| From e2dabc4f7e7b60299c20a36d6a7b24ed9bf8e572 Mon Sep 17 00:00:00 2001 |
| From: Zhou Qingyang <zhou1615@umn.edu> |
| Date: Tue, 30 Nov 2021 19:08:48 +0800 |
| Subject: net: qlogic: qlcnic: Fix a NULL pointer dereference in qlcnic_83xx_add_rings() |
| |
| From: Zhou Qingyang <zhou1615@umn.edu> |
| |
| commit e2dabc4f7e7b60299c20a36d6a7b24ed9bf8e572 upstream. |
| |
| In qlcnic_83xx_add_rings(), the indirect function of |
| ahw->hw_ops->alloc_mbx_args will be called to allocate memory for |
| cmd.req.arg, and there is a dereference of it in qlcnic_83xx_add_rings(), |
| which could lead to a NULL pointer dereference on failure of the |
| indirect function like qlcnic_83xx_alloc_mbx_args(). |
| |
| Fix this bug by adding a check of alloc_mbx_args(). This patch |
| imitates the logic of mbx_cmd()'s failure handling. |
| |
| This bug was found by a static analyzer. The analysis employs |
| differential checking to identify inconsistent security operations |
| (e.g., checks or kfrees) between two code paths and confirms that the |
| inconsistent operations are not recovered in the current function or |
| the callers, so they constitute bugs. |
| |
| Note that, as a bug found by static analysis, it can be a false |
| positive or hard to trigger. Multiple researchers have cross-reviewed |
| the bug. |
| |
| Builds with CONFIG_QLCNIC=m show no new warnings, and our |
| static analyzer no longer warns about this code. |
| |
| Fixes: 7f9664525f9c ("qlcnic: 83xx memory map and HW access routine") |
| Signed-off-by: Zhou Qingyang <zhou1615@umn.edu> |
| Link: https://lore.kernel.org/r/20211130110848.109026-1-zhou1615@umn.edu |
| Signed-off-by: Jakub Kicinski <kuba@kernel.org> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| --- |
| drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.c | 10 ++++++++-- |
| 1 file changed, 8 insertions(+), 2 deletions(-) |
| |
| --- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.c |
| +++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.c |
| @@ -1076,8 +1076,14 @@ static int qlcnic_83xx_add_rings(struct |
| sds_mbx_size = sizeof(struct qlcnic_sds_mbx); |
| context_id = recv_ctx->context_id; |
| num_sds = adapter->drv_sds_rings - QLCNIC_MAX_SDS_RINGS; |
| - ahw->hw_ops->alloc_mbx_args(&cmd, adapter, |
| - QLCNIC_CMD_ADD_RCV_RINGS); |
| + err = ahw->hw_ops->alloc_mbx_args(&cmd, adapter, |
| + QLCNIC_CMD_ADD_RCV_RINGS); |
| + if (err) { |
| + dev_err(&adapter->pdev->dev, |
| + "Failed to alloc mbx args %d\n", err); |
| + return err; |
| + } |
| + |
| cmd.req.arg[1] = 0 | (num_sds << 8) | (context_id << 16); |
| |
| /* set up status rings, mbx 2-81 */ |
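
Review bot: the new `if (err)` block after the `alloc_mbx_args()` call returns directly, so please confirm that nothing needs releasing on this path. The context visible before the call only assigns `sds_mbx_size`, `context_id` and `num_sds`, so the bare `return err` is safe only if `alloc_mbx_args()` leaves no allocation behind in `cmd` when it fails. The commit message says the check imitates mbx_cmd()'s failure handling, but that handling is outside this hunk; if it runs a cleanup step for `cmd`, add a sentence to the message explaining why this earlier path can skip it.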