In alloc_inout() in net/mlx5_vnet.c, there are a few places where memory
is allocated to *in and *out, but only the values of in and out are
null-checked (i.e. there is a missing dereference). Fix this.
Addresses-Coverity: ("CID 1496603: (REVERSE_INULL)")
Fixes: 1a86b377aa21 ("vdpa/mlx5: Add VDPA driver for supported mlx5 devices")
Signed-off-by: Alex Dewar <[email protected]>
---
drivers/vdpa/mlx5/net/mlx5_vnet.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/vdpa/mlx5/net/mlx5_vnet.c b/drivers/vdpa/mlx5/net/mlx5_vnet.c
index 3ec44a4f0e45..bcb6600c2839 100644
--- a/drivers/vdpa/mlx5/net/mlx5_vnet.c
+++ b/drivers/vdpa/mlx5/net/mlx5_vnet.c
@@ -867,7 +867,7 @@ static void alloc_inout(struct mlx5_vdpa_net *ndev, int cmd, void **in, int *inl
*outlen = MLX5_ST_SZ_BYTES(qp_2rst_out);
*in = kzalloc(*inlen, GFP_KERNEL);
*out = kzalloc(*outlen, GFP_KERNEL);
- if (!in || !out)
+ if (!*in || !*out)
goto outerr;
MLX5_SET(qp_2rst_in, *in, opcode, cmd);
@@ -879,7 +879,7 @@ static void alloc_inout(struct mlx5_vdpa_net *ndev, int cmd, void **in, int *inl
*outlen = MLX5_ST_SZ_BYTES(rst2init_qp_out);
*in = kzalloc(*inlen, GFP_KERNEL);
*out = kzalloc(MLX5_ST_SZ_BYTES(rst2init_qp_out), GFP_KERNEL);
- if (!in || !out)
+ if (!*in || !*out)
goto outerr;
MLX5_SET(rst2init_qp_in, *in, opcode, cmd);
@@ -896,7 +896,7 @@ static void alloc_inout(struct mlx5_vdpa_net *ndev, int cmd, void **in, int *inl
*outlen = MLX5_ST_SZ_BYTES(init2rtr_qp_out);
*in = kzalloc(*inlen, GFP_KERNEL);
*out = kzalloc(MLX5_ST_SZ_BYTES(init2rtr_qp_out), GFP_KERNEL);
- if (!in || !out)
+ if (!*in || !*out)
goto outerr;
MLX5_SET(init2rtr_qp_in, *in, opcode, cmd);
@@ -914,7 +914,7 @@ static void alloc_inout(struct mlx5_vdpa_net *ndev, int cmd, void **in, int *inl
*outlen = MLX5_ST_SZ_BYTES(rtr2rts_qp_out);
*in = kzalloc(*inlen, GFP_KERNEL);
*out = kzalloc(MLX5_ST_SZ_BYTES(rtr2rts_qp_out), GFP_KERNEL);
- if (!in || !out)
+ if (!*in || !*out)
goto outerr;
MLX5_SET(rtr2rts_qp_in, *in, opcode, cmd);
--
2.28.0
On 2020/8/7 上午3:18, Alex Dewar wrote:
> In alloc_inout() in net/mlx5_vnet.c, there are a few places where memory
> is allocated to *in and *out, but only the values of in and out are
> null-checked (i.e. there is a missing dereference). Fix this.
>
> Addresses-Coverity: ("CID 1496603: (REVERSE_INULL)")
> Fixes: 1a86b377aa21 ("vdpa/mlx5: Add VDPA driver for supported mlx5 devices")
> Signed-off-by: Alex Dewar <[email protected]>
Acked-by: Jason Wang <[email protected]>
> ---
> drivers/vdpa/mlx5/net/mlx5_vnet.c | 8 ++++----
> 1 file changed, 4 insertions(+), 4 deletions(-)
>
> diff --git a/drivers/vdpa/mlx5/net/mlx5_vnet.c b/drivers/vdpa/mlx5/net/mlx5_vnet.c
> index 3ec44a4f0e45..bcb6600c2839 100644
> --- a/drivers/vdpa/mlx5/net/mlx5_vnet.c
> +++ b/drivers/vdpa/mlx5/net/mlx5_vnet.c
> @@ -867,7 +867,7 @@ static void alloc_inout(struct mlx5_vdpa_net *ndev, int cmd, void **in, int *inl
> *outlen = MLX5_ST_SZ_BYTES(qp_2rst_out);
> *in = kzalloc(*inlen, GFP_KERNEL);
> *out = kzalloc(*outlen, GFP_KERNEL);
> - if (!in || !out)
> + if (!*in || !*out)
> goto outerr;
>
> MLX5_SET(qp_2rst_in, *in, opcode, cmd);
> @@ -879,7 +879,7 @@ static void alloc_inout(struct mlx5_vdpa_net *ndev, int cmd, void **in, int *inl
> *outlen = MLX5_ST_SZ_BYTES(rst2init_qp_out);
> *in = kzalloc(*inlen, GFP_KERNEL);
> *out = kzalloc(MLX5_ST_SZ_BYTES(rst2init_qp_out), GFP_KERNEL);
> - if (!in || !out)
> + if (!*in || !*out)
> goto outerr;
>
> MLX5_SET(rst2init_qp_in, *in, opcode, cmd);
> @@ -896,7 +896,7 @@ static void alloc_inout(struct mlx5_vdpa_net *ndev, int cmd, void **in, int *inl
> *outlen = MLX5_ST_SZ_BYTES(init2rtr_qp_out);
> *in = kzalloc(*inlen, GFP_KERNEL);
> *out = kzalloc(MLX5_ST_SZ_BYTES(init2rtr_qp_out), GFP_KERNEL);
> - if (!in || !out)
> + if (!*in || !*out)
> goto outerr;
>
> MLX5_SET(init2rtr_qp_in, *in, opcode, cmd);
> @@ -914,7 +914,7 @@ static void alloc_inout(struct mlx5_vdpa_net *ndev, int cmd, void **in, int *inl
> *outlen = MLX5_ST_SZ_BYTES(rtr2rts_qp_out);
> *in = kzalloc(*inlen, GFP_KERNEL);
> *out = kzalloc(MLX5_ST_SZ_BYTES(rtr2rts_qp_out), GFP_KERNEL);
> - if (!in || !out)
> + if (!*in || !*out)
> goto outerr;
>
> MLX5_SET(rtr2rts_qp_in, *in, opcode, cmd);
On 2020/8/7 上午11:37, Jason Wang wrote:
>
> On 2020/8/7 上午3:18, Alex Dewar wrote:
>> In alloc_inout() in net/mlx5_vnet.c, there are a few places where memory
>> is allocated to *in and *out, but only the values of in and out are
>> null-checked (i.e. there is a missing dereference). Fix this.
>>
>> Addresses-Coverity: ("CID 1496603: (REVERSE_INULL)")
>> Fixes: 1a86b377aa21 ("vdpa/mlx5: Add VDPA driver for supported mlx5
>> devices")
>> Signed-off-by: Alex Dewar <[email protected]>
>
>
> Acked-by: Jason Wang <[email protected]>
Colin posted something similar: [PATCH][next] vdpa/mlx5: fix memory
allocation failure checks
And I think his fix is better since it prevent raw pointers to be freed.
Thanks
Acked-by: Eli Cohen <[email protected]>
On Thu, Aug 06, 2020 at 08:18:39PM +0100, Alex Dewar wrote:
> In alloc_inout() in net/mlx5_vnet.c, there are a few places where memory
> is allocated to *in and *out, but only the values of in and out are
> null-checked (i.e. there is a missing dereference). Fix this.
>
> Addresses-Coverity: ("CID 1496603: (REVERSE_INULL)")
> Fixes: 1a86b377aa21 ("vdpa/mlx5: Add VDPA driver for supported mlx5 devices")
> Signed-off-by: Alex Dewar <[email protected]>
> ---
> drivers/vdpa/mlx5/net/mlx5_vnet.c | 8 ++++----
> 1 file changed, 4 insertions(+), 4 deletions(-)
>
> diff --git a/drivers/vdpa/mlx5/net/mlx5_vnet.c b/drivers/vdpa/mlx5/net/mlx5_vnet.c
> index 3ec44a4f0e45..bcb6600c2839 100644
> --- a/drivers/vdpa/mlx5/net/mlx5_vnet.c
> +++ b/drivers/vdpa/mlx5/net/mlx5_vnet.c
> @@ -867,7 +867,7 @@ static void alloc_inout(struct mlx5_vdpa_net *ndev, int cmd, void **in, int *inl
> *outlen = MLX5_ST_SZ_BYTES(qp_2rst_out);
> *in = kzalloc(*inlen, GFP_KERNEL);
> *out = kzalloc(*outlen, GFP_KERNEL);
> - if (!in || !out)
> + if (!*in || !*out)
> goto outerr;
>
> MLX5_SET(qp_2rst_in, *in, opcode, cmd);
> @@ -879,7 +879,7 @@ static void alloc_inout(struct mlx5_vdpa_net *ndev, int cmd, void **in, int *inl
> *outlen = MLX5_ST_SZ_BYTES(rst2init_qp_out);
> *in = kzalloc(*inlen, GFP_KERNEL);
> *out = kzalloc(MLX5_ST_SZ_BYTES(rst2init_qp_out), GFP_KERNEL);
> - if (!in || !out)
> + if (!*in || !*out)
> goto outerr;
>
> MLX5_SET(rst2init_qp_in, *in, opcode, cmd);
> @@ -896,7 +896,7 @@ static void alloc_inout(struct mlx5_vdpa_net *ndev, int cmd, void **in, int *inl
> *outlen = MLX5_ST_SZ_BYTES(init2rtr_qp_out);
> *in = kzalloc(*inlen, GFP_KERNEL);
> *out = kzalloc(MLX5_ST_SZ_BYTES(init2rtr_qp_out), GFP_KERNEL);
> - if (!in || !out)
> + if (!*in || !*out)
> goto outerr;
>
> MLX5_SET(init2rtr_qp_in, *in, opcode, cmd);
> @@ -914,7 +914,7 @@ static void alloc_inout(struct mlx5_vdpa_net *ndev, int cmd, void **in, int *inl
> *outlen = MLX5_ST_SZ_BYTES(rtr2rts_qp_out);
> *in = kzalloc(*inlen, GFP_KERNEL);
> *out = kzalloc(MLX5_ST_SZ_BYTES(rtr2rts_qp_out), GFP_KERNEL);
> - if (!in || !out)
> + if (!*in || !*out)
> goto outerr;
>
> MLX5_SET(rtr2rts_qp_in, *in, opcode, cmd);
> --
> 2.28.0
>
After all this patch is not fixing it all. If we get to default of the switch statement we will free invalid pointer so removing ack-ed by me.
The previous patch by Colin King fixes it.
-----Original Message-----
From: Eli Cohen <[email protected]>
Sent: Sunday, August 9, 2020 8:53 AM
To: Alex Dewar <[email protected]>
Cc: Michael S. Tsirkin <[email protected]>; Jason Wang <[email protected]>; Parav Pandit <[email protected]>; [email protected]; [email protected]
Subject: Re: [PATCH] vdpa/mlx5: Fix erroneous null pointer checks
Acked-by: Eli Cohen <[email protected]>
On Thu, Aug 06, 2020 at 08:18:39PM +0100, Alex Dewar wrote:
> In alloc_inout() in net/mlx5_vnet.c, there are a few places where
> memory is allocated to *in and *out, but only the values of in and out
> are null-checked (i.e. there is a missing dereference). Fix this.
>
> Addresses-Coverity: ("CID 1496603: (REVERSE_INULL)")
> Fixes: 1a86b377aa21 ("vdpa/mlx5: Add VDPA driver for supported mlx5
> devices")
> Signed-off-by: Alex Dewar <[email protected]>
> ---
> drivers/vdpa/mlx5/net/mlx5_vnet.c | 8 ++++----
> 1 file changed, 4 insertions(+), 4 deletions(-)
>
> diff --git a/drivers/vdpa/mlx5/net/mlx5_vnet.c
> b/drivers/vdpa/mlx5/net/mlx5_vnet.c
> index 3ec44a4f0e45..bcb6600c2839 100644
> --- a/drivers/vdpa/mlx5/net/mlx5_vnet.c
> +++ b/drivers/vdpa/mlx5/net/mlx5_vnet.c
> @@ -867,7 +867,7 @@ static void alloc_inout(struct mlx5_vdpa_net *ndev, int cmd, void **in, int *inl
> *outlen = MLX5_ST_SZ_BYTES(qp_2rst_out);
> *in = kzalloc(*inlen, GFP_KERNEL);
> *out = kzalloc(*outlen, GFP_KERNEL);
> - if (!in || !out)
> + if (!*in || !*out)
> goto outerr;
>
> MLX5_SET(qp_2rst_in, *in, opcode, cmd); @@ -879,7 +879,7 @@ static
> void alloc_inout(struct mlx5_vdpa_net *ndev, int cmd, void **in, int *inl
> *outlen = MLX5_ST_SZ_BYTES(rst2init_qp_out);
> *in = kzalloc(*inlen, GFP_KERNEL);
> *out = kzalloc(MLX5_ST_SZ_BYTES(rst2init_qp_out), GFP_KERNEL);
> - if (!in || !out)
> + if (!*in || !*out)
> goto outerr;
>
> MLX5_SET(rst2init_qp_in, *in, opcode, cmd); @@ -896,7 +896,7 @@
> static void alloc_inout(struct mlx5_vdpa_net *ndev, int cmd, void **in, int *inl
> *outlen = MLX5_ST_SZ_BYTES(init2rtr_qp_out);
> *in = kzalloc(*inlen, GFP_KERNEL);
> *out = kzalloc(MLX5_ST_SZ_BYTES(init2rtr_qp_out), GFP_KERNEL);
> - if (!in || !out)
> + if (!*in || !*out)
> goto outerr;
>
> MLX5_SET(init2rtr_qp_in, *in, opcode, cmd); @@ -914,7 +914,7 @@
> static void alloc_inout(struct mlx5_vdpa_net *ndev, int cmd, void **in, int *inl
> *outlen = MLX5_ST_SZ_BYTES(rtr2rts_qp_out);
> *in = kzalloc(*inlen, GFP_KERNEL);
> *out = kzalloc(MLX5_ST_SZ_BYTES(rtr2rts_qp_out), GFP_KERNEL);
> - if (!in || !out)
> + if (!*in || !*out)
> goto outerr;
>
> MLX5_SET(rtr2rts_qp_in, *in, opcode, cmd);
> --
> 2.28.0
>
On Sun, Aug 09, 2020 at 06:03:00AM +0000, Eli Cohen wrote:
> After all this patch is not fixing it all. If we get to default of the switch statement we will free invalid pointer so removing ack-ed by me.
>
> The previous patch by Colin King fixes it.
Good point, sounds sensible. Thanks for looking my patch over :-)
Alex
>
>
> -----Original Message-----
> From: Eli Cohen <[email protected]>
> Sent: Sunday, August 9, 2020 8:53 AM
> To: Alex Dewar <[email protected]>
> Cc: Michael S. Tsirkin <[email protected]>; Jason Wang <[email protected]>; Parav Pandit <[email protected]>; [email protected]; [email protected]
> Subject: Re: [PATCH] vdpa/mlx5: Fix erroneous null pointer checks
>
> Acked-by: Eli Cohen <[email protected]>
> On Thu, Aug 06, 2020 at 08:18:39PM +0100, Alex Dewar wrote:
> > In alloc_inout() in net/mlx5_vnet.c, there are a few places where
> > memory is allocated to *in and *out, but only the values of in and out
> > are null-checked (i.e. there is a missing dereference). Fix this.
> >
> > Addresses-Coverity: ("CID 1496603: (REVERSE_INULL)")
> > Fixes: 1a86b377aa21 ("vdpa/mlx5: Add VDPA driver for supported mlx5
> > devices")
> > Signed-off-by: Alex Dewar <[email protected]>
> > ---
> > drivers/vdpa/mlx5/net/mlx5_vnet.c | 8 ++++----
> > 1 file changed, 4 insertions(+), 4 deletions(-)
> >
> > diff --git a/drivers/vdpa/mlx5/net/mlx5_vnet.c
> > b/drivers/vdpa/mlx5/net/mlx5_vnet.c
> > index 3ec44a4f0e45..bcb6600c2839 100644
> > --- a/drivers/vdpa/mlx5/net/mlx5_vnet.c
> > +++ b/drivers/vdpa/mlx5/net/mlx5_vnet.c
> > @@ -867,7 +867,7 @@ static void alloc_inout(struct mlx5_vdpa_net *ndev, int cmd, void **in, int *inl
> > *outlen = MLX5_ST_SZ_BYTES(qp_2rst_out);
> > *in = kzalloc(*inlen, GFP_KERNEL);
> > *out = kzalloc(*outlen, GFP_KERNEL);
> > - if (!in || !out)
> > + if (!*in || !*out)
> > goto outerr;
> >
> > MLX5_SET(qp_2rst_in, *in, opcode, cmd); @@ -879,7 +879,7 @@ static
> > void alloc_inout(struct mlx5_vdpa_net *ndev, int cmd, void **in, int *inl
> > *outlen = MLX5_ST_SZ_BYTES(rst2init_qp_out);
> > *in = kzalloc(*inlen, GFP_KERNEL);
> > *out = kzalloc(MLX5_ST_SZ_BYTES(rst2init_qp_out), GFP_KERNEL);
> > - if (!in || !out)
> > + if (!*in || !*out)
> > goto outerr;
> >
> > MLX5_SET(rst2init_qp_in, *in, opcode, cmd); @@ -896,7 +896,7 @@
> > static void alloc_inout(struct mlx5_vdpa_net *ndev, int cmd, void **in, int *inl
> > *outlen = MLX5_ST_SZ_BYTES(init2rtr_qp_out);
> > *in = kzalloc(*inlen, GFP_KERNEL);
> > *out = kzalloc(MLX5_ST_SZ_BYTES(init2rtr_qp_out), GFP_KERNEL);
> > - if (!in || !out)
> > + if (!*in || !*out)
> > goto outerr;
> >
> > MLX5_SET(init2rtr_qp_in, *in, opcode, cmd); @@ -914,7 +914,7 @@
> > static void alloc_inout(struct mlx5_vdpa_net *ndev, int cmd, void **in, int *inl
> > *outlen = MLX5_ST_SZ_BYTES(rtr2rts_qp_out);
> > *in = kzalloc(*inlen, GFP_KERNEL);
> > *out = kzalloc(MLX5_ST_SZ_BYTES(rtr2rts_qp_out), GFP_KERNEL);
> > - if (!in || !out)
> > + if (!*in || !*out)
> > goto outerr;
> >
> > MLX5_SET(rtr2rts_qp_in, *in, opcode, cmd);
> > --
> > 2.28.0
> >