2022-11-18 12:27:56

by Denis Arefev

Subject: [PATCH v2] cxgbi: cxgb4i: Added pointer check

Return value of a function 'alloc_wr' is dereferenced at cxgb4i.c:624
without checking for null, but it is usually checked for this function

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Signed-off-by: Denis Arefev <[email protected]>
---
drivers/scsi/cxgbi/cxgb4i/cxgb4i.c | 2 ++
1 file changed, 2 insertions(+)

diff --git a/drivers/scsi/cxgbi/cxgb4i/cxgb4i.c b/drivers/scsi/cxgbi/cxgb4i/cxgb4i.c
index 2c3491528d42..b93bd36dcb2d 100644
--- a/drivers/scsi/cxgbi/cxgb4i/cxgb4i.c
+++ b/drivers/scsi/cxgbi/cxgb4i/cxgb4i.c
@@ -620,6 +620,8 @@ static inline int send_tx_flowc_wr(struct cxgbi_sock *csk)
#endif
flowclen16 = tx_flowc_wr_credits(&nparams, &flowclen);
skb = alloc_wr(flowclen, 0, GFP_ATOMIC);
+ if (!skb)
+ return -ENOMEM;
flowc = (struct fw_flowc_wr *)skb->head;
flowc->op_to_nparams =
htonl(FW_WR_OP_V(FW_FLOWC_WR) | FW_FLOWC_WR_NPARAMS_V(nparams));
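
Review bot: the `return -ENOMEM` added after `skb = alloc_wr(flowclen, 0, GFP_ATOMIC);` gives send_tx_flowc_wr() a negative return value, and since the patch is only these two insertions in one file, no caller is adjusted to handle it. Please check what each caller does with the return value and either handle the error there in the same patch or restructure so that no allocation can fail on this path. The commit message should also state what happens to the connection when the allocation fails.
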
--
2.25.1



2022-11-18 22:14:26

by Mike Christie

Subject: Re: [PATCH v2] cxgbi: cxgb4i: Added pointer check

Replace Karen with Varun.

On 11/18/22 6:17 AM, Denis Arefev wrote:
> Return value of a function 'alloc_wr' is dereferenced at cxgb4i.c:624
> without checking for null, but it is usually checked for this function
>
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
>
> Signed-off-by: Denis Arefev <[email protected]>
> ---
> drivers/scsi/cxgbi/cxgb4i/cxgb4i.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/drivers/scsi/cxgbi/cxgb4i/cxgb4i.c b/drivers/scsi/cxgbi/cxgb4i/cxgb4i.c
> index 2c3491528d42..b93bd36dcb2d 100644
> --- a/drivers/scsi/cxgbi/cxgb4i/cxgb4i.c
> +++ b/drivers/scsi/cxgbi/cxgb4i/cxgb4i.c
> @@ -620,6 +620,8 @@ static inline int send_tx_flowc_wr(struct cxgbi_sock *csk)
> #endif
> flowclen16 = tx_flowc_wr_credits(&nparams, &flowclen);
> skb = alloc_wr(flowclen, 0, GFP_ATOMIC);
> + if (!skb)
> + return -ENOMEM;

If this returns a negative value push_tx_frames is going to mishandle it.
I'm not sure how to best handle the failure there, but I cc'd the correct
maintainer, Varun.


2022-11-24 11:48:13

by Varun Prakash

Subject: RE: [PATCH v2] cxgbi: cxgb4i: Added pointer check


>> Return value of a function 'alloc_wr' is dereferenced at cxgb4i.c:624
>> without checking for null, but it is usually checked for this function
>>
>> Found by Linux Verification Center (linuxtesting.org) with SVACE.
>>
>> Signed-off-by: Denis Arefev <[email protected]>
>> ---
>> drivers/scsi/cxgbi/cxgb4i/cxgb4i.c | 2 ++
>> 1 file changed, 2 insertions(+)
>>
>> diff --git a/drivers/scsi/cxgbi/cxgb4i/cxgb4i.c b/drivers/scsi/cxgbi/cxgb4i/cxgb4i.c
>> index 2c3491528d42..b93bd36dcb2d 100644
>> --- a/drivers/scsi/cxgbi/cxgb4i/cxgb4i.c
>> +++ b/drivers/scsi/cxgbi/cxgb4i/cxgb4i.c
>> @@ -620,6 +620,8 @@ static inline int send_tx_flowc_wr(struct cxgbi_sock *csk)
>> #endif
>> flowclen16 = tx_flowc_wr_credits(&nparams, &flowclen);
>> skb = alloc_wr(flowclen, 0, GFP_ATOMIC);
>> + if (!skb)
>> + return -ENOMEM;
>
>If this returns a negative value push_tx_frames is going to mishandle it.
>I'm not sure how to best handle the failure there, but I cc'd the correct
>maintainer, Varun.

push_tx_frames() cannot handle a negative return value from send_tx_flowc_wr().
To fix this issue we can preallocate a skb in alloc_cpls() and use this skb in send_tx_flowc_wr().