diff mbox series

[next] i40iw: fix null pointer dereference on a null wqe pointer

Message ID 20200401224921.405279-1-colin.king@canonical.com (mailing list archive)
State Mainlined
Commit f70968f05de4e7c24d839ca0d3e40f17c8024498
Delegated to: Jason Gunthorpe
Headers show
Series [next] i40iw: fix null pointer dereference on a null wqe pointer | expand

Commit Message

Colin King April 1, 2020, 10:49 p.m. UTC 
From: Colin Ian King <colin.king@canonical.com>

Currently the null check for wqe is incorrect and lets a null wqe
be passed to set_64bit_val and this indexes into the null pointer
causing a null pointer dereference.  Fix this by fixing the null
pointer check to return an error if wqe is null.

Addresses-Coverity: ("dereference after a null check")
Fixes: 4b34e23f4eaa ("i40iw: Report correct firmware version")
Signed-off-by: Colin Ian King <colin.king@canonical.com>
---
 drivers/infiniband/hw/i40iw/i40iw_ctrl.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Shiraz Saleem April 1, 2020, 11:40 p.m. UTC | #1 
> Subject: [PATCH][next] i40iw: fix null pointer dereference on a null wqe pointer
> 
> From: Colin Ian King <colin.king@canonical.com>
> 
> Currently the null check for wqe is incorrect and lets a null wqe be passed to
> set_64bit_val and this indexes into the null pointer causing a null pointer
> dereference.  Fix this by fixing the null pointer check to return an error if wqe is
> null.
> 
> Addresses-Coverity: ("dereference after a null check")
> Fixes: 4b34e23f4eaa ("i40iw: Report correct firmware version")
> Signed-off-by: Colin Ian King <colin.king@canonical.com>

Ugh! Yes. That’s a bad one. Thanks for the fix.

Acked-by: Shiraz Saleem <shiraz.saleem@intel.com>
Jason Gunthorpe April 14, 2020, 6:51 p.m. UTC | #2 
On Wed, Apr 01, 2020 at 11:49:21PM +0100, Colin King wrote:
> From: Colin Ian King <colin.king@canonical.com>
> 
> Currently the null check for wqe is incorrect and lets a null wqe
> be passed to set_64bit_val and this indexes into the null pointer
> causing a null pointer dereference.  Fix this by fixing the null
> pointer check to return an error if wqe is null.
> 
> Addresses-Coverity: ("dereference after a null check")
> Fixes: 4b34e23f4eaa ("i40iw: Report correct firmware version")
> Signed-off-by: Colin Ian King <colin.king@canonical.com>
> Acked-by: Shiraz Saleem <shiraz.saleem@intel.com>
> ---
>  drivers/infiniband/hw/i40iw/i40iw_ctrl.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)

Applied to for-rc, thanks

Jason
diff mbox series

Patch

diff --git a/drivers/infiniband/hw/i40iw/i40iw_ctrl.c b/drivers/infiniband/hw/i40iw/i40iw_ctrl.c
index e8b4b3743661..688f19667221 100644
--- a/drivers/infiniband/hw/i40iw/i40iw_ctrl.c
+++ b/drivers/infiniband/hw/i40iw/i40iw_ctrl.c
@@ -1046,7 +1046,7 @@  i40iw_sc_query_rdma_features(struct i40iw_sc_cqp *cqp,
 	u64 header;
 
 	wqe = i40iw_sc_cqp_get_next_send_wqe(cqp, scratch);
-	if (wqe)
+	if (!wqe)
 		return I40IW_ERR_RING_FULL;
 
 	set_64bit_val(wqe, 32, feat_mem->pa);