On Mon, Mar 18, 2019 at 05:18:51PM -0500, Aditya Pakki wrote: > idr_find() can return a NULL value to 'flow' which is used without a check. > The patch adds a check to avoid potential NULL pointer dereference. > > Signed-off-by: Aditya Pakki <pakki001@xxxxxxx> > --- > drivers/net/ethernet/mellanox/mlx5/core/fpga/tls.c | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/drivers/net/ethernet/mellanox/mlx5/core/fpga/tls.c b/drivers/net/ethernet/mellanox/mlx5/core/fpga/tls.c > index 5cf5f2a9d51f..3df468acdffc 100644 > --- a/drivers/net/ethernet/mellanox/mlx5/core/fpga/tls.c > +++ b/drivers/net/ethernet/mellanox/mlx5/core/fpga/tls.c > @@ -226,6 +226,8 @@ int mlx5_fpga_tls_resync_rx(struct mlx5_core_dev *mdev, u32 handle, u32 seq, > rcu_read_lock(); > flow = idr_find(&mdev->fpga->tls->rx_idr, ntohl(handle)); > rcu_read_unlock(); > + if (!flow) > + return -EINVAL; It is wrong and whole function is wrong too. In such case, you will leak "buf" allocated above. The function mlx5_fpga_sbu_conn_sendmsg() which is used below can fail and it will leave "buf" unfreed too. Thanks > mlx5_fpga_tls_flow_to_cmd(flow, cmd); > > MLX5_SET(tls_cmd, cmd, swid, ntohl(handle)); > -- > 2.17.1 >
Attachment:
signature.asc
Description: PGP signature
