Re: [patch] IB/core: off by one in error handling
On 08/18/2015 05:23 AM, Dan Carpenter wrote:
> This is a zero offset array. The current code could try to free random
> memory and crash. Also it leaks the first element.
>
> Fixes: 230145ff8124 ('IB/core: Add RoCE GID table management')
> Signed-off-by: Dan Carpenter

This one, however, was not needed after Matan's fixup series was applied.

> diff --git a/drivers/infiniband/core/cache.c b/drivers/infiniband/core/cache.c > index a9d5c70..f5d14a7 100644 > --- a/drivers/infiniband/core/cache.c > +++ b/drivers/infiniband/core/cache.c > @@ -582,7 +582,7 @@ static int _gid_table_setup_one(struct ib_device *ib_dev) > return 0; > > rollback_table_setup: > - for (port = 1; port <= ib_dev->phys_port_cnt; port++) > + for (port = 0; port < ib_dev->phys_port_cnt; port++) > free_gid_table(ib_dev, port, table[port]); > > kfree(table); >

-- Doug Ledford GPG KeyID: 0E572FDD
Re: [patch] IB/core: off by one in error handling
On 08/28/2015 09:18 PM, ira.weiny wrote:

On Tue, Aug 18, 2015 at 12:23:17PM +0300, Dan Carpenter wrote:

This is a zero offset array. The current code could try to free random memory and crash. Also it leaks the first element.

Fixes: 230145ff8124 ('IB/core: Add RoCE GID table management')
Signed-off-by: Dan Carpenter dan.carpen...@oracle.com

I don't actually see this in Doug's to-be-rebased/for-4.3 tree. Looks like Doug picked up a different version of the patch in the latest rebase. Annotating cache.c I see a different change from Matan in commit 76680c1cfc5ab

+rollback_table_setup: + for (port = 0; port ib_dev-phys_port_cnt; port++) { + cleanup_gid_table_port(ib_dev, port + rdma_start_port(ib_dev), + table[port]); + release_gid_table(table[port]); + }

Ira

Correct, so I dropped this patch.

diff --git a/drivers/infiniband/core/cache.c b/drivers/infiniband/core/cache.c index a9d5c70..f5d14a7 100644 --- a/drivers/infiniband/core/cache.c +++ b/drivers/infiniband/core/cache.c @@ -582,7 +582,7 @@ static int _gid_table_setup_one(struct ib_device *ib_dev) return 0; rollback_table_setup: -for (port = 1; port = ib_dev-phys_port_cnt; port++) +for (port = 0; port ib_dev-phys_port_cnt; port++) free_gid_table(ib_dev, port, table[port]); kfree(table);

-- To unsubscribe from this list: send the line unsubscribe linux-rdma in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html

-- Doug Ledford dledf...@redhat.com GPG KeyID: 0E572FDD
Re: [patch] IB/core: off by one in error handling
On Tue, Aug 18, 2015 at 12:23:17PM +0300, Dan Carpenter wrote:

This is a zero offset array. The current code could try to free random memory and crash. Also it leaks the first element.

Fixes: 230145ff8124 ('IB/core: Add RoCE GID table management')
Signed-off-by: Dan Carpenter dan.carpen...@oracle.com

I don't actually see this in Doug's to-be-rebased/for-4.3 tree. Looks like Doug picked up a different version of the patch in the latest rebase. Annotating cache.c I see a different change from Matan in commit 76680c1cfc5ab

+rollback_table_setup: + for (port = 0; port ib_dev-phys_port_cnt; port++) { + cleanup_gid_table_port(ib_dev, port + rdma_start_port(ib_dev), + table[port]); + release_gid_table(table[port]); + }

Ira

diff --git a/drivers/infiniband/core/cache.c b/drivers/infiniband/core/cache.c index a9d5c70..f5d14a7 100644 --- a/drivers/infiniband/core/cache.c +++ b/drivers/infiniband/core/cache.c @@ -582,7 +582,7 @@ static int _gid_table_setup_one(struct ib_device *ib_dev) return 0; rollback_table_setup: - for (port = 1; port = ib_dev-phys_port_cnt; port++) + for (port = 0; port ib_dev-phys_port_cnt; port++) free_gid_table(ib_dev, port, table[port]); kfree(table);
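Review bot: The rollback loop in the snippet quoted from commit 76680c1cfc5ab visits every slot from 0 to phys_port_cnt - 1 regardless of which port's setup failed, so cleanup_gid_table_port() and release_gid_table() may be handed slots that were never populated. It is worth confirming that table is zero-initialised and that both helpers accept a NULL table, or else recording how many slots were set up and unwinding only those.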
[patch] IB/core: off by one in error handling
This is a zero offset array. The current code could try to free random memory and crash. Also it leaks the first element.

Fixes: 230145ff8124 ('IB/core: Add RoCE GID table management')
Signed-off-by: Dan Carpenter dan.carpen...@oracle.com

diff --git a/drivers/infiniband/core/cache.c b/drivers/infiniband/core/cache.c index a9d5c70..f5d14a7 100644 --- a/drivers/infiniband/core/cache.c +++ b/drivers/infiniband/core/cache.c @@ -582,7 +582,7 @@ static int _gid_table_setup_one(struct ib_device *ib_dev) return 0; rollback_table_setup: - for (port = 1; port = ib_dev-phys_port_cnt; port++) + for (port = 0; port ib_dev-phys_port_cnt; port++) free_gid_table(ib_dev, port, table[port]); kfree(table);
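Review bot: In the new loop the second argument of free_gid_table(ib_dev, port, table[port]) is still `port`, which now runs from 0 instead of 1, so the value passed to the helper changes along with the array index. If that parameter is a port number rather than a table index, keep `table[port]` zero-based but pass the port number separately, as the version from Matan quoted in this thread does with `port + rdma_start_port(ib_dev)`. The commit message could also name the out-of-bounds slot (`table[phys_port_cnt]`, reached by the old loop bound) so the "free random memory" claim is easy to check.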