);
> *in = kzalloc(*inlen, GFP_KERNEL);
> *out = kzalloc(MLX5_ST_SZ_BYTES(rst2init_qp_out), GFP_KERNEL);
> - if (!in || !out)
> + if (!*in || !*out)
> goto outerr;
>
> MLX5_SET(rst2init_qp_in, *in, opcode, cmd);
> @@ -896,7 +896,7 @@ static void alloc_inout(struct mlx5_vdpa_net *ndev, int cmd, void **in, int *inl
> *outlen = MLX5_ST_SZ_BYTES(init2rtr_qp_out);
> *in = kzalloc(*inlen, GFP_KERNEL);
> *out = kzalloc(MLX5_ST_SZ_BYTES(init2rtr_qp_out), GFP_KERNEL);
> - if (!in || !out)
> + if (!*in || !*out)
> goto outerr;
>
> MLX5_SET(init2rtr_qp_in, *in, opcode, cmd);
> @@ -914,7 +914,7 @@ static void alloc_inout(struct mlx5_vdpa_net *ndev, int cmd, void **in, int *inl
> *outlen = MLX5_ST_SZ_BYTES(rtr2rts_qp_out);
> *in = kzalloc(*inlen, GFP_KERNEL);
> *out = kzalloc(MLX5_ST_SZ_BYTES(rtr2rts_qp_out), GFP_KERNEL);
> - if (!in || !out)
> + if (!*in || !*out)
> goto outerr;
>
> MLX5_SET(rtr2rts_qp_in, *in, opcode, cmd);
> --
> 2.28.0
>

2020-08-09 06:04:49

by Eli Cohen

Subject: RE: [PATCH] vdpa/mlx5: Fix erroneous null pointer checks

After all, this patch does not fix everything. If we reach the default case of the switch statement we will free an invalid pointer, so I am withdrawing my Acked-by.

The previous patch by Colin King fixes it.


-----Original Message-----
From: Eli Cohen <[email protected]>
Sent: Sunday, August 9, 2020 8:53 AM
To: Alex Dewar <[email protected]>
Cc: Michael S. Tsirkin <[email protected]>; Jason Wang <[email protected]>; Parav Pandit <[email protected]>; [email protected]; [email protected]
Subject: Re: [PATCH] vdpa/mlx5: Fix erroneous null pointer checks

Acked-by: Eli Cohen <[email protected]>
On Thu, Aug 06, 2020 at 08:18:39PM +0100, Alex Dewar wrote:
> In alloc_inout() in net/mlx5_vnet.c, there are a few places where
> memory is allocated to *in and *out, but only the values of in and out
> are null-checked (i.e. there is a missing dereference). Fix this.
>
> Addresses-Coverity: ("CID 1496603: (REVERSE_INULL)")
> Fixes: 1a86b377aa21 ("vdpa/mlx5: Add VDPA driver for supported mlx5
> devices")
> Signed-off-by: Alex Dewar <[email protected]>
> ---
> drivers/vdpa/mlx5/net/mlx5_vnet.c | 8 ++++----
> 1 file changed, 4 insertions(+), 4 deletions(-)
>
> diff --git a/drivers/vdpa/mlx5/net/mlx5_vnet.c
> b/drivers/vdpa/mlx5/net/mlx5_vnet.c
> index 3ec44a4f0e45..bcb6600c2839 100644
> --- a/drivers/vdpa/mlx5/net/mlx5_vnet.c
> +++ b/drivers/vdpa/mlx5/net/mlx5_vnet.c
> @@ -867,7 +867,7 @@ static void alloc_inout(struct mlx5_vdpa_net *ndev, int cmd, void **in, int *inl
> *outlen = MLX5_ST_SZ_BYTES(qp_2rst_out);
> *in = kzalloc(*inlen, GFP_KERNEL);
> *out = kzalloc(*outlen, GFP_KERNEL);
> - if (!in || !out)
> + if (!*in || !*out)
> goto outerr;
>
> MLX5_SET(qp_2rst_in, *in, opcode, cmd);
> @@ -879,7 +879,7 @@ static void alloc_inout(struct mlx5_vdpa_net *ndev, int cmd, void **in, int *inl
> *outlen = MLX5_ST_SZ_BYTES(rst2init_qp_out);
> *in = kzalloc(*inlen, GFP_KERNEL);
> *out = kzalloc(MLX5_ST_SZ_BYTES(rst2init_qp_out), GFP_KERNEL);
> - if (!in || !out)
> + if (!*in || !*out)
> goto outerr;
>
> MLX5_SET(rst2init_qp_in, *in, opcode, cmd);
> @@ -896,7 +896,7 @@ static void alloc_inout(struct mlx5_vdpa_net *ndev, int cmd, void **in, int *inl
> *outlen = MLX5_ST_SZ_BYTES(init2rtr_qp_out);
> *in = kzalloc(*inlen, GFP_KERNEL);
> *out = kzalloc(MLX5_ST_SZ_BYTES(init2rtr_qp_out), GFP_KERNEL);
> - if (!in || !out)
> + if (!*in || !*out)
> goto outerr;
>
> MLX5_SET(init2rtr_qp_in, *in, opcode, cmd);
> @@ -914,7 +914,7 @@ static void alloc_inout(struct mlx5_vdpa_net *ndev, int cmd, void **in, int *inl
> *outlen = MLX5_ST_SZ_BYTES(rtr2rts_qp_out);
> *in = kzalloc(*inlen, GFP_KERNEL);
> *out = kzalloc(MLX5_ST_SZ_BYTES(rtr2rts_qp_out), GFP_KERNEL);
> - if (!in || !out)
> + if (!*in || !*out)
> goto outerr;
>
> MLX5_SET(rtr2rts_qp_in, *in, opcode, cmd);
> --
> 2.28.0
>

2020-08-09 16:22:39

by Alex Dewar

Subject: Re: [PATCH] vdpa/mlx5: Fix erroneous null pointer checks

On Sun, Aug 09, 2020 at 06:03:00AM +0000, Eli Cohen wrote:
> After all this patch is not fixing it all. If we get to default of the switch statement we will free invalid pointer so removing ack-ed by me.
>
> The previous patch by Colin King fixes it.

Good point, sounds sensible. Thanks for looking my patch over :-)

Alex

>
>
> -----Original Message-----
> From: Eli Cohen <[email protected]>
> Sent: Sunday, August 9, 2020 8:53 AM
> To: Alex Dewar <[email protected]>
> Cc: Michael S. Tsirkin <[email protected]>; Jason Wang <[email protected]>; Parav Pandit <[email protected]>; [email protected]; [email protected]
> Subject: Re: [PATCH] vdpa/mlx5: Fix erroneous null pointer checks
>
> Acked-by: Eli Cohen <[email protected]>
> On Thu, Aug 06, 2020 at 08:18:39PM +0100, Alex Dewar wrote:
> > In alloc_inout() in net/mlx5_vnet.c, there are a few places where
> > memory is allocated to *in and *out, but only the values of in and out
> > are null-checked (i.e. there is a missing dereference). Fix this.
> >
> > Addresses-Coverity: ("CID 1496603: (REVERSE_INULL)")
> > Fixes: 1a86b377aa21 ("vdpa/mlx5: Add VDPA driver for supported mlx5
> > devices")
> > Signed-off-by: Alex Dewar <[email protected]>
> > ---
> > drivers/vdpa/mlx5/net/mlx5_vnet.c | 8 ++++----
> > 1 file changed, 4 insertions(+), 4 deletions(-)
> >
> > diff --git a/drivers/vdpa/mlx5/net/mlx5_vnet.c
> > b/drivers/vdpa/mlx5/net/mlx5_vnet.c
> > index 3ec44a4f0e45..bcb6600c2839 100644
> > --- a/drivers/vdpa/mlx5/net/mlx5_vnet.c
> > +++ b/drivers/vdpa/mlx5/net/mlx5_vnet.c
> > @@ -867,7 +867,7 @@ static void alloc_inout(struct mlx5_vdpa_net *ndev, int cmd, void **in, int *inl
> > *outlen = MLX5_ST_SZ_BYTES(qp_2rst_out);
> > *in = kzalloc(*inlen, GFP_KERNEL);
> > *out = kzalloc(*outlen, GFP_KERNEL);
> > - if (!in || !out)
> > + if (!*in || !*out)
> > goto outerr;
> >
> > MLX5_SET(qp_2rst_in, *in, opcode, cmd);
> > @@ -879,7 +879,7 @@ static void alloc_inout(struct mlx5_vdpa_net *ndev, int cmd, void **in, int *inl
> > *outlen = MLX5_ST_SZ_BYTES(rst2init_qp_out);
> > *in = kzalloc(*inlen, GFP_KERNEL);
> > *out = kzalloc(MLX5_ST_SZ_BYTES(rst2init_qp_out), GFP_KERNEL);
> > - if (!in || !out)
> > + if (!*in || !*out)
> > goto outerr;
> >
> > MLX5_SET(rst2init_qp_in, *in, opcode, cmd);
> > @@ -896,7 +896,7 @@ static void alloc_inout(struct mlx5_vdpa_net *ndev, int cmd, void **in, int *inl
> > *outlen = MLX5_ST_SZ_BYTES(init2rtr_qp_out);
> > *in = kzalloc(*inlen, GFP_KERNEL);
> > *out = kzalloc(MLX5_ST_SZ_BYTES(init2rtr_qp_out), GFP_KERNEL);
> > - if (!in || !out)
> > + if (!*in || !*out)
> > goto outerr;
> >
> > MLX5_SET(init2rtr_qp_in, *in, opcode, cmd);
> > @@ -914,7 +914,7 @@ static void alloc_inout(struct mlx5_vdpa_net *ndev, int cmd, void **in, int *inl
> > *outlen = MLX5_ST_SZ_BYTES(rtr2rts_qp_out);
> > *in = kzalloc(*inlen, GFP_KERNEL);
> > *out = kzalloc(MLX5_ST_SZ_BYTES(rtr2rts_qp_out), GFP_KERNEL);
> > - if (!in || !out)
> > + if (!*in || !*out)
> > goto outerr;
> >
> > MLX5_SET(rtr2rts_qp_in, *in, opcode, cmd);
> > --
> > 2.28.0
> >