Message ID | 20180624082353.16138-7-leon@kernel.org |
---|---|
State | Not Applicable, archived |
Delegated to: | David Miller |
Headers | show |
Series | RDMA fixes 2018-06-24 | expand |
On Sun, Jun 24, 2018 at 11:23:47AM +0300, Leon Romanovsky wrote: > From: Leon Romanovsky <leonro@mellanox.com> > > Number of specs is provided by user and in valid case can be equal to zero. > Such argument causes to call to kcalloc() with zero-length request and in > return the ZERO_SIZE_PTR is assigned. This pointer is different from NULL > and makes various if (..) checks to success. The one seems really weird. There is nothing wrong with ZERO_SIZE_PTR, but this description and fix suggest that something did ptr = kalloc(0); ptr[0] = ...; Which is not allowed of course. Doesn't this mean there is also a missing range check someplace? Jason
On Sun, Jun 24, 2018 at 01:57:51PM -0600, Jason Gunthorpe wrote: > On Sun, Jun 24, 2018 at 11:23:47AM +0300, Leon Romanovsky wrote: > > From: Leon Romanovsky <leonro@mellanox.com> > > > > Number of specs is provided by user and in valid case can be equal to zero. > > Such argument causes to call to kcalloc() with zero-length request and in > > return the ZERO_SIZE_PTR is assigned. This pointer is different from NULL > > and makes various if (..) checks to success. > > The one seems really weird. There is nothing wrong with ZERO_SIZE_PTR, > but this description and fix suggest that something did > > ptr = kalloc(0); > ptr[0] = ...; > > Which is not allowed of course. Doesn't this mean there is also a > missing range check someplace? I don't know, this issue was found during code review of ib_uvrebs_ex_create_flow(), may or may not be real issue. Thanks > > Jason
diff --git a/drivers/infiniband/core/uverbs_cmd.c b/drivers/infiniband/core/uverbs_cmd.c index 3aba63aa1779..8ed4b674416f 100644 --- a/drivers/infiniband/core/uverbs_cmd.c +++ b/drivers/infiniband/core/uverbs_cmd.c @@ -2768,6 +2768,9 @@ static struct ib_uflow_resources *flow_resources_alloc(size_t num_specs) if (!resources) return NULL; + if (!num_specs) + goto out; + resources->counters = kcalloc(num_specs, sizeof(*resources->counters), GFP_KERNEL); resources->collection = @@ -2776,8 +2779,8 @@ static struct ib_uflow_resources *flow_resources_alloc(size_t num_specs) if (!resources->counters || !resources->collection) goto err; +out: resources->max = num_specs; - return resources; err: