From: Varun Prakash <varun@chelsio.com>
To: Colin King <colin.king@canonical.com>
Cc: "James E . J . Bottomley" <jejb@linux.vnet.ibm.com>,
"Martin K . Petersen" <martin.petersen@oracle.com>,
linux-scsi@vger.kernel.org, kernel-janitors@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH] scsi: csiostor: avoid null pointer dereference on card_fw allocation failure
Date: Thu, 02 Aug 2018 14:54:09 +0000
Message-ID: <20180802145339.GA1671@chelsio.com>
In-Reply-To: <20180801161743.22301-1-colin.king@canonical.com>
On Wed, Aug 01, 2018 at 05:17:43PM +0100, Colin King wrote:
> From: Colin Ian King <colin.king@canonical.com>
>
> Currently if card_fw fails to be allocated then a null pointer
> dereference occurs on card_fd when calling csio_hw_prep_fw. Fix this
> by checking for a failed allocation and returning -ENOMEM.
>
> Detected by CoverityScan, CID#1271213 ("Dereference null return value")
>
> Signed-off-by: Colin Ian King <colin.king@canonical.com>
> ---
> drivers/scsi/csiostor/csio_hw.c | 6 ++++--
> 1 file changed, 4 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/scsi/csiostor/csio_hw.c b/drivers/scsi/csiostor/csio_hw.c
> index a10cf25ee7f9..aa637e9ea9ba 100644
> --- a/drivers/scsi/csiostor/csio_hw.c
> +++ b/drivers/scsi/csiostor/csio_hw.c
> @@ -2275,8 +2275,8 @@ static int csio_hw_prep_fw(struct csio_hw *hw, struct fw_info *fw_info,
> }
>
> /*
> - * Returns -EINVAL if attempts to flash the firmware failed
> - * else returns 0,
> + * Returns -EINVAL if attempts to flash the firmware failed,
> + * -ENOMEM if allocation failed, else returns 0,
> * if flashing was not attempted because the card had the
> * latest firmware ECANCELED is returned
> */
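
Review bot: the updated comment now gives two error codes with a leading minus (-EINVAL, -ENOMEM) but still reads "ECANCELED is returned" without one, and the line ending "else returns 0," keeps a trailing comma that runs into the next clause. Suggest listing each return value on its own line and writing -ECANCELED if that is the value actually returned.
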
> @@ -2321,6 +2321,8 @@ csio_hw_flash_fw(struct csio_hw *hw, int *reset)
> * card
> */
> card_fw = kmalloc(sizeof(*card_fw), GFP_KERNEL);
> + if (!card_fw)
> + return -ENOMEM;
>
> /* upgrade FW logic */
> ret = csio_hw_prep_fw(hw, fw_info, fw_data, fw_size, card_fw,
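
Review bot: the new "return -ENOMEM;" right after the kmalloc() leaves the function before any cleanup that follows the csio_hw_prep_fw() call. The reply below quotes a release_firmware(fw) call at that point, so a firmware handle obtained earlier would stay held on this path. Either jump to the existing cleanup instead of returning, or do the allocation before the firmware is acquired.
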

There is a call to release_firmware() after csio_hw_prep_fw():

	/* upgrade FW logic */
	ret = csio_hw_prep_fw(hw, fw_info, fw_data, fw_size, card_fw,
			      hw->fw_state, reset);

	/* Cleaning up */
	if (fw != NULL)
		release_firmware(fw);

In case of memory allocation failure, csio_hw_flash_fw() will return without
calling release_firmware() with this patch.

The following patch fixes this issue:

csio_hw_flash_fw(struct csio_hw *hw, int *reset)
return -EINVAL;
}
+ /* allocate memory to read the header of the firmware on the
+ * card
+ */
+ card_fw = kmalloc(sizeof(*card_fw), GFP_KERNEL);
+ if (!card_fw)
+ return -ENOMEM;
+
if (csio_is_t5(pci_dev->device & CSIO_HW_CHIP_MASK))
fw_bin_file = FW_FNAME_T5;
else
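
Review bot: with the kmalloc() moved up to this point, card_fw stays live across the firmware file selection and everything after it, so any exit between here and the csio_hw_prep_fw() call has to kfree(card_fw). The visible context shows only the "return -EINVAL;" above the allocation; please confirm that no later early return exists, or route all exits through a single cleanup label.
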
csio_hw_flash_fw(struct csio_hw *hw, int *reset)
fw_size = fw->size;
}
- /* allocate memory to read the header of the firmware on the
- * card
- */
- card_fw = kmalloc(sizeof(*card_fw), GFP_KERNEL);
-
/* upgrade FW logic */
ret = csio_hw_prep_fw(hw, fw_info, fw_data, fw_size, card_fw,
hw->fw_state, reset);
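
Review bot: dropping the kmalloc() here leaves the comment block above csio_hw_flash_fw() untouched, yet the function can now return -ENOMEM. The quoted patch's first hunk added "-ENOMEM if allocation failed" to that comment, and the same line should be carried into this version.
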
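
The failure path described in the reply above, as a small user-space model (an added example, not code from the driver or from either patch). fw_get(), fw_put(), alloc_hdr() and the fw_held counter are hypothetical stand-ins for acquiring the firmware, release_firmware(), kmalloc() and the held firmware reference.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-ins: fw_get()/fw_put() model acquiring/releasing firmware. */
static struct firmware { size_t size; } blob;
static int fw_held;	/* firmware handles acquired and not yet released */

static struct firmware *fw_get(void) { fw_held++; return &blob; }
static void fw_put(struct firmware *fw) { (void)fw; fw_held--; }
static void *alloc_hdr(int fail) { return fail ? NULL : malloc(64); }

/* Quoted patch's shape: the NULL check sits after the firmware is acquired. */
static int flash_check_after_acquire(int fail)
{
	struct firmware *fw = fw_get();
	void *card_fw = alloc_hdr(fail);
	if (!card_fw)
		return -ENOMEM;		/* fw is still held on this path */
	free(card_fw);			/* upgrade logic elided in this model */
	if (fw != NULL)
		fw_put(fw);
	return 0;
}

/* Reply's shape: allocate first, so the failure path holds nothing. */
static int flash_alloc_first(int fail)
{
	void *card_fw = alloc_hdr(fail);
	if (!card_fw)
		return -ENOMEM;
	struct firmware *fw = fw_get();
	free(card_fw);			/* upgrade logic elided in this model */
	if (fw != NULL)
		fw_put(fw);
	return 0;
}

/* Force the allocation to fail and report how many handles stay held. */
static int held_after_enomem(int (*variant)(int))
{
	fw_held = 0;
	return variant(1) == -ENOMEM ? fw_held : -1;
}

int main(void)
{
	printf("%d %d\n", held_after_enomem(flash_check_after_acquire), held_after_enomem(flash_alloc_first));
	return 0;
}
```
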