| Message ID | 20241030132352.154488-1-islituo@gmail.com (mailing list archive) |
|---|---|
| State | New |
| Delegated to | Netdev Maintainers |
| Series | chcr_ktls: fix a possible null-pointer dereference in chcr_ktls_dev_add() |
diff --git a/drivers/net/ethernet/chelsio/inline_crypto/ch_ktls/chcr_ktls.c b/drivers/net/ethernet/chelsio/inline_crypto/ch_ktls/chcr_ktls.c index e8e460a92e0e..524c8e032bc8 100644 --- a/drivers/net/ethernet/chelsio/inline_crypto/ch_ktls/chcr_ktls.c +++ b/drivers/net/ethernet/chelsio/inline_crypto/ch_ktls/chcr_ktls.c @@ -577,7 +577,8 @@ static int chcr_ktls_dev_add(struct net_device *netdev, struct sock *sk, cxgb4_remove_tid(&tx_info->adap->tids, tx_info->tx_chan, tx_info->tid, tx_info->ip_family); - xa_erase(&u_ctx->tid_list, tx_info->tid); + if (u_ctx) + xa_erase(&u_ctx->tid_list, tx_info->tid); put_module: /* release module refcount */
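Review bot: the added `if (u_ctx)` guard before `xa_erase(&u_ctx->tid_list, tx_info->tid)` is justified in the commit message from a check in a different function (chcr_ktls_cpl_act_open_rpl(), line 687), which reads adap->uld[CXGB4_ULD_KTLS].handle on its own; the pointer that is actually dereferenced at line 580 is the u_ctx captured at line 432 of chcr_ktls_dev_add() and already checked at line 442. The commit message should state what the line 442 check does on the NULL path: if it returns before the tid is added to u_ctx->tid_list, line 580 cannot be reached with a NULL u_ctx and the guard is defensive rather than a fix for the described scenario; if execution continues past it, then the guard is correct but the xa_erase() is also being skipped for a tid that was never inserted, which is worth saying. A short comment above the new check, for example `/* u_ctx may be NULL, see the check after the handle lookup above */`, would tell the next reader why only this xa_erase() is guarded.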
There is a possible null-pointer dereference related to the wait-completion synchronization mechanism in the function chcr_ktls_dev_add(). Consider the following execution scenario:

  chcr_ktls_cpl_act_open_rpl() //641
    u_ctx = adap->uld[CXGB4_ULD_KTLS].handle; //686
    if (u_ctx) { //687
      complete(&tx_info->completion); //704

The variable u_ctx is checked by an if statement at Line 687, which means it can be NULL. Then, complete() is called at Line 704, which will wake up wait_for_completion_xxx(). Consider the wait_for_completion_timeout() in chcr_ktls_dev_add():

  chcr_ktls_dev_add() //412
    u_ctx = adap->uld[CXGB4_ULD_KTLS].handle; //432
    wait_for_completion_timeout(&tx_info->completion, 30 * HZ); //551
    xa_erase(&u_ctx->tid_list, tx_info->tid); //580

The variable u_ctx is dereferenced without being rechecked at Line 580 after the wait_for_completion_timeout(), which can introduce a null-pointer dereference. Besides, the variable u_ctx is also checked at Line 442 in chcr_ktls_dev_add(), which indicates that u_ctx is likely to be NULL in some execution contexts.

To fix this possible null-pointer dereference, a NULL check is put ahead of the call to xa_erase().

This potential bug was discovered using an experimental static analysis tool developed by our team. The tool deduces complete() and wait_for_completion() pairs using alias analysis. It then applies data flow analysis to detect null-pointer dereferences across synchronization points.

Fixes: 65e302a9bd57 ("cxgb4/ch_ktls: Clear resources when pf4 device is removed")
Signed-off-by: Tuo Li <islituo@gmail.com>
---
 drivers/net/ethernet/chelsio/inline_crypto/ch_ktls/chcr_ktls.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)