2022-11-16 22:43:14

by Alex Elder

Subject: [PATCH net-next] net: ipa: avoid a null pointer dereference

Dan Carpenter reported that Smatch found an instance where a pointer
which had previously been assumed could be null (as indicated by a
null check) was later dereferenced without a similar check.

In practice this doesn't lead to a problem because currently the
pointers used are all non-null. Nevertheless this patch addresses
the reported problem.

In addition, I spotted another bug that arose in the same commit.
When the command to initialize a routing table memory region was
added, the number of entries computed for the non-hashed table
was wrong (it ended up being a Boolean rather than the count
intended). This bug is fixed here as well.

Reported-by: Dan Carpenter <[email protected]>
Link: https://lore.kernel.org/kernel-janitors/Y3OOP9dXK6oEydkf@kili
Tested-by: Caleb Connolly <[email protected]>
Fixes: 5cb76899fb47 ("net: ipa: reduce arguments to ipa_table_init_add()")
Signed-off-by: Alex Elder <[email protected]>
---
Note: This does *not* need to be back-ported (it applies to net-next).

drivers/net/ipa/ipa_table.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/drivers/net/ipa/ipa_table.c b/drivers/net/ipa/ipa_table.c
index cc9349a1d4df9..b81e27b613549 100644
--- a/drivers/net/ipa/ipa_table.c
+++ b/drivers/net/ipa/ipa_table.c
@@ -382,6 +382,7 @@ static void ipa_table_init_add(struct gsi_trans *trans, bool filter, bool ipv6)
const struct ipa_mem *mem;
dma_addr_t hash_addr;
dma_addr_t addr;
+ u32 hash_offset;
u32 zero_offset;
u16 hash_count;
u32 zero_size;
@@ -394,8 +395,10 @@ static void ipa_table_init_add(struct gsi_trans *trans, bool filter, bool ipv6)
: ipv6 ? IPA_CMD_IP_V6_ROUTING_INIT
: IPA_CMD_IP_V4_ROUTING_INIT;

+ /* The non-hashed region will exist (see ipa_table_mem_valid()) */
mem = ipa_table_mem(ipa, filter, false, ipv6);
hash_mem = ipa_table_mem(ipa, filter, true, ipv6);
+ hash_offset = hash_mem ? hash_mem->offset : 0;

/* Compute the number of table entries to initialize */
if (filter) {
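Review bot: the fallback in `hash_offset = hash_mem ? hash_mem->offset : 0;` passes 0 on as if it were a real offset when there is no hashed region, and nothing in the hunk says why that is safe. If the offset is only meaningful when hash_size is non-zero, a one-line comment saying so would sit well beside the comment just added for the non-hashed region, and would keep a later reader from treating 0 as a valid location.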
@@ -411,7 +414,7 @@ static void ipa_table_init_add(struct gsi_trans *trans, bool filter, bool ipv6)
* of entries it has.
*/
count = mem->size / sizeof(__le64);
- hash_count = hash_mem && hash_mem->size / sizeof(__le64);
+ hash_count = hash_mem ? hash_mem->size / sizeof(__le64) : 0;
}
size = count * sizeof(__le64);
hash_size = hash_count * sizeof(__le64);
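Review bot: the corrected line `hash_count = hash_mem ? hash_mem->size / sizeof(__le64) : 0;` computes the entry count for the hashed region, while the commit message describes the wrong count as belonging to the non-hashed table. The non-hashed `count` on the line above is untouched, so the description should say "hashed" to match what this hunk fixes. It would also help to state in the message that the old `&&` expression could only yield 0 or 1, since that is what made hash_size wrong on the following line.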
@@ -420,7 +423,7 @@ static void ipa_table_init_add(struct gsi_trans *trans, bool filter, bool ipv6)
hash_addr = ipa_table_addr(ipa, filter, hash_count);

ipa_cmd_table_init_add(trans, opcode, size, mem->offset, addr,
- hash_size, hash_mem->offset, hash_addr);
+ hash_size, hash_offset, hash_addr);
if (!filter)
return;

@@ -433,7 +436,7 @@ static void ipa_table_init_add(struct gsi_trans *trans, bool filter, bool ipv6)
return;

/* Zero the unused space in the hashed filter table */
- zero_offset = hash_mem->offset + hash_size;
+ zero_offset = hash_offset + hash_size;
zero_size = hash_mem->size - hash_size;
ipa_cmd_dma_shared_mem_add(trans, zero_offset, zero_size,
ipa->zero_addr, true);
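Review bot: `zero_size = hash_mem->size - hash_size;`, directly below the changed line, still dereferences hash_mem without a check, so this path relies on the early `return;` above it being taken whenever hash_mem is NULL, and that condition is outside the hunk's context. Either say so in the "Zero the unused space" comment, or cache the region size next to hash_offset so that no bare hash_mem dereference is left for Smatch to flag.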
--
2.34.1



2022-11-18 12:12:58

by patchwork-bot+netdevbpf

Subject: Re: [PATCH net-next] net: ipa: avoid a null pointer dereference

Hello:

This patch was applied to netdev/net-next.git (master)
by David S. Miller <[email protected]>:

On Wed, 16 Nov 2022 16:37:18 -0600 you wrote:
> Dan Carpenter reported that Smatch found an instance where a pointer
> which had previously been assumed could be null (as indicated by a
> null check) was later dereferenced without a similar check.
>
> In practice this doesn't lead to a problem because currently the
> pointers used are all non-null. Nevertheless this patch addresses
> the reported problem.
>
> [...]

Here is the summary with links:
- [net-next] net: ipa: avoid a null pointer dereference
https://git.kernel.org/netdev/net-next/c/15b4f993d12b

You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html