The following patch aims to fix a possible NULL-ptr-dereference that occurs if a call to get_ep_from_tid() fails to assign a nonzero value.
Upstream commit 283861a4c52c1ea4df3dd1b6fc75a50796ce3524 has been backported up to version 5.15. For some reason, older stable branches have been ignored.
This backport can be cleanly applied to 4.19, 5.4 and 5.10 versions.
v2: Add stable maintainers as patch recipients.
From: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
commit 283861a4c52c1ea4df3dd1b6fc75a50796ce3524 upstream.
If get_ep_from_tid() fails to lookup non-NULL value for ep, ep is dereferenced later regardless of whether it is empty. This patch adds a simple sanity check to fix the issue.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Fixes: 944661dd97f4 ("RDMA/iw_cxgb4: atomically lookup ep and get a reference")
Signed-off-by: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
Link: https://lore.kernel.org/r/20230202184850.29882-1-n.zhandarovich@fintech.ru
Signed-off-by: Leon Romanovsky <leon@kernel.org>
---
v2: Add stable maintainers as patch recipients.
drivers/infiniband/hw/cxgb4/cm.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/infiniband/hw/cxgb4/cm.c b/drivers/infiniband/hw/cxgb4/cm.c index ea3ddf0d241142..ced615b5ea096e 100644 --- a/drivers/infiniband/hw/cxgb4/cm.c +++ b/drivers/infiniband/hw/cxgb4/cm.c @@ -2676,6 +2676,9 @@ static int pass_establish(struct c4iw_dev *dev, struct sk_buff *skb) u16 tcp_opt = ntohs(req->tcp_opt);
ep = get_ep_from_tid(dev, tid); + if (!ep) + return 0; + pr_debug("ep %p tid %u\n", ep, ep->hwtid); ep->snd_seq = be32_to_cpu(req->snd_isn); ep->rcv_seq = be32_to_cpu(req->rcv_isn);
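Review bot: the early `return 0` after `ep = get_ep_from_tid(dev, tid);` neither logs the failed lookup nor frees `skb` itself, so please confirm that a 0 return in pass_establish() is the convention by which the caller releases the skb (otherwise the CPL message leaks), and consider a `pr_debug("%s: no ep for tid %u\n", __func__, tid);` before the return so a silently dropped establish message remains diagnosable. The check is correctly placed before the `pr_debug("ep %p tid %u\n", ep, ep->hwtid);` line, which is the first dereference of `ep`, so the NULL case this fixes is fully covered.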