kmalloc_array() is called to allocate memory for tx->descp. If it fails,
the function __sdma_txclean() is called:
__sdma_txclean(dd, tx);
However, in the function __sdma_txclean(), tx-descp is dereferenced if
tx->num_desc is not zero:
sdma_unmap_desc(dd, &tx->descp[0]);
To fix this possible null-pointer dereference, assign 0 to tx->num_desc if
kmalloc_array() returns NULL.
Reported-by: TOTE Robot <oslab@xxxxxxxxxxxxxxx>
Signed-off-by: Tuo Li <islituo@xxxxxxxxx>
---
drivers/infiniband/hw/hfi1/sdma.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/infiniband/hw/hfi1/sdma.c b/drivers/infiniband/hw/hfi1/sdma.c
index eb15c310d63d..00e29c3dfe96 100644
--- a/drivers/infiniband/hw/hfi1/sdma.c
+++ b/drivers/infiniband/hw/hfi1/sdma.c
@@ -3079,8 +3079,10 @@ static int _extend_sdma_tx_descs(struct hfi1_devdata *dd, struct sdma_txreq *tx)
MAX_DESC,
sizeof(struct sdma_desc),
GFP_ATOMIC);
- if (!tx->descp)
+ if (!tx->descp) {
+ tx->num_desc = 0;
goto enomem;
+ }
/* reserve last descriptor for coalescing */
tx->desc_limit = MAX_DESC - 1;
--
2.25.1
