| Message ID | 1465157636-10120-1-git-send-email-sudipm.mukherjee@gmail.com (mailing list archive) |
|---|---|
| State | Not Applicable |
| Headers | show |
On Sun, Jun 05, 2016 at 09:13:55PM +0100, Sudip Mukherjee wrote: > If stats->names is NULL or stats->num_counters <= 0 we are jumping to > the error path where the for loop is freeing hsag->attrs[i]. But as i > is initialized to 0 so i >= 0 will be true and the loop will execute > once trying to free hsag->attrs[0]. But hsag is NULL still now leading > to a NULL pointer dereference. > > Signed-off-by: Sudip Mukherjee <sudip.mukherjee@codethink.co.uk> Thanks, Reviewed-by: Leon Romanovsky <leonro@mellanox.com> > --- > drivers/infiniband/core/sysfs.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/infiniband/core/sysfs.c b/drivers/infiniband/core/sysfs.c > index 5e573bb..fcf6f9c 100644 > --- a/drivers/infiniband/core/sysfs.c > +++ b/drivers/infiniband/core/sysfs.c > @@ -891,7 +891,7 @@ static void setup_hw_stats(struct ib_device *device, struct ib_port *port, > { > struct attribute_group *hsag = NULL; > struct rdma_hw_stats *stats; > - int i = 0, ret; > + int i = -1, ret; > > stats = device->alloc_hw_stats(device, port_num); > > -- > 1.9.1 > > -- > To unsubscribe from this list: send the line "unsubscribe linux-rdma" in > the body of a message to majordomo@vger.kernel.org > More majordomo info at http://vger.kernel.org/majordomo-info.html
On 6/5/2016 4:13 PM, Sudip Mukherjee wrote: > If stats->names is NULL or stats->num_counters <= 0 we are jumping to > the error path where the for loop is freeing hsag->attrs[i]. But as i > is initialized to 0 so i >= 0 will be true and the loop will execute > once trying to free hsag->attrs[0]. But hsag is NULL still now leading > to a NULL pointer dereference. > > Signed-off-by: Sudip Mukherjee <sudip.mukherjee@codethink.co.uk> > --- > drivers/infiniband/core/sysfs.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/infiniband/core/sysfs.c b/drivers/infiniband/core/sysfs.c > index 5e573bb..fcf6f9c 100644 > --- a/drivers/infiniband/core/sysfs.c > +++ b/drivers/infiniband/core/sysfs.c > @@ -891,7 +891,7 @@ static void setup_hw_stats(struct ib_device *device, struct ib_port *port, > { > struct attribute_group *hsag = NULL; > struct rdma_hw_stats *stats; > - int i = 0, ret; > + int i = -1, ret; > > stats = device->alloc_hw_stats(device, port_num); > > This issue was fixed in a different way and this patch is no longer applicable.
diff --git a/drivers/infiniband/core/sysfs.c b/drivers/infiniband/core/sysfs.c index 5e573bb..fcf6f9c 100644 --- a/drivers/infiniband/core/sysfs.c +++ b/drivers/infiniband/core/sysfs.c @@ -891,7 +891,7 @@ static void setup_hw_stats(struct ib_device *device, struct ib_port *port, { struct attribute_group *hsag = NULL; struct rdma_hw_stats *stats; - int i = 0, ret; + int i = -1, ret; stats = device->alloc_hw_stats(device, port_num);
If stats->names is NULL or stats->num_counters <= 0 we are jumping to the error path where the for loop is freeing hsag->attrs[i]. But as i is initialized to 0 so i >= 0 will be true and the loop will execute once trying to free hsag->attrs[0]. But hsag is NULL still now leading to a NULL pointer dereference. Signed-off-by: Sudip Mukherjee <sudip.mukherjee@codethink.co.uk> --- drivers/infiniband/core/sysfs.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)