On Fri, Aug 06, 2021 at 01:39:53AM -0700, Tuo Li wrote:
> kmalloc_array() is called to allocate memory for tx->descp. If it fails,
> the function __sdma_txclean() is called:
>   __sdma_txclean(dd, tx);
>
> However, in the function __sdma_txclean(), tx->descp is dereferenced if
> tx->num_desc is not zero:
>   sdma_unmap_desc(dd, &tx->descp[0]);
>
> To fix this possible null-pointer dereference, assign the return value of
> kmalloc_array() to a local variable descp, and then assign it to tx->descp
> if it is not NULL. Otherwise, go to enomem.
>
> Reported-by: TOTE Robot <oslab@xxxxxxxxxxxxxxx>
> Signed-off-by: Tuo Li <islituo@xxxxxxxxx>
> ---
> v2:
> * Assign the return value of kmalloc_array() to a local variable and then
> check it instead of assigning 0 to tx->num_desc when memory allocation
> fails.
> Thank Mike Marciniszyn for helpful advice.
> ---
>  drivers/infiniband/hw/hfi1/sdma.c | 11 ++++++-----
>  1 file changed, 6 insertions(+), 5 deletions(-)

Fixes line?

Jason
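
The failure path described in the quoted commit message, as an added userspace C model that is not part of this thread or of the hfi1 driver. The struct layout, `inline_d`, `fail_alloc`, `model_alloc()`, `txclean()` and the `extend_*` names are assumptions, and `-EFAULT` marks the point where the driver would dereference NULL.

```c
#include <errno.h>
#include <stdlib.h>

/* Userspace model: names follow the commit message, layout is assumed. */
struct desc { unsigned long qw[2]; };
struct txreq {
    struct desc *descp;        /* descriptor array in use */
    struct desc inline_d[2];   /* assumed initial storage */
    unsigned int num_desc;     /* descriptors already mapped */
};

static int fail_alloc;         /* constructed hook: force allocation failure */

static void *model_alloc(size_t n, size_t size)
{
    return fail_alloc ? NULL : calloc(n, size);
}

/* Stand-in for __sdma_txclean(): touches descp[0] when num_desc != 0 and
 * returns -EFAULT where the driver would dereference NULL. */
static int txclean(struct txreq *tx)
{
    if (tx->num_desc && !tx->descp)
        return -EFAULT;
    if (tx->num_desc)
        tx->descp[0].qw[0] = 0;   /* stands in for sdma_unmap_desc() */
    tx->num_desc = 0;
    return 0;
}

/* Before the fix: the result lands in tx->descp before it is checked. */
static int extend_before(struct txreq *tx, size_t max)
{
    tx->descp = model_alloc(max, sizeof(*tx->descp));
    return tx->descp ? 0 : (txclean(tx) ? -EFAULT : -ENOMEM);
}

/* After the fix: a local holds the result; tx->descp stays valid on failure. */
static int extend_after(struct txreq *tx, size_t max)
{
    struct desc *descp = model_alloc(max, sizeof(*descp));

    if (!descp)
        return txclean(tx) ? -EFAULT : -ENOMEM;
    tx->descp = descp;
    return 0;
}
```

With the allocation forced to fail and one descriptor already mapped, `extend_before()` reaches cleanup with a NULL `descp`, while `extend_after()` cleans up the still-valid array and reports `-ENOMEM`.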