
IB/core: off by one in error handling

Message ID: 20150818092317.GF3965@mwanda (mailing list archive)
State: Not Applicable

Commit Message

Dan Carpenter Aug. 18, 2015, 9:23 a.m. UTC
This is a zero offset array.  The current code could try to free random
memory and crash.  Also it leaks the first element.

Fixes: 230145ff8124 ('IB/core: Add RoCE GID table management')
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>

--
To unsubscribe from this list: send the line "unsubscribe linux-rdma" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Comments

Ira Weiny Aug. 29, 2015, 1:18 a.m. UTC | #1
On Tue, Aug 18, 2015 at 12:23:17PM +0300, Dan Carpenter wrote:
> This is a zero offset array.  The current code could try to free random
> memory and crash.  Also it leaks the first element.
> 
> Fixes: 230145ff8124 ('IB/core: Add RoCE GID table management')
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>

I don't actually see this in Doug's to-be-rebased/for-4.3 tree.

Looks like Doug picked up a different version of the patch in the latest
rebase.

Annotating cache.c, I see a different change from Matan in commit

76680c1cfc5ab

+rollback_table_setup:
+       for (port = 0; port < ib_dev->phys_port_cnt; port++) {
+               cleanup_gid_table_port(ib_dev, port + rdma_start_port(ib_dev),
+                                      table[port]);
+               release_gid_table(table[port]);
+       }
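Review bot: the loop bound port < ib_dev->phys_port_cnt unwinds every slot, including ports that were never set up when the failure happened partway through, so table[port] may still be unset when it reaches cleanup_gid_table_port() and release_gid_table(). Nothing in these lines shows a NULL check; either confirm that both helpers accept an empty entry and that table is zero-initialised, or unwind only up to the port that failed.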

Ira

> 
> diff --git a/drivers/infiniband/core/cache.c b/drivers/infiniband/core/cache.c
> index a9d5c70..f5d14a7 100644
> --- a/drivers/infiniband/core/cache.c
> +++ b/drivers/infiniband/core/cache.c
> @@ -582,7 +582,7 @@ static int _gid_table_setup_one(struct ib_device *ib_dev)
>  	return 0;
>  
>  rollback_table_setup:
> -	for (port = 1; port <= ib_dev->phys_port_cnt; port++)
> +	for (port = 0; port < ib_dev->phys_port_cnt; port++)
>  		free_gid_table(ib_dev, port, table[port]);
>  
>  	kfree(table);
Doug Ledford Aug. 29, 2015, 3:59 a.m. UTC | #2
On 08/28/2015 09:18 PM, ira.weiny wrote:
> On Tue, Aug 18, 2015 at 12:23:17PM +0300, Dan Carpenter wrote:
>> This is a zero offset array.  The current code could try to free random
>> memory and crash.  Also it leaks the first element.
>>
>> Fixes: 230145ff8124 ('IB/core: Add RoCE GID table management')
>> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> 
> I don't actually see this in Doug's to-be-rebased/for-4.3 tree.
> 
> Looks like Doug picked up a different version of the patch in the latest
> rebase.
> 
> Annotating cache.c, I see a different change from Matan in commit
> 
> 76680c1cfc5ab
> 
> +rollback_table_setup:
> +       for (port = 0; port < ib_dev->phys_port_cnt; port++) {
> +               cleanup_gid_table_port(ib_dev, port + rdma_start_port(ib_dev),
> +                                      table[port]);
> +               release_gid_table(table[port]);
> +       }
> 
> Ira

Correct, so I dropped this patch.

>>
>> diff --git a/drivers/infiniband/core/cache.c b/drivers/infiniband/core/cache.c
>> index a9d5c70..f5d14a7 100644
>> --- a/drivers/infiniband/core/cache.c
>> +++ b/drivers/infiniband/core/cache.c
>> @@ -582,7 +582,7 @@ static int _gid_table_setup_one(struct ib_device *ib_dev)
>>  	return 0;
>>  
>>  rollback_table_setup:
>> -	for (port = 1; port <= ib_dev->phys_port_cnt; port++)
>> +	for (port = 0; port < ib_dev->phys_port_cnt; port++)
>>  		free_gid_table(ib_dev, port, table[port]);
>>  
>>  	kfree(table);
>
Doug Ledford Sept. 3, 2015, 5:39 p.m. UTC | #3
On 08/18/2015 05:23 AM, Dan Carpenter wrote:
> This is a zero offset array.  The current code could try to free random
> memory and crash.  Also it leaks the first element.
> 
> Fixes: 230145ff8124 ('IB/core: Add RoCE GID table management')
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>

This one, however, was not needed after Matan's fixup series was applied.

> diff --git a/drivers/infiniband/core/cache.c b/drivers/infiniband/core/cache.c
> index a9d5c70..f5d14a7 100644
> --- a/drivers/infiniband/core/cache.c
> +++ b/drivers/infiniband/core/cache.c
> @@ -582,7 +582,7 @@ static int _gid_table_setup_one(struct ib_device *ib_dev)
>  	return 0;
>  
>  rollback_table_setup:
> -	for (port = 1; port <= ib_dev->phys_port_cnt; port++)
> +	for (port = 0; port < ib_dev->phys_port_cnt; port++)
>  		free_gid_table(ib_dev, port, table[port]);
>  
>  	kfree(table);
>

Patch

diff --git a/drivers/infiniband/core/cache.c b/drivers/infiniband/core/cache.c
index a9d5c70..f5d14a7 100644
--- a/drivers/infiniband/core/cache.c
+++ b/drivers/infiniband/core/cache.c
@@ -582,7 +582,7 @@  static int _gid_table_setup_one(struct ib_device *ib_dev)
 	return 0;
 
 rollback_table_setup:
-	for (port = 1; port <= ib_dev->phys_port_cnt; port++)
+	for (port = 0; port < ib_dev->phys_port_cnt; port++)
 		free_gid_table(ib_dev, port, table[port]);
 
 	kfree(table);
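Review bot: the second argument to free_gid_table() on the changed loop line shifts together with the array index. Before this change it received 1..phys_port_cnt and now it receives 0..phys_port_cnt-1, so if free_gid_table() interprets that argument as a device port number rather than a table index, the cleanup is applied to the wrong port. Consider keeping table[port] zero-based but passing the port number separately, as the rollback loop from 76680c1cfc5ab quoted in the comments does with port + rdma_start_port(ib_dev).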