diff mbox series

[linux-next] net/smc: prevent NULL dereference in smc_find_rdma_v2_device_serv()

Message ID 20211018183128.17743-1-tim.gardner@canonical.com (mailing list archive)
State Rejected
Delegated to: Netdev Maintainers
Headers show
Series [linux-next] net/smc: prevent NULL dereference in smc_find_rdma_v2_device_serv() | expand

Checks

Context Check Description
netdev/cover_letter success Single patches do not need cover letters
netdev/fixes_present success Fixes tag not required for -next series
netdev/patch_count success Link
netdev/tree_selection success Guessed tree name to be net-next
netdev/subject_prefix warning Target tree name not specified in the subject
netdev/cc_maintainers success CCed 5 of 5 maintainers
netdev/source_inline success Was 0 now: 0
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/module_param success Was 0 now: 0
netdev/build_32bit fail Errors and warnings before: 4 this patch: 4
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/verify_fixes success Fixes tag looks correct
netdev/checkpatch warning WARNING: line length of 91 exceeds 80 columns
netdev/build_allmodconfig_warn success Errors and warnings before: 0 this patch: 0
netdev/header_inline success No static functions without inline keyword in header files

Commit Message

Tim Gardner Oct. 18, 2021, 6:31 p.m. UTC 
Coverity complains of a possible NULL dereference in smc_find_rdma_v2_device_serv().

1782        smc_v2_ext = smc_get_clc_v2_ext(pclc);
CID 121151 (#1 of 1): Dereference null return value (NULL_RETURNS)
5. dereference: Dereferencing a pointer that might be NULL smc_v2_ext when calling smc_clc_match_eid. [show details]
1783        if (!smc_clc_match_eid(ini->negotiated_eid, smc_v2_ext, NULL, NULL))
1784                goto not_found;

Fix this by checking for NULL.

Fixes: e49300a6bf621 ("net/smc: add listen processing for SMC-Rv2")
Cc: Karsten Graul <kgraul@linux.ibm.com>
Cc: "David S. Miller" <davem@davemloft.net>
Cc: Jakub Kicinski <kuba@kernel.org>
Cc: linux-s390@vger.kernel.org
Cc: netdev@vger.kernel.org
Cc: linux-kernel@vger.kernel.org
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
---
 net/smc/af_smc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Karsten Graul Oct. 19, 2021, 6:33 a.m. UTC | #1 
On 18/10/2021 20:31, Tim Gardner wrote:
> Coverity complains of a possible NULL dereference in smc_find_rdma_v2_device_serv().
> 
> 1782        smc_v2_ext = smc_get_clc_v2_ext(pclc);
> CID 121151 (#1 of 1): Dereference null return value (NULL_RETURNS)
> 5. dereference: Dereferencing a pointer that might be NULL smc_v2_ext when calling smc_clc_match_eid. [show details]
> 1783        if (!smc_clc_match_eid(ini->negotiated_eid, smc_v2_ext, NULL, NULL))
> 1784                goto not_found;
> 
> Fix this by checking for NULL.

Hmm that's a fundamental question for me: do we want to make the code checkers happy?
While I understand that those warnings give an uneasy feeling I am not sure
if the code should have additional (unneeded) checks only to avoid them.

In this case all NULL checks are initially done in smc_listen_v2_check(), 
afterwards no more NULL checks are needed. When we would like to add them
then a lot more checks are needed, e.g. 3 times in smc_find_ism_v2_device_serv()
(not sure why coverity does not complain about them, too).

Thoughts?
Tim Gardner Oct. 19, 2021, 11:39 a.m. UTC | #2 
On 10/19/21 12:33 AM, Karsten Graul wrote:
> On 18/10/2021 20:31, Tim Gardner wrote:
>> Coverity complains of a possible NULL dereference in smc_find_rdma_v2_device_serv().
>>
>> 1782        smc_v2_ext = smc_get_clc_v2_ext(pclc);
>> CID 121151 (#1 of 1): Dereference null return value (NULL_RETURNS)
>> 5. dereference: Dereferencing a pointer that might be NULL smc_v2_ext when calling smc_clc_match_eid. [show details]
>> 1783        if (!smc_clc_match_eid(ini->negotiated_eid, smc_v2_ext, NULL, NULL))
>> 1784                goto not_found;
>>
>> Fix this by checking for NULL.
> 
> Hmm that's a fundamental question for me: do we want to make the code checkers happy?
> While I understand that those warnings give an uneasy feeling I am not sure
> if the code should have additional (unneeded) checks only to avoid them.
> 

Coverity produces a lot of false positives. I thought this one might be 
legitimate, but if you're comfortable that its not an issue then I'm OK 
with that.

> In this case all NULL checks are initially done in smc_listen_v2_check(),
> afterwards no more NULL checks are needed. When we would like to add them
> then a lot more checks are needed, e.g. 3 times in smc_find_ism_v2_device_serv()
> (not sure why coverity does not complain about them, too).
> 
> Thoughts?
> 

Coverity probably has produced a report from the other call sites if 
you've used a similar pattern, I just hadn't gotten to them yet.

I'll just mark them all as false positives.

rtg
diff mbox series

Patch

diff --git a/net/smc/af_smc.c b/net/smc/af_smc.c
index 5e50e007a7da..ff23d5b40793 100644
--- a/net/smc/af_smc.c
+++ b/net/smc/af_smc.c
@@ -1780,7 +1780,7 @@  static void smc_find_rdma_v2_device_serv(struct smc_sock *new_smc,
 		goto not_found;
 
 	smc_v2_ext = smc_get_clc_v2_ext(pclc);
-	if (!smc_clc_match_eid(ini->negotiated_eid, smc_v2_ext, NULL, NULL))
+	if (!smc_v2_ext || !smc_clc_match_eid(ini->negotiated_eid, smc_v2_ext, NULL, NULL))
 		goto not_found;
 
 	/* prepare RDMA check */