On Sun, Jun 24, 2018 at 01:57:51PM -0600, Jason Gunthorpe wrote:
> On Sun, Jun 24, 2018 at 11:23:47AM +0300, Leon Romanovsky wrote:
> > From: Leon Romanovsky <leonro@xxxxxxxxxxxx>
> >
> > The number of specs is provided by the user and in a valid case can be equal to zero.
> > Such an argument causes a call to kcalloc() with a zero-length request, and in
> > return ZERO_SIZE_PTR is assigned. This pointer is different from NULL
> > and makes various if (..) checks succeed.
>
> This one seems really weird. There is nothing wrong with ZERO_SIZE_PTR,
> but this description and fix suggest that something did
>
> ptr = kmalloc(0);
> ptr[0] = ...;
>
> Which is not allowed of course. Doesn't this mean there is also a
> missing range check someplace?

I don't know; this issue was found during code review of ib_uverbs_ex_create_flow(), and may or may not be a real issue.

Thanks

> Jason
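Added example, not code from the thread or from the kernel patch under discussion: a user-space model of the zero-length kcalloc() corner case Jason and Leon are talking about. ZERO_SIZE_PTR and ZERO_OR_NULL_PTR mirror their <linux/slab.h> definitions; mock_kcalloc(), mock_kfree() and the two specs_alloc_*_ok() functions are hypothetical stand-ins that show why a plain NULL check passes for a user-supplied count of zero and what the missing range check looks like.

```c
/* User-space model of the kcalloc() zero-length case (added example). */
#include <stddef.h>
#include <stdlib.h>

/* Same values as <linux/slab.h>: a zero-length allocation returns a
 * non-NULL sentinel, and ZERO_OR_NULL_PTR() catches both NULL and it. */
#define ZERO_SIZE_PTR ((void *)16)
#define ZERO_OR_NULL_PTR(x) \
    ((unsigned long)(x) <= (unsigned long)ZERO_SIZE_PTR)

/* Hypothetical stand-in for kcalloc(): n == 0 yields ZERO_SIZE_PTR. */
static void *mock_kcalloc(size_t n, size_t size)
{
    if (n == 0 || size == 0)
        return ZERO_SIZE_PTR;
    return calloc(n, size);
}

/* Stand-in for kfree(): like the kernel, it tolerates ZERO_SIZE_PTR. */
static void mock_kfree(void *p)
{
    if (!ZERO_OR_NULL_PTR(p))
        free(p);
}

/* Naive pattern: only tests for NULL, so a user-supplied num_specs of 0
 * "succeeds" and later code may index into a zero-length buffer. */
int specs_alloc_naive_ok(unsigned int num_specs)
{
    void *specs = mock_kcalloc(num_specs, sizeof(int));
    int ok = (specs != NULL);   /* ZERO_SIZE_PTR != NULL -> true */

    mock_kfree(specs);
    return ok;
}

/* Range-checked pattern: reject a zero count before allocating, and treat
 * ZERO_SIZE_PTR like an allocation failure afterwards. */
int specs_alloc_checked_ok(unsigned int num_specs)
{
    void *specs;

    if (num_specs == 0)         /* the range check the thread asks about */
        return 0;
    specs = mock_kcalloc(num_specs, sizeof(int));
    if (ZERO_OR_NULL_PTR(specs))
        return 0;
    mock_kfree(specs);
    return 1;
}
```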