On Fri, Aug 06, 2021 at 06:30:29AM -0700, Tuo Li wrote:
> kmalloc_array() is called to allocate memory for tx->descp. If it fails,
> the function __sdma_txclean() is called:
>   __sdma_txclean(dd, tx);
>
> However, in the function __sdma_txclean(), tx->descp is dereferenced if
> tx->num_desc is not zero:
>   sdma_unmap_desc(dd, &tx->descp[0]);
>
> To fix this possible null-pointer dereference, assign the return value of
> kmalloc_array() to a local variable descp, and then assign it to tx->descp
> if it is not NULL. Otherwise, go to enomem.
>
> Fixes: 7724105686e7 ("IB/hfi1: add driver files")
> Reported-by: TOTE Robot <oslab@xxxxxxxxxxxxxxx>
> Signed-off-by: Tuo Li <islituo@xxxxxxxxx>
> Tested-by: Mike Marciniszyn <mike.marciniszyn@xxxxxxxxxxxxxxxxxxxx>
> Acked-by: Mike Marciniszyn <mike.marciniszyn@xxxxxxxxxxxxxxxxxxxx>
> ---
> v3:
> * Add fixes line.
>   Thank Jason Gunthorpe for helpful advice.
> v2:
> * Assign the return value of kmalloc_array() to a local variable and then
>   check it instead of assigning 0 to tx->num_desc when memory allocation
>   fails.
>   Thank Mike Marciniszyn for helpful advice.
> ---
>  drivers/infiniband/hw/hfi1/sdma.c | 11 ++++++-----
>  1 file changed, 6 insertions(+), 5 deletions(-)

I fixed the wonky code formatting and applied to for-rc, thanks

Jason
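
A userspace C model of the failure path the commit message describes, added here as an illustration and not taken from the hfi1 driver or the patch. All struct, function and enum names, the `fail_alloc` hook and the inline starting array are assumptions, and the cleanup reports the NULL dereference as a return code instead of crashing.

```c
#include <stdlib.h>
#include <string.h>
/* Userspace model of the bug; every name here is hypothetical, not hfi1 code. */
enum { EXT_OK = 0, EXT_NOMEM = 1, EXT_NULL_DEREF = 2 };
struct desc { unsigned long qw[2]; };
struct txreq {
    struct desc *descp;           /* descriptor array currently in use */
    struct desc inline_descs[2];  /* assumed small built-in starting array */
    unsigned num_desc;            /* descriptors already filled in */
};

static int fail_alloc;            /* test hook: force the allocation to fail */
static void *alloc_array(size_t n, size_t sz) { return fail_alloc ? NULL : calloc(n, sz); }
static void tx_init(struct txreq *tx)
{
    memset(tx, 0, sizeof(*tx));
    tx->descp = tx->inline_descs;
    tx->num_desc = 2;
}

/* Cleanup touches descp[0] whenever num_desc != 0, as __sdma_txclean() does.
 * Returns nonzero where the kernel would have dereferenced NULL. */
static int txclean(struct txreq *tx)
{
    int bad = tx->num_desc && !tx->descp;
    if (tx->num_desc && tx->descp)
        tx->descp[0].qw[0] = 0;   /* stand-in for sdma_unmap_desc() */
    if (tx->descp != tx->inline_descs)
        free(tx->descp);          /* free(NULL) is a no-op */
    tx->descp = tx->inline_descs;
    tx->num_desc = 0;
    return bad;
}

/* Before: the result lands in tx->descp, so a failure wipes the live pointer. */
static int extend_buggy(struct txreq *tx, size_t n)
{
    tx->descp = alloc_array(n, sizeof(*tx->descp));
    if (!tx->descp) return txclean(tx) ? EXT_NULL_DEREF : EXT_NOMEM;
    memcpy(tx->descp, tx->inline_descs, tx->num_desc * sizeof(*tx->descp));
    return EXT_OK;
}

/* After: check a local first; tx->descp stays valid for cleanup on failure. */
static int extend_fixed(struct txreq *tx, size_t n)
{
    struct desc *descp = alloc_array(n, sizeof(*descp));
    if (!descp) return txclean(tx) ? EXT_NULL_DEREF : EXT_NOMEM;
    memcpy(descp, tx->inline_descs, tx->num_desc * sizeof(*descp));
    tx->descp = descp;
    return EXT_OK;
}
```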